e2767c98ca604617757441c03063deeb4e0e1bccc9da386d6274efb98d6bc69a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Size

924KB
MD5

084248a7ea4ad9048e7b97cb4cc51452
SHA1

987108ddece8dc53651b9372caa6fe0c01b29399
SHA256

e2767c98ca604617757441c03063deeb4e0e1bccc9da386d6274efb98d6bc69a
SHA512

7bad32252556a299c546a7466763a19e1dbfc39bbe690ba3d01ea17014b794117f8ecaa262c8d439cd386630d88f0b89112e344a6e74f8828cb7b5cd6ef5deed
SSDEEP

24576:34H0b1KAEc20Mm6yiQQNN3iR1n7HNhf1aq246LlVtf6lJZY8tj:+0J7E4+AQH817HNhJ4VZ6JG8tj

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe
File created	C:\Windows\SysWOW64\Drivers\npf.sys	svehost.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svehost.exe

Executes dropped EXE 10 IoCs

pid	Process
4640	svehost.exe
3040	svehost.exe
4224	svehost.exe
4012	svehost.exe
2452	svehost.exe
3844	svehost.exe
116	svehost.exe
1212	svehost.exe
3584	svehost.exe
2480	svehost.exe

Loads dropped DLL 33 IoCs

pid	Process
3864	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
3864	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
3864	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
4640	svehost.exe
4640	svehost.exe
4640	svehost.exe
3040	svehost.exe
3040	svehost.exe
3040	svehost.exe
4224	svehost.exe
4224	svehost.exe
4224	svehost.exe
4012	svehost.exe
4012	svehost.exe
4012	svehost.exe
2452	svehost.exe
2452	svehost.exe
2452	svehost.exe
3844	svehost.exe
3844	svehost.exe
3844	svehost.exe
116	svehost.exe
116	svehost.exe
116	svehost.exe
1212	svehost.exe
1212	svehost.exe
1212	svehost.exe
3584	svehost.exe
3584	svehost.exe
3584	svehost.exe
2480	svehost.exe
2480	svehost.exe
2480	svehost.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\wpcap.dll	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File opened for modification	C:\Windows\SysWOW64\svehost.exe	svehost.exe
File created	C:\Windows\SysWOW64\packet.dll	svehost.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\oeZokkw = "x[re^aMrYWp`xIaUTDv[VH\\J]"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\oeZokkw = "x[re^aMrYWs`xIaUTDu[VH\\J]"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\okhVzSs = "AnfIeRFZ@~qi\\xZO\\\|K{Wjv^P{\\ybP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "hYdn`d"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\thezhJjnX = "by[^kqVxN_CBJMw_t"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "gAxpHp"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\thezhJjnX = "by[^kqVxN_CPJMw_t"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\thezhJjnX = "by[^kqVxN_CAJMw_t"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "lM\|qmH"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "oQiqED"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vsqlhh = "DNe_rKnyqVREMgJlHnqQzx\x7f_IErGR"	svehost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\Implemented Categories	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\ProgID	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\oeZokkw = "x[re^aMrYWv`xIaUTDp[VH\\J]"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\thezhJjnX = "by[^kqVxN_CNJMw_t"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "eX^Fdx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\csKbhakpzlu = "wn~QCHDWi\\tegWXS\\sycaziRVw}\|G_N"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eGzoowoYb = "{ZbxZt[o}CiQg^\x7f}v"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "ni\x7fi}\\"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\thezhJjnX = "by[^kqVxN_CSJMw_t"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "mXRLAx"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\thezhJjnX = "by[^kqVxN_CUJMw_t"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\thezhJjnX = "by[^kqVxN_CMJMw_t"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "khvxgp"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\thezhJjnX = "by[^kqVxN_CrJMw_t"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\csKbhakpzlu = "wn~QCHDWi\\tegWXS\\sycaziRVw}\|G_N"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\csKbhakpzlu = "wn~QCHDWi\\tegWXS\\sycaziRVw}\|G_N"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\thezhJjnX = "by[^kqVxN_C~JMw_t"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "`h_`dD"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\okhVzSs = "ARfIeRFZ@~qi\\xZO\\\|K{Wjv^P{\\ybP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\thezhJjnX = "by[^kqVxN_CVJMw_t"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "cYMvcP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\okhVzSs = "@YfIeRFZ@~qi\\xZO\\\|K{Wjv^P{\\ybP"	svehost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\oeZokkw = "x[re^aMrYWt`xIaUTDr[VH\\J]"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eGzoowoYb = "{ZbxZt[o}CiQg^\x7f}v"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\oeZokkw = "x[re^aMrYW\|`xIaUTDz[VH\\J]"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\okhVzSs = "ARfIeRFZ@~qi\\xZO\\\|K{Wjv^P{\\ybP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vsqlhh = "DNe_rKnyqVREMgJlHnqQzx\x7f_IErGR"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\okhVzSs = "A\x7ffIeRFZ@~qi\\xZO\\\|K{Wjv^P{\\ybP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "obMft\\"	svehost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\ToolBoxBitmap32	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\vsqlhh = "DNe_rKnyqVREMgJlHnqQzx\x7f_IErGR"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\thezhJjnX = "by[^kqVxN_CKJMw_t"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\eGzoowoYb = "{ZbxZt[o}CiQg^\x7f}v"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "jvhhiL"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "`bM\x7fJt"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\csKbhakpzlu = "wn~QCHDWi\\tegWXS\\sycaziRVw}\|G_N"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "fUdGoL"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "dbd~wh"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\okhVzSs = "@HfIeRFZ@~qi\\xZO\\\|K{Wjv^P{\\ybP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\csKbhakpzlu = "wn~QCHDWi\\tegWXS\\sycaziRVw}\|G_N"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\csKbhakpzlu = "wn~QCHDWi\\tegWXS\\sycaziRVw}\|G_N"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\okhVzSs = "@YfIeRFZ@~qi\\xZO\\\|K{Wjv^P{\\ybP"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "bPSYAX"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\InprocServer32\ = "C:\\Windows\\SysWOW64\\Dxtmsft.dll"	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\thezhJjnX = "by[^kqVxN_CRJMw_t"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\tdwledDpsfVL = "j`hfzD"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\thezhJjnX = "by[^kqVxN_CHJMw_t"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\oeZokkw = "x[re^aMrYWr`xIaUTDt[VH\\J]"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\ = "AlphaImageLoader"	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\oeZokkw = "x[re^aMrYWq`xIaUTDw[VH\\J]"	svehost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}\thezhJjnX = "by[^kqVxN_CDJMw_t"	svehost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA481660-7739-7F10-325A-B09A3E53A5A6}	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe

