expiro | b98b4a58ffc62e2300baa88e627c709a0b8a2eaecfecabe9f93a6b3db4902b23

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/01/2025, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
Size

959KB
MD5

4964e20c78ec9af68bac8a4684fa1b86
SHA1

ce11c2a1775b1fc300bdf5caae2fd3e3a654dab1
SHA256

b98b4a58ffc62e2300baa88e627c709a0b8a2eaecfecabe9f93a6b3db4902b23
SHA512

9a284ba56e8e1a226179e88a49ff7e9a5b361bbc845aed4beb38e2aca81d7313270d2f9a75760106a0043aba83aabd3c33be18bb1ac2756e03f2a641988748f7
SSDEEP

24576:vPfAPgUYrPXPWeB7S53PW6DmIUVPulHTb9OLf:vXAqrP/WH5/WUmIUVWVTb9OL

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 4 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2780-34-0x0000000010074000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2780-35-0x0000000010000000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2780-43-0x0000000010000000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2780-42-0x0000000010074000-0x0000000010108000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
472	Process not Found
2524	alg.exe
3044	aspnet_state.exe
2780	mscorsvw.exe
2616	mscorsvw.exe
3068	mscorsvw.exe
1372	mscorsvw.exe
1804	mscorsvw.exe
492	mscorsvw.exe
1312	mscorsvw.exe
2444	mscorsvw.exe
1264	mscorsvw.exe
2388	mscorsvw.exe
1892	mscorsvw.exe
2080	mscorsvw.exe
2516	mscorsvw.exe
2680	mscorsvw.exe
2692	mscorsvw.exe
2848	mscorsvw.exe
2576	mscorsvw.exe
2640	mscorsvw.exe
1620	mscorsvw.exe
1608	mscorsvw.exe
2324	mscorsvw.exe
1728	mscorsvw.exe
1788	mscorsvw.exe
1708	mscorsvw.exe
884	mscorsvw.exe
2472	mscorsvw.exe
2740	mscorsvw.exe
2640	mscorsvw.exe
1896	mscorsvw.exe
2340	mscorsvw.exe
1656	mscorsvw.exe
2900	mscorsvw.exe
1372	mscorsvw.exe
2752	mscorsvw.exe
800	mscorsvw.exe
2992	mscorsvw.exe
348	mscorsvw.exe
2272	mscorsvw.exe
1680	mscorsvw.exe
2064	mscorsvw.exe
2492	mscorsvw.exe
2936	mscorsvw.exe
2664	mscorsvw.exe
2836	mscorsvw.exe
2400	mscorsvw.exe
1496	mscorsvw.exe
280	mscorsvw.exe
1148	mscorsvw.exe
1708	mscorsvw.exe
1244	mscorsvw.exe
440	mscorsvw.exe
1384	mscorsvw.exe
2984	mscorsvw.exe
568	mscorsvw.exe
1588	mscorsvw.exe
2496	mscorsvw.exe
1920	mscorsvw.exe
1476	mscorsvw.exe
2692	mscorsvw.exe
2608	mscorsvw.exe
2332	mscorsvw.exe

