c8f4c11aa398ac03baf97205fc40bf4bf626b55421e678d38c3ee9ea35b07182

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe
Size

1.0MB
MD5

e1bf7a67e97906838d9aa160eee326d5
SHA1

b1e2e432c61e43601a10492297041200581f54c4
SHA256

c8f4c11aa398ac03baf97205fc40bf4bf626b55421e678d38c3ee9ea35b07182
SHA512

23aa1da64fc40ab3954488061585f17450bd6b7034d9bf4244c7db98dd03b780919f3b761d703eee46dca1d551b25b8cdfa97f740308c82c455a19af2136554f
SSDEEP

24576:djo1MCIJH6m0hl9lUtwCrOqjJHlSXHrfyU:a1MXanetbiSHQXG

Score

7^/10

discovery

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nod23krn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	nod23krn.exe

Executes dropped EXE 20 IoCs

pid	Process
2620	nod23krn.exe
2160	nod23krn.exe
2856	nod23krn.exe
2260	nod23krn.exe
2224	nod23krn.exe
860	nod23krn.exe
1840	nod23krn.exe
1520	nod23krn.exe
2400	nod23krn.exe
1192	nod23krn.exe
2776	nod23krn.exe
2760	nod23krn.exe
1808	nod23krn.exe
2812	nod23krn.exe
588	nod23krn.exe
2140	nod23krn.exe
3024	nod23krn.exe
672	nod23krn.exe
2604	nod23krn.exe
2220	nod23krn.exe

Loads dropped DLL 21 IoCs

pid	Process
2864	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe
2864	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe
2620	nod23krn.exe
2160	nod23krn.exe
2160	nod23krn.exe
2260	nod23krn.exe
2260	nod23krn.exe
860	nod23krn.exe
860	nod23krn.exe
1520	nod23krn.exe
1520	nod23krn.exe
1192	nod23krn.exe
1192	nod23krn.exe
2760	nod23krn.exe
2760	nod23krn.exe
2812	nod23krn.exe
2812	nod23krn.exe
2140	nod23krn.exe
2140	nod23krn.exe
672	nod23krn.exe
672	nod23krn.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File opened for modification	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File created	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File created	C:\Windows\SysWOW64\nod23krn.exe	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File created	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File created	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File created	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File opened for modification	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File opened for modification	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File opened for modification	C:\Windows\SysWOW64\nod23krn.exe	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File created	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File opened for modification	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File created	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File opened for modification	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File created	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File opened for modification	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File created	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File opened for modification	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File opened for modification	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe
File created	C:\Windows\SysWOW64\nod23krn.exe	nod23krn.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 2864	1448	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	30
PID 2620 set thread context of 2160	2620	nod23krn.exe	32
PID 2856 set thread context of 2260	2856	nod23krn.exe	34
PID 2224 set thread context of 860	2224	nod23krn.exe	36
PID 1840 set thread context of 1520	1840	nod23krn.exe	38
PID 2400 set thread context of 1192	2400	nod23krn.exe	40
PID 2776 set thread context of 2760	2776	nod23krn.exe	43
PID 1808 set thread context of 2812	1808	nod23krn.exe	45
PID 588 set thread context of 2140	588	nod23krn.exe	47
PID 3024 set thread context of 672	3024	nod23krn.exe	49
PID 2604 set thread context of 2220	2604	nod23krn.exe	51