NTFS ADS 11 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File created	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe
File opened for modification	C:\ProgramData\TEMP:1D956695	svehost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: 33	3864	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3864	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
Token: 33	4640	svehost.exe
Token: SeIncBasePriorityPrivilege	4640	svehost.exe
Token: 33	3040	svehost.exe
Token: SeIncBasePriorityPrivilege	3040	svehost.exe
Token: 33	4224	svehost.exe
Token: SeIncBasePriorityPrivilege	4224	svehost.exe
Token: 33	4012	svehost.exe
Token: SeIncBasePriorityPrivilege	4012	svehost.exe
Token: 33	2452	svehost.exe
Token: SeIncBasePriorityPrivilege	2452	svehost.exe
Token: 33	3844	svehost.exe
Token: SeIncBasePriorityPrivilege	3844	svehost.exe
Token: 33	116	svehost.exe
Token: SeIncBasePriorityPrivilege	116	svehost.exe
Token: 33	1212	svehost.exe
Token: SeIncBasePriorityPrivilege	1212	svehost.exe
Token: 33	3584	svehost.exe
Token: SeIncBasePriorityPrivilege	3584	svehost.exe
Token: 33	2480	svehost.exe
Token: SeIncBasePriorityPrivilege	2480	svehost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 4640	3864	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe	82
PID 3864 wrote to memory of 4640	3864	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe	82
PID 3864 wrote to memory of 4640	3864	084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe	82
PID 4640 wrote to memory of 3040	4640	svehost.exe	88
PID 4640 wrote to memory of 3040	4640	svehost.exe	88
PID 4640 wrote to memory of 3040	4640	svehost.exe	88
PID 3040 wrote to memory of 4224	3040	svehost.exe	92
PID 3040 wrote to memory of 4224	3040	svehost.exe	92
PID 3040 wrote to memory of 4224	3040	svehost.exe	92
PID 4224 wrote to memory of 4012	4224	svehost.exe	94
PID 4224 wrote to memory of 4012	4224	svehost.exe	94
PID 4224 wrote to memory of 4012	4224	svehost.exe	94
PID 4012 wrote to memory of 2452	4012	svehost.exe	95
PID 4012 wrote to memory of 2452	4012	svehost.exe	95
PID 4012 wrote to memory of 2452	4012	svehost.exe	95
PID 2452 wrote to memory of 3844	2452	svehost.exe	96
PID 2452 wrote to memory of 3844	2452	svehost.exe	96
PID 2452 wrote to memory of 3844	2452	svehost.exe	96
PID 3844 wrote to memory of 116	3844	svehost.exe	97
PID 3844 wrote to memory of 116	3844	svehost.exe	97
PID 3844 wrote to memory of 116	3844	svehost.exe	97
PID 116 wrote to memory of 1212	116	svehost.exe	98
PID 116 wrote to memory of 1212	116	svehost.exe	98
PID 116 wrote to memory of 1212	116	svehost.exe	98
PID 1212 wrote to memory of 3584	1212	svehost.exe	99
PID 1212 wrote to memory of 3584	1212	svehost.exe	99
PID 1212 wrote to memory of 3584	1212	svehost.exe	99
PID 3584 wrote to memory of 2480	3584	svehost.exe	100
PID 3584 wrote to memory of 2480	3584	svehost.exe	100
PID 3584 wrote to memory of 2480	3584	svehost.exe	100

