9f1c441a757bef9ab3b5bd51c7fadb6e77d8236b982118a92918dcdb439714c8

Analysis

max time kernel
2s
max time network
4s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
Size

127KB
MD5

8a99ec19d45d699bbae5b9e4a78fb542
SHA1

6e8e981d5f53e26422457f28c7de339527684b48
SHA256

9f1c441a757bef9ab3b5bd51c7fadb6e77d8236b982118a92918dcdb439714c8
SHA512

e3d561d30b9f9771f68b434e3ca63ba4114e6057e242e8e14a2060e7f774966fd83b2802c9e157927e2e538e81f10a6855ad0e281f20d436d6879f45373d6344
SSDEEP

1536:famlu3hbBGy3G8nhMpD7MUYU6U5jUdPQc+n35KZg8/nouy8Iu:freMPd/MYjUtQl78vout

Score

10^/10

defense_evasion discovery persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	nvcw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Disables RegEdit via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe

Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	winlogon.exe

Executes dropped EXE 50 IoCs

pid	Process
2916	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
2780	csrss.exe
2924	csrss.exe
2512	csrss.exe
2628	csrss.exe
680	nvcw.exe
1252	smss.exe
2312	smss.exe
1912	csrss.exe
1704	csrss.exe
2824	smss.exe
2548	smss.exe
1772	lsass.exe
1436	lsass.exe
2232	csrss.exe
2044	csrss.exe
1712	smss.exe
868	smss.exe
2216	lsass.exe
660	lsass.exe
1208	services.exe
2828	services.exe
1692	csrss.exe
3048	csrss.exe
568	smss.exe
3032	smss.exe
1980	lsass.exe
992	lsass.exe
1412	services.exe
764	services.exe
2912	winlogon.exe
1856	winlogon.exe
1640	csrss.exe
2088	csrss.exe
864	smss.exe
2220	smss.exe
3000	lsass.exe
576	lsass.exe
2636	services.exe
2840	services.exe
2768	winlogon.exe
2632	winlogon.exe
2740	Paraysutki_VM_Community
2584	Paraysutki_VM_Community
1620	winlogon.exe
2296	winlogon.exe
2256	csrss.exe
1704	csrss.exe
2596	smss.exe
2568	smss.exe

Loads dropped DLL 64 IoCs

pid	Process
2280	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
2280	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
2916	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
2916	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
2780	csrss.exe
2780	csrss.exe
2780	csrss.exe
2924	csrss.exe
2924	csrss.exe
2924	csrss.exe
2512	csrss.exe
2512	csrss.exe
2512	csrss.exe
2628	csrss.exe
2512	csrss.exe
2512	csrss.exe
2924	csrss.exe
2924	csrss.exe
1252	smss.exe
1252	smss.exe
1252	smss.exe
2312	smss.exe
2312	smss.exe
2312	smss.exe
1912	csrss.exe
1912	csrss.exe
1912	csrss.exe
1704	csrss.exe
2312	smss.exe
2312	smss.exe
2824	smss.exe
2824	smss.exe
2824	smss.exe
2548	smss.exe
2312	smss.exe
2312	smss.exe
1772	lsass.exe
1772	lsass.exe
1772	lsass.exe
1436	lsass.exe
1436	lsass.exe
1436	lsass.exe
2232	csrss.exe
2232	csrss.exe
2232	csrss.exe
2044	csrss.exe
1436	lsass.exe
1436	lsass.exe
1712	smss.exe
1712	smss.exe
1712	smss.exe
868	smss.exe
1436	lsass.exe
1436	lsass.exe
2216	lsass.exe
2216	lsass.exe
660	lsass.exe
1436	lsass.exe
1436	lsass.exe
1208	services.exe
1208	services.exe
1208	services.exe
2828	services.exe
2828	services.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	nvcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	csrss.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	nvcw.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	smss.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	csrss.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	nvcw.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Paraysutki_VM_Community
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\private_browsing.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\ReadBlock.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	nvcw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	nvcw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paraysutki_VM_Community
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvcw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paraysutki_VM_Community

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2556	ping.exe
2452	ping.exe
860	ping.exe
884	ping.exe
1928	ping.exe
1860	ping.exe
3016	ping.exe
992	ping.exe
2132	ping.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	nvcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	nvcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	nvcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	nvcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	nvcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	nvcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	nvcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	nvcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	nvcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	nvcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	nvcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	nvcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	nvcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	nvcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	nvcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	nvcw.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
2452	ping.exe
860	ping.exe
1860	ping.exe
2132	ping.exe
3016	ping.exe
884	ping.exe
1928	ping.exe
992	ping.exe
2556	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
2912	winlogon.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe
1208	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1180	rundll32.exe
2204	rundll32.exe

