expiro | e251ce316981a1d19efec2b4e961b7d7fe6c70a0b33e98f1854eddfa482685b8

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04/01/2025, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
Size

764KB
MD5

774cff64cf516936ddf4842b4bc8706a
SHA1

72270607c9fbf4d939eccf83680daf8c643a1feb
SHA256

e251ce316981a1d19efec2b4e961b7d7fe6c70a0b33e98f1854eddfa482685b8
SHA512

e259ba1635b9c0c0a9f42e9fc4a7864a4427f99ffff0e93afbaed02290a52f320e41bce03dc02a23df50a2c72aa49c2fe80108efd601821b0c6c710618728fd6
SSDEEP

12288:fvqlqSrzEAupLiPuSrN0GMa2gCQ033RJgonvmXnA4vklNgHF1UzUDJNgvi2OUMsK:3sqSroAupL8uSrOGMzgCQ033IovmXA44

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 3 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2568-2-0x0000000001000000-0x000000000127C000-memory.dmp	family_expiro1
behavioral1/memory/2396-66-0x0000000010000000-0x0000000010257000-memory.dmp	family_expiro1
behavioral1/memory/1276-421-0x0000000140000000-0x0000000140291000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 20 IoCs

pid	Process
2396	mscorsvw.exe
464	Process not Found
2796	mscorsvw.exe
2812	mscorsvw.exe
1276	mscorsvw.exe
2344	elevation_service.exe
788	IEEtwCollector.exe
3040	mscorsvw.exe
1520	mscorsvw.exe
2132	mscorsvw.exe
2544	mscorsvw.exe
264	mscorsvw.exe
3040	mscorsvw.exe
1144	mscorsvw.exe
2584	mscorsvw.exe
2312	mscorsvw.exe
2492	mscorsvw.exe
2496	mscorsvw.exe
2908	mscorsvw.exe
2808	mscorsvw.exe

Loads dropped DLL 6 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
1144	mscorsvw.exe
1144	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3692679935-4019334568-335155002-1000	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3692679935-4019334568-335155002-1000\EnableNotifications = "0"	elevation_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3692679935-4019334568-335155002-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3692679935-4019334568-335155002-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe

Enumerates connected drives 3 TTPs 63 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	elevation_service.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\G:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\P:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\E:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\Y:	elevation_service.exe
File opened (read-only)	\??\H:	elevation_service.exe
File opened (read-only)	\??\J:	elevation_service.exe
File opened (read-only)	\??\O:	elevation_service.exe
File opened (read-only)	\??\S:	elevation_service.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\U:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\I:	elevation_service.exe
File opened (read-only)	\??\P:	elevation_service.exe
File opened (read-only)	\??\Q:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\W:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\K:	elevation_service.exe
File opened (read-only)	\??\X:	elevation_service.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\K:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\U:	elevation_service.exe
File opened (read-only)	\??\E:	elevation_service.exe
File opened (read-only)	\??\G:	elevation_service.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\X:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\J:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\V:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\O:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\Y:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\V:	elevation_service.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\M:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\L:	elevation_service.exe
File opened (read-only)	\??\N:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\T:	elevation_service.exe
File opened (read-only)	\??\M:	elevation_service.exe
File opened (read-only)	\??\Q:	elevation_service.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\I:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\H:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\R:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\Z:	elevation_service.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\T:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\Z:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\R:	elevation_service.exe
File opened (read-only)	\??\W:	elevation_service.exe
File opened (read-only)	\??\S:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\L:	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened (read-only)	\??\Z:	mscorsvw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\locator.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\windows\system32\cnkkemka.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\windows\system32\qjieiidj.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\windows\SysWOW64\fgddmfnp.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\windows\SysWOW64\nkohblql.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	elevation_service.exe
File created	\??\c:\windows\system32\pocjfdia.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	elevation_service.exe
File created	\??\c:\windows\SysWOW64\alhocqco.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\windows\system32\mldjocpk.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	elevation_service.exe
File created	\??\c:\windows\SysWOW64\mjgjgemd.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\windows\system32\idmgnnlg.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\vds.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	elevation_service.exe
File created	\??\c:\windows\system32\fnbfagfm.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\windows\system32\jjgffhdn.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\windows\system32\bhnlmqde.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\locator.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\windows\system32\jppaflfh.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\eqiodbdg.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\dckanpca.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Program Files\7-Zip\dklkkafp.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\nimidobm.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File created	C:\Program Files\DVD Maker\knqknjlo.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Program Files\Google\Chrome\Application\bhlnifll.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\nlfifejp.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\feqkbkgm.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ighnagcm.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kefbfhkg.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dgilkpmn.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\cgakfigd.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Program Files\Internet Explorer\fjlaqemg.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Program Files\Internet Explorer\onnmbqjl.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ckillgah.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\idddgalc.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\cfkifjdj.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe

Drops file in Windows directory 63 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\windows\servicing\jedcipjj.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\dgefiffj.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\windows\servicing\cngiminf.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	elevation_service.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\KEPZX5H0G1\Accessibility.ni.dll.aux	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	elevation_service.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	elevation_service.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\LSA379U0UW\ComSvcConfig.ni.exe.aux	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\LSA379U0UW\ComSvcConfig.ni.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\fdnccokm.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	\??\c:\windows\servicing\kddkfiko.tmp	elevation_service.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\doqjpjpf.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mjlchfen.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	elevation_service.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\KEPZX5H0G1\Accessibility.ni.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	elevation_service.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA3BE.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\ehome\pfieijjg.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\windows\ehome\ohiapihq.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	elevation_service.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	elevation_service.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	elevation_service.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	elevation_service.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\ncoiofag.tmp	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	elevation_service.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
1276	mscorsvw.exe
2344	elevation_service.exe
2344	elevation_service.exe
2344	elevation_service.exe
2344	elevation_service.exe
2344	elevation_service.exe
2344	elevation_service.exe
2344	elevation_service.exe
2344	elevation_service.exe
2344	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2568	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeShutdownPrivilege	1276	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2344	elevation_service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2568	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
2568	JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 3040	1276	mscorsvw.exe	37
PID 1276 wrote to memory of 3040	1276	mscorsvw.exe	37
PID 1276 wrote to memory of 3040	1276	mscorsvw.exe	37
PID 1276 wrote to memory of 1520	1276	mscorsvw.exe	39
PID 1276 wrote to memory of 1520	1276	mscorsvw.exe	39
PID 1276 wrote to memory of 1520	1276	mscorsvw.exe	39
PID 1276 wrote to memory of 2132	1276	mscorsvw.exe	40
PID 1276 wrote to memory of 2132	1276	mscorsvw.exe	40
PID 1276 wrote to memory of 2132	1276	mscorsvw.exe	40
PID 1276 wrote to memory of 2544	1276	mscorsvw.exe	41
PID 1276 wrote to memory of 2544	1276	mscorsvw.exe	41
PID 1276 wrote to memory of 2544	1276	mscorsvw.exe	41
PID 1276 wrote to memory of 264	1276	mscorsvw.exe	42
PID 1276 wrote to memory of 264	1276	mscorsvw.exe	42
PID 1276 wrote to memory of 264	1276	mscorsvw.exe	42
PID 1276 wrote to memory of 3040	1276	mscorsvw.exe	43
PID 1276 wrote to memory of 3040	1276	mscorsvw.exe	43
PID 1276 wrote to memory of 3040	1276	mscorsvw.exe	43
PID 1276 wrote to memory of 1144	1276	mscorsvw.exe	44
PID 1276 wrote to memory of 1144	1276	mscorsvw.exe	44
PID 1276 wrote to memory of 1144	1276	mscorsvw.exe	44
PID 1276 wrote to memory of 2584	1276	mscorsvw.exe	45
PID 1276 wrote to memory of 2584	1276	mscorsvw.exe	45
PID 1276 wrote to memory of 2584	1276	mscorsvw.exe	45
PID 1276 wrote to memory of 2312	1276	mscorsvw.exe	46
PID 1276 wrote to memory of 2312	1276	mscorsvw.exe	46
PID 1276 wrote to memory of 2312	1276	mscorsvw.exe	46
PID 1276 wrote to memory of 2492	1276	mscorsvw.exe	47
PID 1276 wrote to memory of 2492	1276	mscorsvw.exe	47
PID 1276 wrote to memory of 2492	1276	mscorsvw.exe	47
PID 1276 wrote to memory of 2496	1276	mscorsvw.exe	48
PID 1276 wrote to memory of 2496	1276	mscorsvw.exe	48
PID 1276 wrote to memory of 2496	1276	mscorsvw.exe	48
PID 1276 wrote to memory of 2908	1276	mscorsvw.exe	49
PID 1276 wrote to memory of 2908	1276	mscorsvw.exe	49
PID 1276 wrote to memory of 2908	1276	mscorsvw.exe	49
PID 1276 wrote to memory of 2808	1276	mscorsvw.exe	50
PID 1276 wrote to memory of 2808	1276	mscorsvw.exe	50
PID 1276 wrote to memory of 2808	1276	mscorsvw.exe	50