C:\Users\Admin\AppData\Local\Temp\084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Windows\SysWOW64\svehost.exe
  C:\Windows\system32\svehost.exe 1424 "C:\Users\Admin\AppData\Local\Temp\084248a7ea4ad9048e7b97cb4cc51452_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\SysWOW64\svehost.exe
    C:\Windows\system32\svehost.exe 1456 "C:\Windows\SysWOW64\svehost.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\svehost.exe
      C:\Windows\system32\svehost.exe 1460 "C:\Windows\SysWOW64\svehost.exe"
      4⤵
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1464 "C:\Windows\SysWOW64\svehost.exe"
        5⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4012
      - C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1468 "C:\Windows\SysWOW64\svehost.exe"
        6⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1472 "C:\Windows\SysWOW64\svehost.exe"
        7⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1440 "C:\Windows\SysWOW64\svehost.exe"
        8⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1476 "C:\Windows\SysWOW64\svehost.exe"
        9⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1484 "C:\Windows\SysWOW64\svehost.exe"
        10⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\svehost.exe
        
        C:\Windows\system32\svehost.exe 1444 "C:\Windows\SysWOW64\svehost.exe"
        11⤵
        Drops file in Drivers directory
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
3e2131cc54b3d34e4962271095d73032

SHA1
d15d395488241ff4b69cc4f8b34819b917a07e8f

SHA256
87531857dcf21bd93b4bafd790a11cb96346d669a33bea9be904e4ae3606fbae

SHA512
1068a6d4acb9c8d2b3478eeff3de46ceb5c2e526ac9e4f410fadc984e269a8c8183652bd986ff8463a583fc2df68501d092c5acf9a53b59872e0e9b66a7edf64

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
29eb8a7bd55a79b9233f1a7eb354bd4f

SHA1
39223ed5ab98a7363393a39090de510c136aaaa6

SHA256
3fe3bfc2f15b2b3618f15bd36533b7599d837f1a82fe0dac6866ec582b9b9d3f

SHA512
28c152234bda379f43592901ab8b36114ef5c0c90bc566d2548b10a89ddea13d6ee5a22e30dde2fb3b4ea0dba9055c229a268823cb49f50616f4c37ab5188072

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
c3a13f4f474b877c2b1cf65da9c4d339