Loads dropped DLL 39 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
1656	mscorsvw.exe
1656	mscorsvw.exe
1372	mscorsvw.exe
1372	mscorsvw.exe
800	mscorsvw.exe
800	mscorsvw.exe
348	mscorsvw.exe
348	mscorsvw.exe
1680	mscorsvw.exe
1680	mscorsvw.exe
2492	mscorsvw.exe
2492	mscorsvw.exe
2664	mscorsvw.exe
2664	mscorsvw.exe
2400	mscorsvw.exe
2400	mscorsvw.exe
280	mscorsvw.exe
280	mscorsvw.exe
1708	mscorsvw.exe
1708	mscorsvw.exe
440	mscorsvw.exe
440	mscorsvw.exe
2984	mscorsvw.exe
2984	mscorsvw.exe
1588	mscorsvw.exe
1588	mscorsvw.exe
1920	mscorsvw.exe
1920	mscorsvw.exe
2692	mscorsvw.exe
2692	mscorsvw.exe
2332	mscorsvw.exe
2332	mscorsvw.exe
2768	mscorsvw.exe
2768	mscorsvw.exe
264	mscorsvw.exe
264	mscorsvw.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3063565911-2056067323-3330884624-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3063565911-2056067323-3330884624-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\X:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\Y:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\J:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\K:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\V:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\H:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\O:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\T:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\R:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\I:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\N:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\P:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\Q:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\S:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\L:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\U:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\Z:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\G:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\M:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\W:	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\K:	alg.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\knmhnhde.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File created	\??\c:\windows\system32\jfqfbqga.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	\??\c:\windows\system32\nibbpibe.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	\??\c:\windows\system32\gbhlgolk.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File created	\??\c:\windows\system32\pkpkgnke.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	\??\c:\windows\system32\wbem\qcacegef.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File created	\??\c:\windows\system32\dfdpifle.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File created	\??\c:\windows\syswow64\dnalkmip.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File created	\??\c:\windows\system32\loindcgc.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File created	\??\c:\windows\system32\agmgillk.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	\??\c:\windows\system32\nqbnajjl.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	\??\c:\windows\system32\ikdlelll.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	\??\c:\windows\system32\bmkefihc.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	alg.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	\??\c:\windows\system32\njfinkpj.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\boqpbpmf.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\cgmodhlq.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ldcnmoao.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File created	C:\Program Files\7-Zip\cedpmnkl.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\onbaidqf.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\iilmmhmc.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\olphkojf.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\edgadenk.tmp	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ckfdqqhh.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\olemadei.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pgildlkb.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\pppjqpbi.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\lbhckibj.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\occlljkq.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hhfjjgab.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\dddilmae.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\lhbjhkab.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ajjekqnl.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ifpcoece.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\imamgieo.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\camigjbg.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\mngianin.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	\??\c:\program files\windows media player\ilfohpph.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	\??\c:\windows\ehome\fbgokhbh.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC571.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC3C.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE59E.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	alg.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC0C0.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\dhpmgodb.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFB11.tmp\stdole.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\ocdemdhn.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA860.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\hmikcnne.tmp	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe
2524	alg.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1836	JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2524	alg.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe
Token: SeShutdownPrivilege	3068	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1372	3068	mscorsvw.exe	36
PID 3068 wrote to memory of 1372	3068	mscorsvw.exe	36
PID 3068 wrote to memory of 1372	3068	mscorsvw.exe	36
PID 3068 wrote to memory of 1372	3068	mscorsvw.exe	36
PID 3068 wrote to memory of 1804	3068	mscorsvw.exe	38
PID 3068 wrote to memory of 1804	3068	mscorsvw.exe	38
PID 3068 wrote to memory of 1804	3068	mscorsvw.exe	38
PID 3068 wrote to memory of 1804	3068	mscorsvw.exe	38
PID 3068 wrote to memory of 492	3068	mscorsvw.exe	39
PID 3068 wrote to memory of 492	3068	mscorsvw.exe	39
PID 3068 wrote to memory of 492	3068	mscorsvw.exe	39
PID 3068 wrote to memory of 492	3068	mscorsvw.exe	39
PID 3068 wrote to memory of 1312	3068	mscorsvw.exe	40
PID 3068 wrote to memory of 1312	3068	mscorsvw.exe	40
PID 3068 wrote to memory of 1312	3068	mscorsvw.exe	40
PID 3068 wrote to memory of 1312	3068	mscorsvw.exe	40
PID 3068 wrote to memory of 2444	3068	mscorsvw.exe	41
PID 3068 wrote to memory of 2444	3068	mscorsvw.exe	41
PID 3068 wrote to memory of 2444	3068	mscorsvw.exe	41
PID 3068 wrote to memory of 2444	3068	mscorsvw.exe	41
PID 3068 wrote to memory of 1264	3068	mscorsvw.exe	42
PID 3068 wrote to memory of 1264	3068	mscorsvw.exe	42
PID 3068 wrote to memory of 1264	3068	mscorsvw.exe	42
PID 3068 wrote to memory of 1264	3068	mscorsvw.exe	42
PID 3068 wrote to memory of 2388	3068	mscorsvw.exe	43
PID 3068 wrote to memory of 2388	3068	mscorsvw.exe	43
PID 3068 wrote to memory of 2388	3068	mscorsvw.exe	43
PID 3068 wrote to memory of 2388	3068	mscorsvw.exe	43
PID 3068 wrote to memory of 1892	3068	mscorsvw.exe	44
PID 3068 wrote to memory of 1892	3068	mscorsvw.exe	44
PID 3068 wrote to memory of 1892	3068	mscorsvw.exe	44
PID 3068 wrote to memory of 1892	3068	mscorsvw.exe	44
PID 3068 wrote to memory of 2080	3068	mscorsvw.exe	45
PID 3068 wrote to memory of 2080	3068	mscorsvw.exe	45
PID 3068 wrote to memory of 2080	3068	mscorsvw.exe	45
PID 3068 wrote to memory of 2080	3068	mscorsvw.exe	45
PID 3068 wrote to memory of 2516	3068	mscorsvw.exe	46
PID 3068 wrote to memory of 2516	3068	mscorsvw.exe	46
PID 3068 wrote to memory of 2516	3068	mscorsvw.exe	46
PID 3068 wrote to memory of 2516	3068	mscorsvw.exe	46
PID 3068 wrote to memory of 2680	3068	mscorsvw.exe	47
PID 3068 wrote to memory of 2680	3068	mscorsvw.exe	47
PID 3068 wrote to memory of 2680	3068	mscorsvw.exe	47
PID 3068 wrote to memory of 2680	3068	mscorsvw.exe	47
PID 3068 wrote to memory of 2692	3068	mscorsvw.exe	48
PID 3068 wrote to memory of 2692	3068	mscorsvw.exe	48
PID 3068 wrote to memory of 2692	3068	mscorsvw.exe	48
PID 3068 wrote to memory of 2692	3068	mscorsvw.exe	48
PID 3068 wrote to memory of 2848	3068	mscorsvw.exe	49
PID 3068 wrote to memory of 2848	3068	mscorsvw.exe	49
PID 3068 wrote to memory of 2848	3068	mscorsvw.exe	49
PID 3068 wrote to memory of 2848	3068	mscorsvw.exe	49
PID 3068 wrote to memory of 2576	3068	mscorsvw.exe	50
PID 3068 wrote to memory of 2576	3068	mscorsvw.exe	50
PID 3068 wrote to memory of 2576	3068	mscorsvw.exe	50
PID 3068 wrote to memory of 2576	3068	mscorsvw.exe	50
PID 3068 wrote to memory of 2640	3068	mscorsvw.exe	51
PID 3068 wrote to memory of 2640	3068	mscorsvw.exe	51
PID 3068 wrote to memory of 2640	3068	mscorsvw.exe	51
PID 3068 wrote to memory of 2640	3068	mscorsvw.exe	51
PID 3068 wrote to memory of 1620	3068	mscorsvw.exe	52
PID 3068 wrote to memory of 1620	3068	mscorsvw.exe	52
PID 3068 wrote to memory of 1620	3068	mscorsvw.exe	52
PID 3068 wrote to memory of 1620	3068	mscorsvw.exe	52