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	elevation_service.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_774cff64cf516936ddf4842b4bc8706a.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2396

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 194 -NGENProcess 19c -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 1b4 -NGENProcess 194 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1e4 -NGENProcess 1fc -Pipe 19c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 26c -NGENProcess 1a8 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 200 -NGENProcess 244 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 26c -NGENProcess 200 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 264 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 26c -NGENProcess 264 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 27c -NGENProcess 1fc -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 27c -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 244 -NGENProcess 274 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 248 -NGENProcess 19c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 25c -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2344

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ncjookla.tmp

Filesize
694KB

MD5
2f7bf18481e7130143486fc1ba93bda5

SHA1
0ce5f93ac4251b84fb0b558846204dbd7f1efcab

SHA256
6aff3dfc24ab1035031ee582822545c8bbbc275cba5e2503873c0dbc67e8bf5d

SHA512
ca70fa3587df70999de340fdb65c14f3227d6004ab1673f79305766838dda7698d633e912ae25a2b5e8072da9d3c1e6b5c68a76dce14563db284d782d9425b39

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
1b94e781d8c7ad481fce480bf3439777

SHA1
de402b82feae30355e4c00d64976c982862307f4

SHA256
ff12f6947d6ad222610bee52b730b86bbcb3456de45b6d9d5d8f891fb208540e

SHA512
7be8802cbf70778b1fd7142d75baddd29b1cb1923bc01d4b66bc09feadc0c7d7984951fd0b6047a17bd9bb972919ed600180522c179b20cfc9e6ba8ff27390e1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp

Filesize
4.8MB

MD5
41b396d8f24a3020fe165a09be07d821

SHA1
c9c45e611e707ec82fe5ac25c4a9ac433867005a

SHA256
a9ad429f3d3efa8e0c9ace1502423f1e3bb7ea4dfe2be7048c894f6ec7f0c6bb

SHA512
0c6f68a8d7594a97c14fbf6ff8f44bce708c35f49974a283c763e8a91f6cc9380e7d0c02232930f6fd676741cec7c90db708754e9eaeff0f860e7de03f4c295f

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
ffcad3e62b8dae42941fa8fc23d657c9

SHA1
a61fe3719ed5bb00d26551904d47b4618c97cc6e

SHA256
9692dcb3ba33cb6f45a3324596a0ddedbe69b5e467f1c00dd7ad95aac3f10c0f

SHA512
a2e4a3778ba0d5f4f640e4ebea199a875bedf4ee681d4e2cfcf9659069b389e3c727ee07182a097341d54b13743e1e5e68cae3183a5a03fcfb917a9a5172455a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
11db73eaf41a7646a2243d111a695e09

SHA1
cec43a5cfc33353feb9face6e60ac7f65cedfe9f

SHA256
840a5ab0512b205e03b70176f89b9909a0236faf08380b8d5983d896d2304091

SHA512
9d0c41558f36ca2de32d9da80feb4795d77ec88e86193cd1b46c80184415f86bee072d53be66c1f3d9b54fc93087d1a5b021cd6b66ffbd1962ab6a3a3e6d7bc3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
4KB