SHA1
7c173b289d5edde4e9fe50f40c447e896965fff7

SHA256
8798e47d692c1994ce7bb6c922d42102141e2ec3bab09e6f158bab4f07699ca5

SHA512
9c2c88e4208b92d81414f735a90297ccf28e8b205feb4076f8bdca7e36c949d1c6282d4d54e73efaafb2891c5e15dce24bd18a6cb480239f49bea4ea4f22159e

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
494285859b2df69a08b93364d40a2780

SHA1
79e76fd6426961c5e7c2855f993c37092f08da03

SHA256
4c7f7113ec9535ab9a0c26e0580607b5f0cc915f6ae8cb4d59d0dd4cee1108f6

SHA512
a8c09f34b5fa46358bd8604c88e5b496c747cc3a17fa39550093a49aa0be2a493b0742c2b86f89936703d066926ad6a7e8818679d279ee009ccf0fc40dded0cc

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
6e8c0b23d636c02c2570880760f47c64

SHA1
19af1069991bf1047a3a3cc0f0d4c798d0acf4fd

SHA256
0aa2505926e8fe7ecd8a165d51a631206231a5329d93de63c56653b52cfc4922

SHA512
39a39e3c1794608fe8ae037f972116652a8877f3b63f631d938505e6c650cb6d87d080ca316fc3dec1b0319ee446c7fc0cb333c0a8ed33cf3fcc35b4d3ae3285

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
6fed004ed3e7c9eefa8aba6fe5c94680

SHA1
c0cf257a887063056bec8ce431526e1e41c2ff27

SHA256
f1d13e4a0171ba5cf1579e97e54d42beb468b1fc1b0f867943cf546b9c91cc6f

SHA512
09de4b5b4145cebb5b6d98d55c6ab959c80e6401bb616f8f03f8afac6b262f88397478df0e9f1375e7f82fb7dbc832c38524a8946300de98f56498fdb8d1778e

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
cb1cb7bafaff243b0904bf7e7d41aa2c

SHA1
91e1ecab363d91367e599d38e717e5f066668db2

SHA256
3aa9cd4798243f15f94f657c67efffb3326c1cf5fe41379ccf75933cfcb90b06

SHA512
67ae574af518eeb25f48ed3c225f268c764b0a39708482d16336f348d0624a0a02de18d8e8bba3751571f3c6130658169292074cc24088f5a43fc69b598383c7

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
27682ca6d4f536c7eec9a8424611b035

SHA1
a57c5b7cf54dcafdcdb9ba171cf65f71d3d454a0

SHA256
92f20aa20b9639f20bdbaaea36f2431055b89fe2d9f0a6e14f2354680cb7d071

SHA512
12389235722673534acc1a79164b61ba17b5e7e85959ee65216ca00265cc812dd6821188828176677c0914f5636a69e766edc5732b0503646348ca0b275edf7f

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
98e9b7bf9ae6daa81cb142fddd723079

SHA1
9be7dc4ca26fee12b60f4bbd1f38a203df614258

SHA256
648e22580d37c686f811658fa44203e11f86544e2849485b6b76308db7e23cf4

SHA512
c39bdc581bbcd3d8f03b7faaeaebdb8fd9fa5f65d765f0d02b932f5d8ad8d67994ca4a011e53e404c49b8179f335b768805d645057b882c9dee2d0f131af9192

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
3699772607a957c5398564b36c3706ce

SHA1
e7f491b30b21e78ad3cb85e2c9c9b1fbdadcf02d

SHA256
7431f2dd12f45e387beb003fd2e916ec96c45defc1c96c01c605ab8df1029324

SHA512
1e196d91037236936bca9c21118fa991fe9ba97e3adb73a8af2ba4e4e18b22e0353489e6eeeb1e26dd43e488daa7300e0955c4bbb258f95a63069eeba8de0dd0

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
93ed4ae1238d5a6e0487966573111fdc