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4964e20c78ec9af68bac8a4684fa1b86.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2780

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 1ac -NGENProcess 1b0 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 1ac -NGENProcess 1b0 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 1ac -NGENProcess 230 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 21c -NGENProcess 1b0 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 238 -NGENProcess 22c -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 23c -NGENProcess 230 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 1b0 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 22c -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 230 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 1b0 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 240 -NGENProcess 22c -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 238 -NGENProcess 250 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 258 -NGENProcess 1b0 -Pipe 1c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 22c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 1b0 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 22c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 250 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 1b0 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 22c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 26c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 22c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 270 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d0 -NGENProcess 258 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 214 -NGENProcess 240 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 218 -NGENProcess 1ac -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 224 -NGENProcess 258 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 1c0 -NGENProcess 240 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 240 -NGENProcess 218 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 184 -NGENProcess 1c0 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 1c0 -NGENProcess 1fc -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 178 -NGENProcess 26c -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 26c -NGENProcess 184 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 27c -NGENProcess 1fc -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 184 -NGENProcess 1fc -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 22c -NGENProcess 1d0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 1d0 -NGENProcess 280 -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b0 -NGENProcess 1fc -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 1fc -NGENProcess 22c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 288 -NGENProcess 280 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 280 -NGENProcess 1b0 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 290 -NGENProcess 22c -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 22c -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 298 -NGENProcess 1b0 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 1b0 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 298 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2a8 -NGENProcess 290 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 218 -NGENProcess 290 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 290 -NGENProcess 2ac -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2b8 -NGENProcess 2b0 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2b0 -NGENProcess 218 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2c0 -NGENProcess 2ac -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2ac -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2c8 -NGENProcess 218 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 218 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2c8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c0 -NGENProcess 1c0 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2a4 -NGENProcess 2dc -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2dc -NGENProcess 2d0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2d0 -NGENProcess 2d8 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d8 -NGENProcess 2d4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2a4 -NGENProcess 298 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b8 -NGENProcess 1e0 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2f0 -NGENProcess 2d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f4 -NGENProcess 298 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 1e0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 298 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 1e0 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
534KB

