metasploit | bfdbc82c506fe324f7b6dd5223c3eabb4562e32f4b0e7bd51448489a18ac5b07

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe
Size

194KB
MD5

98a433fd1e5e9ec0123a90f2fd51f3b3
SHA1

b14a64c4fe09357bff5da6081114aa752799a0f3
SHA256

bfdbc82c506fe324f7b6dd5223c3eabb4562e32f4b0e7bd51448489a18ac5b07
SHA512

e7658ea14d0bdcf388f54d69c029313983b9ce72b4b8b1d2bda9b0aeafd26deb84af2550ff2304c00ec5cc76c2b0c111318d0e9814f0fa6a50286b357ca6465c
SSDEEP

6144:a9rfJIqw2hj6rVwitWLbXaLOxf1LMWRaze2Jsj:aBfJI7Z4zayxflYsj

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 42 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	PrvHstMgs.exe

Deletes itself 1 IoCs

pid	Process
940	PrvHstMgs.exe

Executes dropped EXE 64 IoCs

pid	Process
4144	PrvHstMgs.exe
940	PrvHstMgs.exe
1676	PrvHstMgs.exe
2128	PrvHstMgs.exe
1512	PrvHstMgs.exe
2988	PrvHstMgs.exe
220	PrvHstMgs.exe
3012	PrvHstMgs.exe
3432	PrvHstMgs.exe
2104	PrvHstMgs.exe
1680	PrvHstMgs.exe
3860	PrvHstMgs.exe
2428	PrvHstMgs.exe
3548	PrvHstMgs.exe
2256	PrvHstMgs.exe
436	PrvHstMgs.exe
2720	PrvHstMgs.exe
4988	PrvHstMgs.exe
5016	PrvHstMgs.exe
4968	PrvHstMgs.exe
4864	PrvHstMgs.exe
5092	PrvHstMgs.exe
2268	PrvHstMgs.exe
3976	PrvHstMgs.exe
1460	PrvHstMgs.exe
3588	PrvHstMgs.exe
388	PrvHstMgs.exe
2684	PrvHstMgs.exe
2252	PrvHstMgs.exe
3320	PrvHstMgs.exe
4896	PrvHstMgs.exe
4484	PrvHstMgs.exe
1992	PrvHstMgs.exe
4744	PrvHstMgs.exe
5084	PrvHstMgs.exe
3128	PrvHstMgs.exe
1900	PrvHstMgs.exe
1248	PrvHstMgs.exe
2168	PrvHstMgs.exe
4040	PrvHstMgs.exe
2244	PrvHstMgs.exe
3884	PrvHstMgs.exe
1628	PrvHstMgs.exe
4144	PrvHstMgs.exe
3356	PrvHstMgs.exe
1944	PrvHstMgs.exe
4840	PrvHstMgs.exe
2252	PrvHstMgs.exe
4480	PrvHstMgs.exe
4748	PrvHstMgs.exe
780	PrvHstMgs.exe
4412	PrvHstMgs.exe
1520	PrvHstMgs.exe
4848	PrvHstMgs.exe
3856	PrvHstMgs.exe
1216	PrvHstMgs.exe
4000	PrvHstMgs.exe
728	PrvHstMgs.exe
4892	PrvHstMgs.exe
3944	PrvHstMgs.exe
2488	PrvHstMgs.exe
2104	PrvHstMgs.exe
3476	PrvHstMgs.exe
4964	PrvHstMgs.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PrvHstMgs.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File opened for modification	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe
File created	C:\Windows\SysWOW64\PrvHstMgs.exe	PrvHstMgs.exe