SHA1
18cefd330dbc2198234885fba1ec472d899fc04d

SHA256
6dc774ef0ffd26f05fc6a628a06994f96275ed78a39a14c6ae6ce91b3ec94ea6

SHA512
8c8ba3282e0332b7e60b0b48f589030aa06fdd7de1f95b795a979cfd91ed1e8ba4cd45709ec206f61c3b3f0beda182c41bae1a869d92f3781daab60e691f8aab

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
ee24efd474546e8af9a01189f3e22a61

SHA1
02b9e03264a0698631debf3055ced4243a175b80

SHA256
08608152d3528317a388b8c5c1eef8c67ed70f207a92194393f865ca3c03dd2f

SHA512
14c593adfcb3f17f8b580f76cbb6d642ba11c00f78f5b346dff81c4c2f2104a518954507af6e64bc0265f120e7102eed124c7da34cf63cfc6eb825581ad85c69

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
5d8fa192fe68368a1e41b039a844c8f2

SHA1
927b2ccb7eb06c67a005f5bcec98ceb6983ef18e

SHA256
ec24648148bc571c589cd97c1bce4a2b525a3e0bb618989f5faa3012965d6049

SHA512
775ae19634cc002cfb29445afaff40a9347513ee6dcfd97596aeedc93e5b86dce35951db2342d62170b53aae60d00526fec9129bab0a8161e5cdd5290242f63e

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
ea42070896448c903354461cff3e9e4f

SHA1
0be24aff309df3e9dd60b5243f07ef4588c102fb

SHA256
d837b829416cf9a67118256d6db179866ec8267717da3247463c844683d619af

SHA512
9f5a3efb83e1849e0cd4a06ffa8ecb662e238c50e8ffdc57f978612e38c4f59834c90d32abf184f796dc163dc5121c25a64aa1f295312e669d84601a006bc207

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
4eda14842177a5435810137ed8e14a21

SHA1
19bfa316e66fb5b4d1f3cb3cb70bbb70fc6e5756

SHA256
865a72f96e6486797c743b0070277c3d5f47e960d416ed85f0c49d865bc41689

SHA512
422a2b165275d698017ce4d5c4515e097a952cf8293f31eef96b14f78c0854d1adbec5e393703da5ab990583ac56f9ee18d720185caa56191b067e2ada10c12c

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
efa0ecc2bcca00e6ebce8a3741088654

SHA1
2e5d4b9e71816dc5fb1d7329aa82e328d8e5cc44

SHA256
5cbfa1f612f83511e0b7cd9c898634b1e31823a11bc50e037fcf505f6ff13257

SHA512
c7105aea7f06ffc48eb0cc3585c7674a5f7d8d38c1793940f3f6f392cd1022dd82ffb3c1319f146eb7ca4ce69de09cf40528906467311ace8dffad78c34cded2

Download Submit
C:\ProgramData\TEMP:1D956695

Filesize
115B

MD5
bc06dc5471065da26f8c0cc702666cfd

SHA1
b0daff13263ceba49cbdc5053aeadc8355d5f265

SHA256
daec85095f15fa634da1f7f1f314fc3c915e0a9e6c84219cf8a1c3b758728f6b

SHA512
6a054fc3eb8b7eae3754aef560ddf6f5d716aad8a448ceb3770c53f5e630447d410d5a2cd4ff8f144396ecbc4f5823946d9e94833aae2a82bf5c0368a16df93b

Download Submit
C:\Windows\SysWOW64\drivers\NPF.sys

Filesize
41KB

MD5
243126da7ba441d7c7c3262dcf435a9c

SHA1
42616f7034c0f12e3e4a2166ebe082eb3f08223a

SHA256
80d36efd5b3abb82c421149d423e5019c21f203f085ae2655429a44bb5a9f5c0

SHA512
f5539774d89e8f025da97e7b49d143b7224fcf899db967a34445de70f9228ea5e2d5daffe6444492ce82a3dfb2734786e09140277c208ec1e64580ad74883e68

Download Submit
C:\Windows\SysWOW64\packet.dll

Filesize
86KB

MD5
3eb0beb8e318646104362537570fc6bc

SHA1
3cb48ea9073fcca5835adad307e14ebf0cfe7279

SHA256
ab3f8c80b85aae70f89c8e7919d7dd147c2bc3ec68769e0bdb05fcc4083e3643

SHA512
db5fd16749641de6282d36af7b1921f908850ece3429ffe5ad33d990431bf4990f0314d28af082394af1f4d66516d9d89806a38e2801c34b4dd1ccb69bfafe47