MD5
66334ae881b2f9b7ee50947f69848922

SHA1
e0b6c449fcc0e4717277446e0f7cc87b402963b2

SHA256
522cd7b93674864375d089dda043865d57670d4e3483cb8d2ee77087ce0d335e

SHA512
27e3cb5dfe64f42cafaa3caa15b2d0880490f05a177541cbc1467dde05d5c2db747afe06bd7a141aa59199b17d94998cc6fc87dc424b8bbdff908231cc53dcb6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.4MB

MD5
1a16917f598554e4ccfda70b5e1b7906

SHA1
498ef74e638f544f516a379a9d8f29b76d0ced56

SHA256
426b0eca97c385bd9fb7f58831a61e8dcfd3bf51d948ac1a5f4df90816b18e62

SHA512
318e02b0d83b557f0e3263cd9cc711f10e624de1ce53448ed5a9a6fb968e85ab659fd443b259fa42afbdc28d5e9624f0062c08fc47392d3cfbd3809310ef78e3

Download Submit
C:\Users\Admin\AppData\Local\lbjlfnia\cmd.exe

Filesize
732KB

MD5
faef6f5023d66ac28644269705717a9e

SHA1
2f93692ca0254a5e691b9a9f83dd314f1de5cabf

SHA256
df20629062e405b765b7e871897e7bbd09670e90cc2ae7b80e9aead08b03845e

SHA512
9cabbf34b94cde7df9b6179130befa42f59701d04db3b3cdb0462bae30bccb123c4e070fbf4af1831f9a491f4d5234e3ab913b5f3cf6cc3422a9be1e1af299f4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
aa235d0af591f1a20157370ae376f2f2

SHA1
e44162963f15bed0d60766fe0eaad6f6c6355d9d

SHA256
22a4451d185d3806af036aec101a9e4ff860229383d80e75e5cf15f2aac0b954

SHA512
d1d5a19c672c788aa0bbeb972452149cf7a78b0de37013e93e24583576f5836e70bb8e4ffe90b1217c2c9b31fd35eec269788f8d0367af2daca59ffc249db350

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
b60aedaaa24b014844b01402c2ae3797

SHA1
b0b56aabba9a33f910d6a2280756d480861e04a7

SHA256
093fbd62fc33e3d095e9ebe1f56c4362aa65ab69e37a947245b321b87a179efc

SHA512
c0bb0332ddfdcd574a089755aa2f2290e78017558b60c3bbd7b2f65e760aceec3ccca3dec05c1baf85b019ad64ce7040540d4f6683f808ea61a3964a512e9bcb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
457KB

MD5
f1ef445d7a115d059ccd8c24d40632c3

SHA1
fc9104e4a4ef396c4f6f8f1eb6db5c4ca55d192c

SHA256
af8d15539a71725f0ed47be65d0055ff8a3aa588e5823e0155dd8fa9a041e54b

SHA512
b33095706a61e2c4003249c998138fdffd0a7a4c5db916f573deabbc4883c6e2a5336e27740c3a601fc21ff2c01150a9cf2d66afa7292474d8e70b13b6447770

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
a37e976a7c52f2af4f325823da402106

SHA1
b38bb25e203a5f9704803a2afd2f2034d929fe3c

SHA256
21520e0c4ff5007a556d7cc12e5b5de1ffef14cd9f0cff2bfbf0e906338f6ee2

SHA512
188a2895bba9a545da095ecc4ce1bf301e027cfb2f8a3c89645bfab1dafb8fab987d4705fd792bde4753cdf61437549309329ad8e7c5d95e619c2ae83661a705