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nod23krn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hVWdmivydo = "BSZnHhTE^D\\FsfTfBYvmjKkdb`E"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^^OL\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^ROL\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^U\x7fL\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kJewaqk = "xDkh^MFU_FMlfgXi@iTMWmH"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vyqvluEnwwzah = "[bKBQe_^_AYDGh~j"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxtpTazs"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kJewaqk = "xDkh^MFU_FMlfgXi@iTMWmH"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxwSHlSy"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^]OL\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxtWHQ\x7fS"	nod23krn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\VersionIndependentProgID	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\zcyqqFvYWnOup = "nFntG_bGNVKr\x7fnAF{STJPAULI"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxwimqgr"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxvRQSFC"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^R\x7fL\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\VersionIndependentProgID\ = "MimeDir.MimeDirParser"	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^S_L\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ebWh = "pXMblZ~^aTCqd{XBj\|UL"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxu~{Wbo"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\zcyqqFvYWnOup = "nFntG_cGNVKr\x7fn@F{STJPAULI"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxwAGHot"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^POL\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ebWh = "pXMblZ~^aTCqd{XBj\|UL"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ebWh = "pXMblZ~^aTCqd{XBj\|UL"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxvYzvfq"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vyqvluEnwwzah = "[bKBQe_^_AYDGh~j"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kJewaqk = "xDkh^MFU_FMlfgXi@iTMWmH"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxtH_JZR"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ebWh = "pXMblZ~^aTCqd{XBj\|UL"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxw[TILz"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kJewaqk = "xDkh^MFU_FMlfgXi@iTMWmH"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ebWh = "pXMblZ~^aTCqd{XBj\|UL"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxtrlGDL"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\zcyqqFvYWnOup = "nFntG_`WNVKr\x7fnCV{STJPAULI"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxuYgggO"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^P_L\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kJewaqk = "xDkh^MFU_FMlfgXi@iTMWmH"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^\\_L\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^^_L\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxtoUjug"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\zcyqqFvYWnOup = "nFntG_`gNVKr\x7fnCf{STJPAULI"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^_OL\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxwQpJmF"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxusuxQv"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^RoL\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^\\OL\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxwC\x7fnQK"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxtip`fL"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^P\x7fL\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ebWh = "pXMblZ~^aTCqd{XBj\|UL"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CdLmhlmKjqEz = "vxwNqAbR"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^UoL\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^W\x7fL\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\zcyqqFvYWnOup = "nFntG_cGNVKr\x7fn@F{STJPAULI"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\zcyqqFvYWnOup = "nFntG_`WNVKr\x7fnCV{STJPAULI"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^]\x7fL\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ebWh = "pXMblZ~^aTCqd{XBj\|UL"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hVWdmivydo = "BSZnHhTE^D\\FsfTfBYvmjKkdb`E"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^WOL\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\zcyqqFvYWnOup = "nFntG_cWNVKr\x7fn@V{STJPAULI"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tguozeg = "BvCndwf{vwHMVmvtDtGSEQHp^PoL\\"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\zcyqqFvYWnOup = "nFntG_cwNVKr\x7fn@v{STJPAULI"	nod23krn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vyqvluEnwwzah = "[bKBQe_^_AYDGh~j"	nod23krn.exe