Download Submit
C:\Windows\SysWOW64\svehost.exe

Filesize
924KB

MD5
084248a7ea4ad9048e7b97cb4cc51452

SHA1
987108ddece8dc53651b9372caa6fe0c01b29399

SHA256
e2767c98ca604617757441c03063deeb4e0e1bccc9da386d6274efb98d6bc69a

SHA512
7bad32252556a299c546a7466763a19e1dbfc39bbe690ba3d01ea17014b794117f8ecaa262c8d439cd386630d88f0b89112e344a6e74f8828cb7b5cd6ef5deed

Download Submit
C:\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
cb0afba4f0fb6ca2b2ea0d2c3e86b588

SHA1
2459367892e012314b451e05de1f1162448a05fa

SHA256
1b0fe60175c88f7cd3f3765b2f0f3eb1530b2e5e5b51f89a83e0322de32bdcf7

SHA512
a4e2d66af68dee67be5883c4770c1339b6be4847a993619389404af6a7ec9763361d9a14c632ca6704f63d84b05483f4bea2ec035b466fdaf03ce68c5cbca128

Download Submit
memory/116-263-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/116-291-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1212-295-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/1212-323-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2452-199-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2452-227-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/2480-358-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3040-83-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3040-86-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3040-98-0x00000000021A0000-0x0000000002235000-memory.dmp

Filesize
596KB

Download
memory/3040-71-0x00000000021A0000-0x0000000002235000-memory.dmp

Filesize
596KB

Download
memory/3040-76-0x00000000021A0000-0x0000000002235000-memory.dmp

Filesize
596KB

Download
memory/3040-80-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3040-81-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3040-102-0x00000000021A0000-0x0000000002235000-memory.dmp

Filesize
596KB

Download
memory/3040-84-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3040-127-0x00000000021A0000-0x0000000002235000-memory.dmp

Filesize
596KB

Download
memory/3040-126-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3040-96-0x00000000032A0000-0x00000000032B5000-memory.dmp

Filesize
84KB

Download
memory/3040-87-0x00000000021A0000-0x0000000002235000-memory.dmp

Filesize
596KB

Download
memory/3040-100-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3040-85-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3584-327-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3584-351-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3844-231-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3844-259-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3864-44-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/3864-7-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/3864-24-0x00000000033B0000-0x00000000033C5000-memory.dmp

Filesize
84KB

Download
memory/3864-2-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/3864-11-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3864-13-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3864-48-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3864-9-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3864-15-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/3864-14-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3864-12-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3864-0-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/3864-8-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4012-167-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4012-195-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4224-118-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4224-163-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4224-135-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4224-117-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4224-114-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4224-116-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4224-119-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4224-113-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4224-105-0x0000000002220000-0x00000000022B5000-memory.dmp

Filesize
596KB

Download
memory/4640-97-0x0000000002200000-0x0000000002295000-memory.dmp

Filesize
596KB

Download
memory/4640-92-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4640-38-0x0000000002200000-0x0000000002295000-memory.dmp

Filesize
596KB

Download
memory/4640-43-0x0000000002200000-0x0000000002295000-memory.dmp

Filesize
596KB

Download
memory/4640-37-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4640-66-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4640-53-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4640-54-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4640-55-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4640-56-0x0000000002200000-0x0000000002295000-memory.dmp

Filesize
596KB

Download
memory/4640-62-0x0000000002B50000-0x0000000002B65000-memory.dmp

Filesize
84KB

Download
memory/4640-52-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4640-88-0x0000000002200000-0x0000000002295000-memory.dmp

Filesize
596KB

Download
memory/4640-64-0x0000000002200000-0x0000000002295000-memory.dmp

Filesize
596KB

Download
memory/4640-50-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4640-68-0x0000000002200000-0x0000000002295000-memory.dmp

Filesize
596KB

Download
memory/4640-49-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download