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
484KB

MD5
d9e231f8d7af17e2b99f3ea0da94ea52

SHA1
f217a77e25ccef164e568261cdf3c88544ffe337

SHA256
addf3c49072a7d94f356b2c5dba66051b8ad4520ebcfd260f23d0b434b7610a6

SHA512
042ad0d22ae2f64a73a2352d0a02a5537183927780924ea1fa1f6be2e594bc819b8972dc8abe38889af223bc8d455d1e150f87037122ea246100a608ca057224

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
e2d545517c96b655aadd5f1cdb2455db

SHA1
d8f89cb116f2180a872f960fd0b219bc2beaa2b6

SHA256
06112d901e35cbdb97e6f2f90ce80d6c9e50d18a6364e02d777e2106cd5f1b76

SHA512
d2b79ad0ec7c710362561ecbdc1b718bc59706091b8054dd8f095b44ffc08813ea64ecf1d930326fa8696ae388a93c20b0bf047784bf74299c98abea7634ac82

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\580d4597c21b769431bc3d98d5ea0360\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
83KB

MD5
244ee25d7118f547c1b66f2f92ec2e45

SHA1
964ef2b42f1883d1f4519f3afbc3213691d13a92

SHA256
1fac227f026d4c39fd452e778f90d30388d406cc49f1843da61974f64ac38a0c

SHA512
b211c8c3908cbe39884b777fb555aa514ed9fb0b11e253fa61810689a66ae15c87524f27933703d75f129c598d122eadf6b62237df82ad4b8ad1a62e95b53ed4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\61959152bf3be64308241d2fc98b5b0e\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
187KB

MD5
aa79242d1de788b4e4c329640116e163

SHA1
bbef4ac761409ebd8a62846afd1f42287538429c

SHA256
530c2d691b799316e384af6c04fe2848bee24eee311bcd270b4bba075f9e99bd

SHA512
493fd881b4a90b2981d252403e56943bbfe98cab28eafe4f743d229fd6950bded3a70d832c0268899e333e47ef65846e8e1efc40f5f7f637abf1a175d1d8d601

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\677f702dae85e9e71dd263389b314e4c\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
143KB

MD5
707dfd12050367afa559a46fb9f58cc3

SHA1
5de2d34f0244ea30a7cee2ce057911d496b275ec

SHA256
c573fbe5d6d82ded4bf0b6e009ec70ce0deb2b6a17d071941d4be4d7a533c4b2

SHA512
09129b72022fdd6853ab271997dfe452df1fecc718b07b334559c481f5524c9cbb9a36f3f51631046332b5841012d273882b8ce5e95c6d38a52b7634dc15e3b8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\7957da23d49a93d801f3e9cfdd45f1f4\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
180KB

MD5
afa95cf5546f356fa614857de67ecad5

SHA1
8ec35787c66c8d3d7b9bfab0d9e04d8e8bd44e8d

SHA256
59b4bb7d8c0a8102cc81fa01748e8a858847155b481d90c15f5155d1c497248a

SHA512
244a1cb4accb8f3da6456e17b74affded1c4c11c97d53e70932b96c1b4bc120fcbc5b98f8b2c88e9af938adc56da89a6391edbadd0c2f6a56deeca93f37d1266

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
57KB

MD5
6eaaa1f987d6e1d81badf8665c55a341

SHA1
e52db4ad92903ca03a5a54fdb66e2e6fad59efd5

SHA256
4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e

SHA512
dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

Filesize
855KB

MD5
7812b0a90d92b4812d4063b89a970c58

SHA1
3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea

SHA256
897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543

SHA512
634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

Filesize
43KB

MD5
3e72bdd0663c5b2bcd530f74139c83e3

SHA1
66069bcac0207512b9e07320f4fa5934650677d2

SHA256
6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357

SHA512
b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
534KB

MD5
c58d271ce3686958798e76ef5164967a

SHA1
fa0bff140157bfa3dc601c692038310719308ea5

SHA256
cb98ed3ecdde90f9cf70c976f1c02b99f0316be91fb95876c5f2fe6285c22494

SHA512
3be9ba7d7a0dbcb97a331a7df9f7cb6eb7f72cbda5c8fccc1300cf556b3fadfc6b78a5214de4c30b55d9318715426c3b580be94514354852e67c789462453ebf