MD5
56675b3765c802115a259469690a5065

SHA1
f1683bfe35291ddaf1c8b6d002c0f3fbec2148cb

SHA256
fc7b6aaacff92ebf4b09da9b67ff655caaf6f8fb8dd065b6f2768749bfb4f6a3

SHA512
fe5ada0e79d603334f9a290ab8971d67db27b0c01e189e89c94980f9b2ddec202e457fafc2948c4ec382ce531fdba7ec39b9a1edef82eba0141c33d878056f25

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
96086f4520ba64f845bd8dc06b7884ca

SHA1
62f78110c1cf7967727d94a548de67ba61f65149

SHA256
768c01d2f704ae80bdc36101b0888a6da0a0499a88476f6f1725661815abb78a

SHA512
c42a3444ef740994a6c646d331167c3b2c8d6ea6438e2856b0a78a24ab58adf6066e46f9e3971fa99165120f47bd368bd70c74e8931519d90b5ef89312c90d91

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
0b960439ff091a71fa2cb422e4bd6247

SHA1
be5bb1df68ace01879419d700a138935feabb48d

SHA256
aa5af5f34cfceda3fdf563602a8e60e2d982ff547f0abbeaa7f258de056ca361

SHA512
a0768e070796ca3b325635fff0cffc56b0403ae206cafa64c169b8a0987feb738f73a6aa190a99259778442d5979d5a4681037f54e61c44b2e19b2a92ff25fab

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
75be7f59899e6ff1d29238f55bb751d8

SHA1
6c0eb0df381d2b8513fbe62a0d25d9cd5a0d10e4

SHA256
fde7c5025fbf09e64ab4e5162bbf70a7448a02c925ed4c45b3159b7509d524f1

SHA512
e112f7b499c36596775d38d6c1dd048ef088220723c022f800655e3eb3c3c57463de4980039a47e63abd84e792de008bac9cfb31a13784d6f5101cf6f8e4eee7

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
694KB

MD5
41188f7a1e952c36d3e37d4c67af4942

SHA1
d8b4e67fe5cdf210cd24ce9501ac1483060e72b4

SHA256
f38140228dd8fdfa9753a05a6d39dfd52e0b97e4a837d12da18402da05409946

SHA512
0e253b6f179aba96dfe458832126c54dec845972e0889701a2f44898fd88ee052719411b6c11ef129fef8ad8a07a57d554807b95af504d9ffeb157c68b4b12ea

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
50ae6ec989d49977be528acbca20e8f0

SHA1
5bf73b83c288afcffba739d543a75f9735cf26f2

SHA256
fb7e2d70b4bd075d40233d2c422c3c68d6924791fa53ca093679751431961826

SHA512
54fee2748b4458dc93cf04f56e35b8465d4d75b971d8653195feebd7645cd674016765e912d11e80e852df7bc67aeadf4baad0d67f31f1fd0f2e87987ec522bf

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
769KB

MD5
d1f67ff036da9cefe8aca510c581a63f

SHA1
1e378c4255378f608b1062c78d85a17c80503679

SHA256
8109dd6122f37069aafa66296641bc1ca4b4886a16a0dba39f60b4f0634c25be

SHA512
213bf15cd5a51826fe25583a4e112cf62841400841f0edf361030fe6cd2f9f5f2928b838cdcc6727c8a45bd294851692fae587e594a9d880751ecb052b96f529

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
2.0MB

MD5
f40aefc9b11eaa357114c055c0a793ba

SHA1
f310afba3fc78ea627aa69c3d3f1e7346c132883

SHA256
aa31abd280ab3b0eba512c2d356feccdfd5742cd4a1177a959ca0e724702dd60

SHA512
e9914424a841bfcbe3bbbebbe9daea8b11f96ab087cd48c4de1eeaac0fbb4ca0d64eed5d633a503b68a42b29125cfe5d8d325cce59c21f8c8ace586b659f2971

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
313a7e497973e2992cdf80213ce316bc