NTFS ADS 11 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:C980DA7D	nod23krn.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	nod23krn.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	nod23krn.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	nod23krn.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	nod23krn.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	nod23krn.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	nod23krn.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	nod23krn.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	nod23krn.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	nod23krn.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	nod23krn.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: 33	1448	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1448	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe
Token: 33	2620	nod23krn.exe
Token: SeIncBasePriorityPrivilege	2620	nod23krn.exe
Token: 33	2856	nod23krn.exe
Token: SeIncBasePriorityPrivilege	2856	nod23krn.exe
Token: 33	2224	nod23krn.exe
Token: SeIncBasePriorityPrivilege	2224	nod23krn.exe
Token: 33	1840	nod23krn.exe
Token: SeIncBasePriorityPrivilege	1840	nod23krn.exe
Token: 33	2400	nod23krn.exe
Token: SeIncBasePriorityPrivilege	2400	nod23krn.exe
Token: 33	2776	nod23krn.exe
Token: SeIncBasePriorityPrivilege	2776	nod23krn.exe
Token: 33	1808	nod23krn.exe
Token: SeIncBasePriorityPrivilege	1808	nod23krn.exe
Token: 33	588	nod23krn.exe
Token: SeIncBasePriorityPrivilege	588	nod23krn.exe
Token: 33	3024	nod23krn.exe
Token: SeIncBasePriorityPrivilege	3024	nod23krn.exe
Token: 33	2604	nod23krn.exe
Token: SeIncBasePriorityPrivilege	2604	nod23krn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2864	1448	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2864	1448	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2864	1448	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2864	1448	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2864	1448	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2864	1448	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2864	1448	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2864	1448	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2864	1448	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2864	1448	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2864	1448	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2620	2864	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	31
PID 2864 wrote to memory of 2620	2864	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	31
PID 2864 wrote to memory of 2620	2864	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	31
PID 2864 wrote to memory of 2620	2864	e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe	31
PID 2620 wrote to memory of 2160	2620	nod23krn.exe	32
PID 2620 wrote to memory of 2160	2620	nod23krn.exe	32
PID 2620 wrote to memory of 2160	2620	nod23krn.exe	32
PID 2620 wrote to memory of 2160	2620	nod23krn.exe	32
PID 2620 wrote to memory of 2160	2620	nod23krn.exe	32
PID 2620 wrote to memory of 2160	2620	nod23krn.exe	32
PID 2620 wrote to memory of 2160	2620	nod23krn.exe	32
PID 2620 wrote to memory of 2160	2620	nod23krn.exe	32
PID 2620 wrote to memory of 2160	2620	nod23krn.exe	32
PID 2620 wrote to memory of 2160	2620	nod23krn.exe	32
PID 2620 wrote to memory of 2160	2620	nod23krn.exe	32
PID 2160 wrote to memory of 2856	2160	nod23krn.exe	33
PID 2160 wrote to memory of 2856	2160	nod23krn.exe	33
PID 2160 wrote to memory of 2856	2160	nod23krn.exe	33
PID 2160 wrote to memory of 2856	2160	nod23krn.exe	33
PID 2856 wrote to memory of 2260	2856	nod23krn.exe	34
PID 2856 wrote to memory of 2260	2856	nod23krn.exe	34
PID 2856 wrote to memory of 2260	2856	nod23krn.exe	34
PID 2856 wrote to memory of 2260	2856	nod23krn.exe	34
PID 2856 wrote to memory of 2260	2856	nod23krn.exe	34
PID 2856 wrote to memory of 2260	2856	nod23krn.exe	34
PID 2856 wrote to memory of 2260	2856	nod23krn.exe	34
PID 2856 wrote to memory of 2260	2856	nod23krn.exe	34
PID 2856 wrote to memory of 2260	2856	nod23krn.exe	34
PID 2856 wrote to memory of 2260	2856	nod23krn.exe	34
PID 2856 wrote to memory of 2260	2856	nod23krn.exe	34
PID 2260 wrote to memory of 2224	2260	nod23krn.exe	35
PID 2260 wrote to memory of 2224	2260	nod23krn.exe	35
PID 2260 wrote to memory of 2224	2260	nod23krn.exe	35
PID 2260 wrote to memory of 2224	2260	nod23krn.exe	35
PID 2224 wrote to memory of 860	2224	nod23krn.exe	36
PID 2224 wrote to memory of 860	2224	nod23krn.exe	36
PID 2224 wrote to memory of 860	2224	nod23krn.exe	36
PID 2224 wrote to memory of 860	2224	nod23krn.exe	36
PID 2224 wrote to memory of 860	2224	nod23krn.exe	36
PID 2224 wrote to memory of 860	2224	nod23krn.exe	36
PID 2224 wrote to memory of 860	2224	nod23krn.exe	36
PID 2224 wrote to memory of 860	2224	nod23krn.exe	36
PID 2224 wrote to memory of 860	2224	nod23krn.exe	36
PID 2224 wrote to memory of 860	2224	nod23krn.exe	36
PID 2224 wrote to memory of 860	2224	nod23krn.exe	36
PID 860 wrote to memory of 1840	860	nod23krn.exe	37
PID 860 wrote to memory of 1840	860	nod23krn.exe	37
PID 860 wrote to memory of 1840	860	nod23krn.exe	37
PID 860 wrote to memory of 1840	860	nod23krn.exe	37
PID 1840 wrote to memory of 1520	1840	nod23krn.exe	38
PID 1840 wrote to memory of 1520	1840	nod23krn.exe	38
PID 1840 wrote to memory of 1520	1840	nod23krn.exe	38
PID 1840 wrote to memory of 1520	1840	nod23krn.exe	38

C:\Users\Admin\AppData\Local\Temp\e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\nod23krn.exe
    C:\Windows\system32\nod23krn.exe 460 "C:\Users\Admin\AppData\Local\Temp\e1bf7a67e97906838d9aa160eee326d5_JaffaCakes118.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\nod23krn.exe
      "C:\Windows\SysWOW64\nod23krn.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\SysWOW64\nod23krn.exe
        
        C:\Windows\system32\nod23krn.exe 524 "C:\Windows\SysWOW64\nod23krn.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\SysWOW64\nod23krn.exe
        