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
29.9MB

MD5
3035a17c03b0e26e6893b3b9db392199

SHA1
296f45f78f00afd2984a1abea68d1c7f7f5ea387

SHA256
880034387e2bd413ff416437fb4fcb1593365ca5a2088ecf47ea59c8ae225afd

SHA512
143c243303cb9b0f02358575f0c2eafdd3f9c33d35c2e1deaf73fb791b5dd068a5e38f10e4fcc280cf6ba18ba868d56e6fb723cae23dd172cc4701c97c24ca91

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
613KB

MD5
8f8b6e9505c6455ad25be2b9cd0609c5

SHA1
681c4e46f5505582eccc2acc6859ffc43dbabc85

SHA256
7a4893fff5502829e0e12ccb62d6028fb76bee0a2d07d476b25e421138fb9fa7

SHA512
9bdb39da04f91d4f82b0e53af92516875533b9303e15dd8f8c5d049242d81b9c94dfa570d6f0646242f39161955cb3734f1aa76cf4bb2a4e7d87faedd870dc35

Download Submit
\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.0MB

MD5
71294dd408896dd850f9f02b0e821725

SHA1
01b9f162be286e5b4e4ffeae0f3dd8c271a23481

SHA256
a0805e5a53850ee7c786c13f46225ddc1f7f139a66203e372dd55c19271188ae

SHA512
3f0c5b044355f5167df595ee2123a85ca8762e92b28e728d681d781a6d5bbc3c499278f2c2213507c6806ff592cdb23db23cf996943cd5d8e6b590e043300de9

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.1MB

MD5
1b9e493b21491f12067c9f37e6ba949b

SHA1
6846dbf6993183fe06fbaf632d0025f6d228cb1d

SHA256
be31b8cc1b0f57665d2d6a2dd5b6ad0ce72178d4d26402811669b918ebb7e764

SHA512
34477d6fc733d443d22f1cb83c63cf7c0304b08d1bdbd1fd1ad25ad9232b5a129033ce19af26e474831be7fdc3ac1a83b39c04b01fc40311b21bc78e359e4f7e

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
519KB

MD5
63839e2736a3a19f926cca8d6a1faa29

SHA1
111b964e681865de293d2597f9b09c2fa2beba62

SHA256
79c21272dcb67e7853d020a5e6d8701881ed57cff8084584bf6267336c237b1e

SHA512
601887ffa4273e5db4eddef5a49880f386528ccc97233613a1f0ef548c048b798a0304f7778cf67a5864649d7de43acb4c467e1c69ddb95de78da3e298f6d387

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe

Filesize
506KB

MD5
337df526cfd9e4fcc79dbaa0a2a30f8c

SHA1
6bfd4e4af3bea8eff363bfc19aaadb3147de572b

SHA256
dcbf009cd06e97a091ca3ae03b5caaff069ea517c95cae97af1cf067520b2e35

SHA512
6fc4ebe101746eb4fff2626367c0964c70a15ca9d40e4eb46b0a9690d3f1157edfeee790c0d775cc9b72ae32cfff48441506a33f25bf275640fbf1db315e76b7

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.0MB

MD5
a966f237c53b074258a874770968dcdc

SHA1
676509f203379796b3cbb957e38aea7dfb3a30d7

SHA256
dbe206248078c7f232a00f94279834fabdc4e66a39d0719e49397d4310aa14e9

SHA512
3d39ca9754996d21c7b9b868290e5145795f86898aa847a9469df3dd5ef551ab38d4eb60354d909f65742b0735cc28adbb6440db76ef4c61075b665e561f7a05

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
431KB

MD5
d792f238651d1a5c9e5cb6d1054763c9

SHA1
0611bb0d17aa1f0741a15e1d036b5a7df32761a4

SHA256
262a63d05ed250557e8f2ad0dad1915452ea6438d7fba31a1342209b5a40d0f7

SHA512
cc784440bde086848772ab1988abf67eed523f1ba5c4fe9335619d8356f96e19a0071d12e566e35d918814992eee1dff770939b09922fec99e62af3ddb2d736f