SHA1
04562907586b6c18fe184ea845dd9fdec081798d

SHA256
632b012e52c2e11a2da7ece0506cc0f8abb8cb97c2a7fbff685dd2f42df32043

SHA512
53f9e2f99ec243606c086fcf23b074c96ac11f1ce34eb8da8473368f99d9ac98351f4d0ea50fda2fb3ef3b3c19af0586f2d8c83ab50bb2e2e1cb1117f453e26c

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
679KB

MD5
17d4b2294aedf103e8cefdd1145ff730

SHA1
4861a3eb6872147c5f25edd2fb38bf8fa46648a0

SHA256
a729ffd285eaf6c3260383a0503e5b43d2b69c956346341ee45e907bc9ad3a3b

SHA512
689f502aecfce1fe1e23e8d13331471478a61af808c110c54a79d122821d76a71f95e66437a11c7c1f525cf244a32201412d07d67151080b7c6e572b980feea2

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
591KB

MD5
ae2174623811f6e39bc06ec6013ba159

SHA1
bd7c80b26099b25b9049bed71d251278550bd8a0

SHA256
474c05d55363cf9db0f89a10f2c072d39d2d2d0c845ca9c0c17adbee97e8e623

SHA512
1765df0f1e34c73d86a24b30d1abbcf565a00309131782439850125144140b0507f4b38676e4f43ccb0256f893846daba8bba66ef37f091c8869d6104c7d68ff

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
632KB

MD5
258e40d8d05b177735f328e6cf272a42

SHA1
214a7c61a9c00403344e13cf2bcaa2e8a9dfb069

SHA256
da41a8c169e94c34ddb1f39936dc3ea0387398083c9dd206d0e7a89db7ab5c96

SHA512
f0d986e0d743ccfaa2725e9c5c52df17a1709b1b606ac347f61a270386bcf66db14bd47d394b839edbfc628b5ab03ac16e58424034c448fa6c74102e90ed1c95

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
93847b5d4445f37b79b261be4fc4d20c

SHA1
af5fb01efd9c9b6f9e8fc3bd1b184e9b93de3759

SHA256
f07738cb083153d99c705450369cf6ea56b60cadd21ba67112a52c940339d692

SHA512
22be6df92358e037f4a059cc38cff4b6637d9c7050ac7ce33c17c8ed37c98de538e9d9a88d29987980463a2998e95218c8a8bcccd26fd444276cfa65c23784fe

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
693KB

MD5
8596f07971ea36c3735d5a43b3694ffb

SHA1
e2fb9be9b3acc0d0eeaac4d385a32cb8f4855bdb

SHA256
751cc4c6053af19c274136bce340f0282b21c6f568bd419779de96efa7a4788a

SHA512
ad14ec1385ea8fe030214f36172710a01cb917394523ae2dc8c724da582cd88754285a072cf7eb299060bde91db32c0478fb5d7ce44875ef3ca31da267cdf2d5

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
679KB

MD5
32fd4be4b34dc86d869a545f005f1e53

SHA1
c275706d52b4fb11f2c1ae73638013841a2d7966

SHA256
d0b0f50ce4e712d4584e6651d149ea6f2e0fcd12575c7f2b867d23eb744eb3d9

SHA512
458b9c7c5434ed7a4d2c57b2ac43f3956f09b6e6d396094aa16fb1f11df6bb65912ec8c4f831fc7757212def899c6821f1ae0d491bf925d854d3fec70bba887f

Download Submit
\??\c:\windows\system32\searchindexer.exe

Filesize
1.1MB

MD5
164dbee75cdcc63890c5b40ad9a5be87

SHA1
85b19b58537bec02865fc639ad6c6dbb1ed68859

SHA256
13442e9c45a5842d5aad74b7f855c684c61f3b1cc765b866ebb1188fbf9fb46a

SHA512
6a7c712c448d40e5f9f663fd20959d528c9a58848151bdf140b626309277142decf58bffcc51e8627675bd027d0b040768b5ca90f95e172918ead4fe8a4cbacd