        "C:\Windows\SysWOW64\nod23krn.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        C:\Windows\system32\nod23krn.exe 528 "C:\Windows\SysWOW64\nod23krn.exe"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        "C:\Windows\SysWOW64\nod23krn.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        C:\Windows\system32\nod23krn.exe 524 "C:\Windows\SysWOW64\nod23krn.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        "C:\Windows\SysWOW64\nod23krn.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        C:\Windows\system32\nod23krn.exe 524 "C:\Windows\SysWOW64\nod23krn.exe"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        "C:\Windows\SysWOW64\nod23krn.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        C:\Windows\system32\nod23krn.exe 524 "C:\Windows\SysWOW64\nod23krn.exe"
        13⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        "C:\Windows\SysWOW64\nod23krn.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        C:\Windows\system32\nod23krn.exe 524 "C:\Windows\SysWOW64\nod23krn.exe"
        15⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        "C:\Windows\SysWOW64\nod23krn.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        C:\Windows\system32\nod23krn.exe 524 "C:\Windows\SysWOW64\nod23krn.exe"
        17⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        "C:\Windows\SysWOW64\nod23krn.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        C:\Windows\system32\nod23krn.exe 524 "C:\Windows\SysWOW64\nod23krn.exe"
        19⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        "C:\Windows\SysWOW64\nod23krn.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        C:\Windows\system32\nod23krn.exe 524 "C:\Windows\SysWOW64\nod23krn.exe"
        21⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\SysWOW64\nod23krn.exe
        
        "C:\Windows\SysWOW64\nod23krn.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:C980DA7D

Filesize
110B

MD5
b39cf43b74e3238e4949ccdc6831c6c3

SHA1
163bc2da284a51856a648254222188fe28975233

SHA256
05f3e6a3b6bc890325ea2f7368fb412c6c63dec75e3612e99e2e99b775c27c0e

SHA512
2f8980e099b9959ddfb258bf54dbf75644894c7766ea2fa4bf59ff56e54ce5e92f897f8d9983731a9511bf597fad5a89bd2788b1dd9908f0abb696d9c10ec3bc

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
110B

MD5
c0a1f5e606310903ed400177f0baf8ee

SHA1
a487e1cdec129113ba5c41816a4b157ccaae761f

SHA256
0295cfa5ec6601eee80ba9a0a0a721d5b72dbdd089ea43275572ad724748ab78

SHA512
563295094092d97c4d0996fa0b90cd44955c151e50c520908f19e45a45c7d79790c1445f8e8ba631e3277a8fe6fccb1c6b94f2211f9bd22dace84d1e98072918

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
110B

MD5
d28d00f0221f73f7515a2d8dfbdd4544

SHA1
64680b5b5ea9c2f30854233966a7deb8f89bb0d4

SHA256
0700ac77320dd0328a8277404266b2f43ded61796e3c402a11477fbf9c37f55a

SHA512
51c6d9ab9c724d6387ca98b99e95052eac23d4a4e979a923870aaa0ad96ef00b056d96260fa0c8815f5abd74fd7a3eb640421ad44060cadeffa0b344a2db3c1f

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
110B

MD5
56a041f712f39bf51c8e2d19505e6c8c

SHA1
78467e23338920d3558d858db27ccfa49beff204

SHA256
4e9857da080c180712bfd897e7e509bbf08cdcbfd37ba87624c2ee606af28ab0

SHA512
c07baf818067ccb065595008c774dd77518d224d856891a8546c41a34e25edd3e01f6a4d754013d49ac1c1778807f0858abf5f892d6940a0985ba0303f938b8a

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
110B

MD5
10ce5edd00aa396f05e65d38a737dc50

SHA1
cd7ae61021a5084762c7cbc179998b2d9711c92b

SHA256
25c3330aea82b91145726eb9bb75fde46a8d187597539067ef7c9a03fc691b6c

SHA512
7c075fef2a1fe1fbbb1a04ed1734b09dba96522ad58e936de9e746fa59040c9f3af1f2a51c32c00f5150685cb764dbc57779a8b3a7ea97346405ac8b1e3eebd0

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
110B

MD5
578e47643b9c7c8d95e5b7437200290a

SHA1
8ede476bb04556bb04e81520eee7afcd0981bae9

SHA256
6ca2933dac6c3f67df8f58b942053752ebb2da845779f4b57dedc99b837c4b5b

SHA512
6d011e721bdb6e110ab0c61d76dcaa1cfe0346649dcdb44690f77b7ba5060df8e69d901b6c38ae59b93ec9d34427593185902476b439cc1e0d63331757c3c4b9

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
110B

MD5
e413e3c59d4ad397a6de9b27b28c502d

SHA1
40adbf4473bb279d9ddb3a85ca6883e2fb4d3adb

SHA256
6dbc8feab4c5b4a3201bccd04a7efec7cc38560c30aa2e035da5cd8e90406ced

SHA512
dfa7da1fe77444059b3ee6e52f2e884e2628267cd34b98f3a63a6aab64a77d4bb6d3ab6e527f2db6124abc4f8e14ddfadc537622610ec2fd9f97961b67c5c19b