Download Submit
\Windows\System32\alg.exe

Filesize
472KB

MD5
5603db37f614649b7822ca3b010f1af4

SHA1
8263adaf9190a20f41704733e537a1ce8c8ca2cb

SHA256
9f4e6961c6a4a97012434e7fc54a9b270a07ea2c1c1f96be6ff1a6cfa2456280

SHA512
64447d0ab4f29af7d0408a480d881f7b99fff285f98e74e67573ea551cf4a43477c77bd4f5aa377b8d4f9342c8ce5efb811e723b39bd5791f6f23f6e323579fc

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA2D4.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA860.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAD21.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
memory/1836-0-0x000000013F754000-0x000000013F80C000-memory.dmp

Filesize
736KB

Download
memory/1836-1-0x000000013F660000-0x000000013F80C000-memory.dmp

Filesize
1.7MB

Download
memory/1836-2-0x000000013F754000-0x000000013F80C000-memory.dmp

Filesize
736KB

Download
memory/1836-4-0x000000013F660000-0x000000013F80C000-memory.dmp

Filesize
1.7MB

Download
memory/1836-12-0x000000013F660000-0x000000013F80C000-memory.dmp

Filesize
1.7MB

Download
memory/2524-20-0x00000000FFA00000-0x00000000FFB30000-memory.dmp

Filesize
1.2MB

Download
memory/2524-19-0x00000000FFA79000-0x00000000FFB30000-memory.dmp

Filesize
732KB

Download
memory/2524-77-0x00000000FFA00000-0x00000000FFB30000-memory.dmp

Filesize
1.2MB

Download
memory/2524-66-0x00000000FFA00000-0x00000000FFB30000-memory.dmp

Filesize
1.2MB

Download
memory/2524-64-0x00000000FFA79000-0x00000000FFB30000-memory.dmp

Filesize
732KB

Download
memory/2616-51-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2616-52-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2616-59-0x0000000010000000-0x0000000010134000-memory.dmp

Filesize
1.2MB

Download
memory/2640-200-0x00000000032A0000-0x000000000335A000-memory.dmp

Filesize
744KB

Download
memory/2780-35-0x0000000010000000-0x0000000010108000-memory.dmp

Filesize
1.0MB

Download
memory/2780-42-0x0000000010074000-0x0000000010108000-memory.dmp

Filesize
592KB

Download
memory/2780-34-0x0000000010074000-0x0000000010108000-memory.dmp

Filesize
592KB

Download
memory/2780-43-0x0000000010000000-0x0000000010108000-memory.dmp

Filesize
1.0MB

Download
memory/3044-76-0x000000013FF80000-0x00000001400A9000-memory.dmp

Filesize
1.2MB

Download
memory/3044-68-0x000000013FFF2000-0x00000001400A9000-memory.dmp

Filesize
732KB

Download
memory/3044-27-0x000000013FFF2000-0x00000001400A9000-memory.dmp

Filesize
732KB

Download
memory/3044-28-0x000000013FF80000-0x00000001400A9000-memory.dmp

Filesize
1.2MB

Download
memory/3068-317-0x00000000026F0000-0x0000000002794000-memory.dmp

Filesize
656KB

Download
memory/3068-318-0x0000000003C30000-0x0000000003DCE000-memory.dmp

Filesize
1.6MB

Download
memory/3068-319-0x0000000002C50000-0x0000000002D3C000-memory.dmp

Filesize
944KB

Download
memory/3068-325-0x00000000026F0000-0x0000000002756000-memory.dmp

Filesize
408KB

Download
memory/3068-320-0x00000000001A0000-0x00000000001B0000-memory.dmp

Filesize
64KB

Download
memory/3068-321-0x00000000026F0000-0x0000000002778000-memory.dmp

Filesize
544KB

Download
memory/3068-322-0x00000000003B0000-0x00000000003D4000-memory.dmp

Filesize
144KB

Download
memory/3068-316-0x00000000026F0000-0x000000000277C000-memory.dmp

Filesize
560KB

Download
memory/3068-315-0x00000000003B0000-0x00000000003CA000-memory.dmp

Filesize
104KB

Download
memory/3068-314-0x00000000003B0000-0x00000000003CE000-memory.dmp

Filesize
120KB

Download
memory/3068-313-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/3068-323-0x00000000001A0000-0x00000000001A8000-memory.dmp

Filesize
32KB

Download
memory/3068-324-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download