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
569KB

MD5
f9daa0c17b4591bc5d91abfa153e8225

SHA1
d1cff5d9ccfb7e5ee3fa8b7d355d8f4baff44d2f

SHA256
e93022ff4fbe122418d327ac7944ad453ffb58e69526671adee1933bb5efab45

SHA512
6d06338e7c83f9ae2598a30dd544489825ef4c4f69fc03bc60e0c8722ef9f6f4d92a7b70c013bb1762bd974123f5dbd26d9079328d1eaed5a384a0a7ca9d02ed

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
595KB

MD5
cb5e2ee46d14d0be2532e3e70eda7c56

SHA1
56f8ec46f819d177ac5118d760a2e6c6b7c7e713

SHA256
326351a883a6a4f6dd5c43aa7db30e3df3c59e5a4f68e920087a5da2000a2622

SHA512
474a8296e8f896e015a9c01d66fb15c46d24eb5594623f5cb385bea97c000c483bdee320555339844fa0f2933701eae0df6fb90f59f1d9875bd6b18315583baf

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.0MB

MD5
78f08f491789a2bf78183390521fb484

SHA1
49b0247e1c812474179a82d47d7e7905734613c9

SHA256
759f280ab4436a93bcce2c5c213fd690b51cc869d6358e8fb866c2f6698d5721

SHA512
51395cd8fbcf43a395d2a3a27164bb331bb7a8722db7636c735a039140a79274a1ad473ba2fa45386a9015555e4df41a47efdbbc24e3b8ab446c2edaf184d3b6

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
8031917e46421d0d1042d5dfeceecb40

SHA1
6a92cc4fa39220b44c95a630e77972fb28c99b56

SHA256
109e43383e10a694b72881c985096ef1a038a899698b12333fe40311dbbd84d2

SHA512
6db75cfcefc1fad33360a1daa5795ffc5eb4ded739d6770bba13fe8e5c90fc90870ae3f025fc6266c5ce04cd46cc40eddcfa5b5ed42339a2e74d0f2c4760e9ad

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
753KB

MD5
9ce9d9622bdd1cab11290fa485d6a449

SHA1
fea9a6fe9957ef71a37932d1185179003aa9d92b

SHA256
20d4d35e81fbec1cb4ddf3bba887759120f36e655c56b4bc369b3738d0d448f6

SHA512
25c52cf85be289c7fb3aa1a7f16e2530271fb5004b03eebd21a6aac64900498b0b5124f98b272d8ce87a0f60182c449e85a04cf0c7d63326075ebf305b5684f3

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
d66406f2adfd3af390f47980e09e39cf

SHA1
7e328261f62ef5f9f4522fbd4001c0feebf2d274

SHA256
e52b9cf3484f1f8ada333a43083916cbe7165c800b925663cd973bd9bb4b5a23

SHA512
da859a5d6cd8b1f1549b7eb15ac97ed0c17c872552ccbd4973bb76e98aef2fe953de4c8fdae4f04fc415ac4d3e8a97cfa9edd8ed6c186860d2f59a3c8a123ac0

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
08952f1b07e497aad7080173db930a18

SHA1
384d8e42aaf7def9265034654271339341ce4cb7

SHA256
38ca64eae543d853d5db08f43185717dea3e97839f55e11fcadecd6801b43f4b

SHA512
3b11d750f9325f5bb6aad3287738428b17cb74ccc8eebc0b4f10d58f393a6346085cf318ca93782d421f085229b31f64942f516ca8c8e93789da65d91f6cc865

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
636KB

MD5
e9cf1fdc0da3eb7b3d9ade616ea05293

SHA1
258aee593be3a30d8d0ffcd6caff7b285320e364

SHA256
315e2b2b1699c593be968f13dc8c4f03ea29f02d985b62cc2147cf25c2fcbe8e

SHA512
78a12e4e78962942e5335d402826a4856f9bde3c38ff2fcf567180ce3b1fcac9cf7d3e3dea2093c85f587bd9b9249cf271bbf2086743e769d1141c3149e73903

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
1ec3d9c048ce25c661cc55fd48f023b6