Suspicious use of SetThreadContext 43 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 516	1684	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe	86
PID 4144 set thread context of 940	4144	PrvHstMgs.exe	93
PID 1676 set thread context of 2128	1676	PrvHstMgs.exe	100
PID 1512 set thread context of 2988	1512	PrvHstMgs.exe	104
PID 220 set thread context of 3012	220	PrvHstMgs.exe	107
PID 3432 set thread context of 2104	3432	PrvHstMgs.exe	109
PID 1680 set thread context of 3860	1680	PrvHstMgs.exe	111
PID 2428 set thread context of 3548	2428	PrvHstMgs.exe	113
PID 2256 set thread context of 436	2256	PrvHstMgs.exe	115
PID 2720 set thread context of 4988	2720	PrvHstMgs.exe	118
PID 5016 set thread context of 4968	5016	PrvHstMgs.exe	122
PID 4864 set thread context of 5092	4864	PrvHstMgs.exe	125
PID 2268 set thread context of 3976	2268	PrvHstMgs.exe	130
PID 1460 set thread context of 3588	1460	PrvHstMgs.exe	132
PID 388 set thread context of 2684	388	PrvHstMgs.exe	134
PID 2252 set thread context of 3320	2252	PrvHstMgs.exe	136
PID 4896 set thread context of 4484	4896	PrvHstMgs.exe	138
PID 1992 set thread context of 4744	1992	PrvHstMgs.exe	140
PID 5084 set thread context of 3128	5084	PrvHstMgs.exe	142
PID 1900 set thread context of 1248	1900	PrvHstMgs.exe	144
PID 2168 set thread context of 4040	2168	PrvHstMgs.exe	146
PID 2244 set thread context of 3884	2244	PrvHstMgs.exe	149
PID 1628 set thread context of 4144	1628	PrvHstMgs.exe	151
PID 3356 set thread context of 1944	3356	PrvHstMgs.exe	153
PID 4840 set thread context of 2252	4840	PrvHstMgs.exe	155
PID 4480 set thread context of 4748	4480	PrvHstMgs.exe	157
PID 780 set thread context of 4412	780	PrvHstMgs.exe	159
PID 1520 set thread context of 4848	1520	PrvHstMgs.exe	161
PID 3856 set thread context of 1216	3856	PrvHstMgs.exe	163
PID 4000 set thread context of 728	4000	PrvHstMgs.exe	165
PID 4892 set thread context of 3944	4892	PrvHstMgs.exe	167
PID 2488 set thread context of 2104	2488	PrvHstMgs.exe	169
PID 3476 set thread context of 4964	3476	PrvHstMgs.exe	171
PID 4692 set thread context of 2200	4692	PrvHstMgs.exe	173
PID 536 set thread context of 984	536	PrvHstMgs.exe	175
PID 2180 set thread context of 1928	2180	PrvHstMgs.exe	177
PID 2892 set thread context of 3896	2892	PrvHstMgs.exe	179
PID 64 set thread context of 4408	64	PrvHstMgs.exe	181
PID 2240 set thread context of 2224	2240	PrvHstMgs.exe	183
PID 3004 set thread context of 632	3004	PrvHstMgs.exe	185
PID 4784 set thread context of 3188	4784	PrvHstMgs.exe	187
PID 2896 set thread context of 540	2896	PrvHstMgs.exe	189
PID 2576 set thread context of 2716	2576	PrvHstMgs.exe	191