Suspicious use of SetWindowsHookEx 51 IoCs

pid	Process
2280	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
2916	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
2780	csrss.exe
2924	csrss.exe
2512	csrss.exe
2628	csrss.exe
680	nvcw.exe
1252	smss.exe
2312	smss.exe
1912	csrss.exe
1704	csrss.exe
2824	smss.exe
2548	smss.exe
1772	lsass.exe
1436	lsass.exe
2232	csrss.exe
2044	csrss.exe
1712	smss.exe
868	smss.exe
2216	lsass.exe
660	lsass.exe
1208	services.exe
2828	services.exe
1692	csrss.exe
3048	csrss.exe
568	smss.exe
3032	smss.exe
1980	lsass.exe
992	lsass.exe
1412	services.exe
764	services.exe
2912	winlogon.exe
1856	winlogon.exe
1640	csrss.exe
2088	csrss.exe
864	smss.exe
2220	smss.exe
3000	lsass.exe
576	lsass.exe
2636	services.exe
2840	services.exe
2768	winlogon.exe
2632	winlogon.exe
2740	Paraysutki_VM_Community
2584	Paraysutki_VM_Community
1620	winlogon.exe
2296	winlogon.exe
2256	csrss.exe
1704	csrss.exe
2596	smss.exe
2568	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2916	2280	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe	30
PID 2280 wrote to memory of 2916	2280	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe	30
PID 2280 wrote to memory of 2916	2280	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe	30
PID 2280 wrote to memory of 2916	2280	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe	30
PID 2916 wrote to memory of 2780	2916	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe	31
PID 2916 wrote to memory of 2780	2916	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe	31
PID 2916 wrote to memory of 2780	2916	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe	31
PID 2916 wrote to memory of 2780	2916	JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe	31
PID 2780 wrote to memory of 2924	2780	csrss.exe	32
PID 2780 wrote to memory of 2924	2780	csrss.exe	32
PID 2780 wrote to memory of 2924	2780	csrss.exe	32
PID 2780 wrote to memory of 2924	2780	csrss.exe	32
PID 2924 wrote to memory of 2512	2924	csrss.exe	33
PID 2924 wrote to memory of 2512	2924	csrss.exe	33
PID 2924 wrote to memory of 2512	2924	csrss.exe	33
PID 2924 wrote to memory of 2512	2924	csrss.exe	33
PID 2512 wrote to memory of 2628	2512	csrss.exe	34
PID 2512 wrote to memory of 2628	2512	csrss.exe	34
PID 2512 wrote to memory of 2628	2512	csrss.exe	34
PID 2512 wrote to memory of 2628	2512	csrss.exe	34
PID 2512 wrote to memory of 680	2512	csrss.exe	35
PID 2512 wrote to memory of 680	2512	csrss.exe	35
PID 2512 wrote to memory of 680	2512	csrss.exe	35
PID 2512 wrote to memory of 680	2512	csrss.exe	35
PID 2924 wrote to memory of 1252	2924	csrss.exe	36
PID 2924 wrote to memory of 1252	2924	csrss.exe	36
PID 2924 wrote to memory of 1252	2924	csrss.exe	36
PID 2924 wrote to memory of 1252	2924	csrss.exe	36
PID 1252 wrote to memory of 2312	1252	smss.exe	37
PID 1252 wrote to memory of 2312	1252	smss.exe	37
PID 1252 wrote to memory of 2312	1252	smss.exe	37
PID 1252 wrote to memory of 2312	1252	smss.exe	37
PID 2312 wrote to memory of 1912	2312	smss.exe	38
PID 2312 wrote to memory of 1912	2312	smss.exe	38
PID 2312 wrote to memory of 1912	2312	smss.exe	38
PID 2312 wrote to memory of 1912	2312	smss.exe	38
PID 1912 wrote to memory of 1704	1912	csrss.exe	39
PID 1912 wrote to memory of 1704	1912	csrss.exe	39
PID 1912 wrote to memory of 1704	1912	csrss.exe	39
PID 1912 wrote to memory of 1704	1912	csrss.exe	39
PID 2312 wrote to memory of 2824	2312	smss.exe	40
PID 2312 wrote to memory of 2824	2312	smss.exe	40
PID 2312 wrote to memory of 2824	2312	smss.exe	40
PID 2312 wrote to memory of 2824	2312	smss.exe	40
PID 2824 wrote to memory of 2548	2824	smss.exe	41
PID 2824 wrote to memory of 2548	2824	smss.exe	41
PID 2824 wrote to memory of 2548	2824	smss.exe	41
PID 2824 wrote to memory of 2548	2824	smss.exe	41
PID 2312 wrote to memory of 1772	2312	smss.exe	42
PID 2312 wrote to memory of 1772	2312	smss.exe	42
PID 2312 wrote to memory of 1772	2312	smss.exe	42
PID 2312 wrote to memory of 1772	2312	smss.exe	42
PID 1772 wrote to memory of 1436	1772	lsass.exe	43
PID 1772 wrote to memory of 1436	1772	lsass.exe	43
PID 1772 wrote to memory of 1436	1772	lsass.exe	43
PID 1772 wrote to memory of 1436	1772	lsass.exe	43
PID 1436 wrote to memory of 2232	1436	lsass.exe	44
PID 1436 wrote to memory of 2232	1436	lsass.exe	44
PID 1436 wrote to memory of 2232	1436	lsass.exe	44
PID 1436 wrote to memory of 2232	1436	lsass.exe	44
PID 2232 wrote to memory of 2044	2232	csrss.exe	45
PID 2232 wrote to memory of 2044	2232	csrss.exe	45
PID 2232 wrote to memory of 2044	2232	csrss.exe	45
PID 2232 wrote to memory of 2044	2232	csrss.exe	45