SHA1
ce91c6c4c8a9db63b0b9fb6a92c78a003c08eaff

SHA256
af545bbcfcbba4c08a020ec032da6ca44af3d1cafaed083a15b62211fa0f2051

SHA512
3cf3970a890504e588ec191ace559a2497afdad1392c3cd148bf5547bbd7149c040131722ad23afc19aba308dd7e06b9692b965cb0d65db673f10cceec5b6733

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
662KB

MD5
a5ebbd75bcac05ff67a8f8027645fd30

SHA1
cef170aff07a4e16595ca4363975863125365cb2

SHA256
0b2608086cd9e48e180eabee0ffa651c83ff8e17c3e5076c3a6a518c771ab2fb

SHA512
588f4091a4fa51b2c973bcbcb8b6b47270d7c1d0619f2773645439cba68344134d1c121e5b3dc1a7ea6ce2365cb7d1ccae9eb510c527b76f4d4db49b41c75566

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA3BE.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
memory/264-351-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/264-352-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/788-93-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/788-184-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/788-230-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1144-366-0x0000000003110000-0x0000000003158000-memory.dmp

Filesize
288KB

Download
memory/1144-386-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1144-375-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1144-376-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1144-365-0x0000000003100000-0x000000000310C000-memory.dmp

Filesize
48KB

Download
memory/1144-367-0x0000000003160000-0x0000000003176000-memory.dmp

Filesize
88KB

Download
memory/1144-364-0x00000000008C0000-0x00000000008CE000-memory.dmp

Filesize
56KB

Download
memory/1276-57-0x0000000140001000-0x0000000140003000-memory.dmp

Filesize
8KB

Download
memory/1276-56-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1276-154-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1276-421-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1520-186-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1520-192-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2132-345-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2132-348-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2312-398-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2312-399-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2344-85-0x0000000140000000-0x000000014041A000-memory.dmp

Filesize
4.1MB

Download
memory/2344-183-0x0000000140000000-0x000000014041A000-memory.dmp

Filesize
4.1MB

Download
memory/2396-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2396-21-0x0000000010000000-0x0000000010257000-memory.dmp

Filesize
2.3MB

Download
memory/2396-66-0x0000000010000000-0x0000000010257000-memory.dmp

Filesize
2.3MB

Download
memory/2492-405-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2496-406-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2496-407-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2544-347-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2544-349-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2568-0-0x0000000001000000-0x000000000127C000-memory.dmp

Filesize
2.5MB

Download
memory/2568-2-0x0000000001000000-0x000000000127C000-memory.dmp

Filesize
2.5MB

Download
memory/2568-1-0x000000000101A000-0x000000000101B000-memory.dmp

Filesize
4KB

Download
memory/2584-393-0x00000000007F0000-0x00000000007FE000-memory.dmp

Filesize
56KB

Download
memory/2584-394-0x0000000003040000-0x000000000305A000-memory.dmp

Filesize
104KB

Download
memory/2584-395-0x0000000003060000-0x000000000307E000-memory.dmp

Filesize
120KB

Download
memory/2584-397-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2584-391-0x00000000007D0000-0x00000000007E8000-memory.dmp

Filesize
96KB

Download
memory/2584-385-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2796-33-0x0000000010000000-0x000000001028A000-memory.dmp

Filesize
2.5MB

Download
memory/2796-67-0x0000000010000000-0x000000001028A000-memory.dmp

Filesize
2.5MB

Download
memory/2796-34-0x0000000010000000-0x000000001028A000-memory.dmp

Filesize
2.5MB

Download
memory/2808-416-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2808-417-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2812-45-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2908-415-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/3040-359-0x000000001C4A0000-0x000000001C4E8000-memory.dmp

Filesize
288KB

Download
memory/3040-358-0x0000000002FF0000-0x0000000002FFC000-memory.dmp

Filesize
48KB

Download
memory/3040-357-0x0000000002F90000-0x0000000002F9E000-memory.dmp

Filesize
56KB

Download
memory/3040-356-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/3040-360-0x0000000003010000-0x0000000003026000-memory.dmp

Filesize
88KB

Download
memory/3040-187-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/3040-362-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/3040-168-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download