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
110B

MD5
c5f44d01941da77d241128c93f66a274

SHA1
2c147f9d42b51a101c7f023454f24d5e1258ebd3

SHA256
14528502a4301b27caccb17ff7e3e1467e8a9237719199904e7fc2a696186a8d

SHA512
c8d348a074b6e2b7f1685e4a065809864d8890dda16371f2eed7ea6090a2e8020d3e3343abd2a5c7ad6196a01eff902bf99c4c19e743ef21449462762145d624

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
110B

MD5
f8c0bea82f2a97fea31bbb2d0d1a7b02

SHA1
d0293170838a561317dbb5095bf46732856d4fe9

SHA256
5f877bbf7750385c085e16b6bb93ef1412379ec9a15236e4f843a20f7020428a

SHA512
d3bdca63ddf2dfcade1adae30588d4e4211e87105f645f683d56ac83a83e557a39e46cf3cced027ea0746e152388140ed63505bba20a40b31d038ed692db1c36

Download Submit
\Windows\SysWOW64\nod23krn.exe

Filesize
1.0MB

MD5
e1bf7a67e97906838d9aa160eee326d5

SHA1
b1e2e432c61e43601a10492297041200581f54c4

SHA256
c8f4c11aa398ac03baf97205fc40bf4bf626b55421e678d38c3ee9ea35b07182

SHA512
23aa1da64fc40ab3954488061585f17450bd6b7034d9bf4244c7db98dd03b780919f3b761d703eee46dca1d551b25b8cdfa97f740308c82c455a19af2136554f

Download Submit
memory/588-372-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/672-418-0x00000000026E0000-0x000000000280E000-memory.dmp

Filesize
1.2MB

Download
memory/672-417-0x00000000026E0000-0x000000000280E000-memory.dmp

Filesize
1.2MB

Download
memory/1448-31-0x00000000005A0000-0x0000000000629000-memory.dmp

Filesize
548KB

Download
memory/1448-7-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1448-5-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1448-0-0x00000000005A0000-0x0000000000629000-memory.dmp

Filesize
548KB

Download
memory/1448-35-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1448-16-0x00000000029A0000-0x0000000002ACE000-memory.dmp

Filesize
1.2MB

Download
memory/1448-6-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1448-8-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1448-9-0x00000000005A0000-0x0000000000629000-memory.dmp

Filesize
548KB

Download
memory/1808-331-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1840-210-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1840-177-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2140-376-0x0000000002860000-0x000000000298E000-memory.dmp

Filesize
1.2MB

Download
memory/2140-377-0x0000000002860000-0x000000000298E000-memory.dmp

Filesize
1.2MB

Download
memory/2224-170-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2260-136-0x0000000002810000-0x000000000293E000-memory.dmp

Filesize
1.2MB

Download
memory/2400-217-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2400-250-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2604-454-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2620-48-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2620-92-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2620-86-0x0000000000340000-0x00000000003C9000-memory.dmp

Filesize
548KB

Download
memory/2620-57-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2620-58-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2620-59-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2620-62-0x0000000002840000-0x000000000296E000-memory.dmp

Filesize
1.2MB

Download
memory/2620-60-0x0000000000340000-0x00000000003C9000-memory.dmp

Filesize
548KB

Download
memory/2620-49-0x0000000000340000-0x00000000003C9000-memory.dmp

Filesize
548KB

Download
memory/2760-295-0x00000000029D0000-0x0000000002AFE000-memory.dmp

Filesize
1.2MB

Download
memory/2776-289-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2812-336-0x00000000028E0000-0x0000000002A0E000-memory.dmp

Filesize
1.2MB

Download
memory/2812-335-0x00000000028E0000-0x0000000002A0E000-memory.dmp

Filesize
1.2MB

Download
memory/2856-97-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2856-130-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2864-33-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2864-46-0x00000000028B0000-0x00000000029DE000-memory.dmp

Filesize
1.2MB

Download
memory/2864-44-0x00000000028B0000-0x00000000029DE000-memory.dmp

Filesize
1.2MB

Download
memory/2864-87-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2864-10-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2864-12-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2864-14-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2864-18-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2864-21-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2864-24-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2864-27-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2864-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3024-413-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download