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
    C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
      C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2628
      - \??\c:\Documents and Settings\Admin\Application Data\Microsoft\nvcw.exe
        
        "c:\Documents and Settings\Admin\Application Data\Microsoft\nvcw.exe" csrss
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Modifies system executable filetype association
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:680
    - - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1252
      - C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:660
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1208
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        10⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2828
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1412
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1856
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:864
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:576
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2204
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2556
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3016
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2452
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:1180
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:860
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:884
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1928
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        11⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        12⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        11⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        12⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
        13⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
        14⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
        13⤵
        
        PID:840
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
        14⤵
        
        PID:868
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
        13⤵
        
        PID:108
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
        14⤵
        
        PID:328
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
        13⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
        14⤵
        
        PID:592
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        13⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        14⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        13⤵
        
        PID:608
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
        13⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.duniasex.com -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:992
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.data0.net -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1860
        
        C:\Windows\SysWOW64\ping.exe
        
        ping www.rasasayang.com.my -n 65500 -l 1340
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2132
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        11⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        12⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        
        C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
        11⤵
        
        PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe

Filesize
127KB

MD5
24def6d973a3d95dcccf42bf31b8569b

SHA1
22b3f5030f999be75e5ec9d4c9954c6c8ddd8339

SHA256
421e9b21a9c640dc33c67541f07f91ac360e29912beec6306a2cfbde19628a5d

SHA512
1b7cbae11fdc65615d261b65c883e4827ab7e4697bd3fdcba0a3a763f5d8f4821d81f86992ce2af021576589e8dffa0a573db77bc785e315178cdbc8788996bb

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a99ec19d45d699bbae5b9e4a78fb542.exe

Filesize
50KB

MD5
69beac0954c38e170a6db8c50fe6a055

SHA1
2b16d43fa9c5d042a030b9267846cf254d47da75

SHA256
2f850319eb8dcefbd7d7c2f405c9b5a9e76ca7ebda34751017e2f23c01a00e8e

SHA512
c219d6d014898394116b1b19ac330143396af470198334f01b2944049b5bb9fe2c5febfcb040ff6ed2e75416908b7089ff0261b7c7c2029a60c3cae8a01666a1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\nvcw.exe

Filesize
76KB

MD5
a987e2564e4f9a0f77554c4bdff06c09

SHA1
57b177e1d953ece57eb8f91a52efe0a9530d1e12

SHA256
74f0893a020af333c121f9101a30d876abaa42a4a6cc11b1d1b63a4e9d412a20

SHA512
9f571583bff5891d80ca155707f8ca09054f9ed63d58bd6d72e2c9ea73eec3141f80ebd1ad9127de1e38a67568e22cf933ae62da14ad0343c29c32b12df2f8a2

Download Submit
memory/108-414-0x0000000000310000-0x0000000000330000-memory.dmp

Filesize
128KB

Download
memory/328-417-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/568-273-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/576-327-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/592-424-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/660-248-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-293-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/840-407-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/868-240-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/992-284-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1208-289-0x00000000005B0000-0x00000000005D0000-memory.dmp

Filesize
128KB

Download
memory/1208-258-0x00000000005B0000-0x00000000005D0000-memory.dmp

Filesize
128KB

Download
memory/1252-167-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/1412-288-0x0000000000380000-0x00000000003A0000-memory.dmp

Filesize
128KB

Download
memory/1436-259-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1532-385-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1620-362-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/1620-399-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/1640-310-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/1692-265-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1704-372-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1704-192-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1772-222-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/1856-338-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1856-347-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1912-186-0x00000000005B0000-0x00000000005D0000-memory.dmp

Filesize
128KB

Download
memory/2044-233-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2088-314-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2148-393-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/2216-244-0x0000000000280000-0x00000000002A0000-memory.dmp

Filesize
128KB

Download
memory/2220-320-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2232-229-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/2256-368-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/2280-169-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/2280-171-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/2280-13-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/2280-12-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/2296-400-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2312-228-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2312-173-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2400-444-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2488-437-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2488-428-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2548-211-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-377-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-381-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2596-376-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/2604-389-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2628-115-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2632-342-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2780-85-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2824-205-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/2828-352-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2828-304-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2840-334-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2860-432-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2912-303-0x0000000000340000-0x0000000000360000-memory.dmp

Filesize
128KB

Download
memory/2916-172-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2916-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2924-204-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3032-277-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3048-269-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download