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/516-2-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/516-1-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/516-0-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/516-5-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/516-8-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/516-9-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/516-7-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/516-43-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/940-51-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/940-54-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/940-55-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/940-53-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/940-56-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2128-66-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2128-67-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2128-68-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2128-69-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2988-80-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2988-81-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2988-79-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2988-82-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3012-96-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2104-104-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2104-107-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2104-106-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2104-111-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3860-125-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3548-139-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/436-149-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/436-154-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4988-162-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4988-169-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4968-180-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4968-184-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/5092-198-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3976-213-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3588-227-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2684-235-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2684-242-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3320-250-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3320-257-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4484-270-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4744-281-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4744-286-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3128-300-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/1248-310-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/1248-315-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4040-323-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4040-330-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3884-340-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3884-345-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4144-355-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4144-359-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/1944-371-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2252-383-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4748-395-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4412-402-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4412-408-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4848-415-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/4848-421-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/1216-433-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/728-445-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/3944-457-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral2/memory/2104-469-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrvHstMgs.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PrvHstMgs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
516	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe
516	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe
940	PrvHstMgs.exe
940	PrvHstMgs.exe
2128	PrvHstMgs.exe
2128	PrvHstMgs.exe
2988	PrvHstMgs.exe
2988	PrvHstMgs.exe
3012	PrvHstMgs.exe
3012	PrvHstMgs.exe
2104	PrvHstMgs.exe
2104	PrvHstMgs.exe
3860	PrvHstMgs.exe
3860	PrvHstMgs.exe
3548	PrvHstMgs.exe
3548	PrvHstMgs.exe
436	PrvHstMgs.exe
436	PrvHstMgs.exe
4988	PrvHstMgs.exe
4988	PrvHstMgs.exe
4968	PrvHstMgs.exe
4968	PrvHstMgs.exe
5092	PrvHstMgs.exe
5092	PrvHstMgs.exe
3976	PrvHstMgs.exe
3976	PrvHstMgs.exe
3588	PrvHstMgs.exe
3588	PrvHstMgs.exe
2684	PrvHstMgs.exe
2684	PrvHstMgs.exe
3320	PrvHstMgs.exe
3320	PrvHstMgs.exe
4484	PrvHstMgs.exe
4484	PrvHstMgs.exe
4744	PrvHstMgs.exe
4744	PrvHstMgs.exe
3128	PrvHstMgs.exe
3128	PrvHstMgs.exe
1248	PrvHstMgs.exe
1248	PrvHstMgs.exe
4040	PrvHstMgs.exe
4040	PrvHstMgs.exe
3884	PrvHstMgs.exe
3884	PrvHstMgs.exe
4144	PrvHstMgs.exe
4144	PrvHstMgs.exe
1944	PrvHstMgs.exe
1944	PrvHstMgs.exe
2252	PrvHstMgs.exe
2252	PrvHstMgs.exe
4748	PrvHstMgs.exe
4748	PrvHstMgs.exe
4412	PrvHstMgs.exe
4412	PrvHstMgs.exe
4848	PrvHstMgs.exe
4848	PrvHstMgs.exe
1216	PrvHstMgs.exe
1216	PrvHstMgs.exe
728	PrvHstMgs.exe
728	PrvHstMgs.exe
3944	PrvHstMgs.exe
3944	PrvHstMgs.exe
2104	PrvHstMgs.exe
2104	PrvHstMgs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 516	1684	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe	86
PID 1684 wrote to memory of 516	1684	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe	86
PID 1684 wrote to memory of 516	1684	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe	86
PID 1684 wrote to memory of 516	1684	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe	86
PID 1684 wrote to memory of 516	1684	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe	86
PID 1684 wrote to memory of 516	1684	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe	86
PID 1684 wrote to memory of 516	1684	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe	86
PID 1684 wrote to memory of 516	1684	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe	86
PID 516 wrote to memory of 4144	516	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe	92
PID 516 wrote to memory of 4144	516	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe	92
PID 516 wrote to memory of 4144	516	JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe	92
PID 4144 wrote to memory of 940	4144	PrvHstMgs.exe	93
PID 4144 wrote to memory of 940	4144	PrvHstMgs.exe	93
PID 4144 wrote to memory of 940	4144	PrvHstMgs.exe	93
PID 4144 wrote to memory of 940	4144	PrvHstMgs.exe	93
PID 4144 wrote to memory of 940	4144	PrvHstMgs.exe	93
PID 4144 wrote to memory of 940	4144	PrvHstMgs.exe	93
PID 4144 wrote to memory of 940	4144	PrvHstMgs.exe	93
PID 4144 wrote to memory of 940	4144	PrvHstMgs.exe	93
PID 940 wrote to memory of 1676	940	PrvHstMgs.exe	99
PID 940 wrote to memory of 1676	940	PrvHstMgs.exe	99
PID 940 wrote to memory of 1676	940	PrvHstMgs.exe	99
PID 1676 wrote to memory of 2128	1676	PrvHstMgs.exe	100
PID 1676 wrote to memory of 2128	1676	PrvHstMgs.exe	100
PID 1676 wrote to memory of 2128	1676	PrvHstMgs.exe	100
PID 1676 wrote to memory of 2128	1676	PrvHstMgs.exe	100
PID 1676 wrote to memory of 2128	1676	PrvHstMgs.exe	100
PID 1676 wrote to memory of 2128	1676	PrvHstMgs.exe	100
PID 1676 wrote to memory of 2128	1676	PrvHstMgs.exe	100
PID 1676 wrote to memory of 2128	1676	PrvHstMgs.exe	100
PID 2128 wrote to memory of 1512	2128	PrvHstMgs.exe	102
PID 2128 wrote to memory of 1512	2128	PrvHstMgs.exe	102
PID 2128 wrote to memory of 1512	2128	PrvHstMgs.exe	102
PID 1512 wrote to memory of 2988	1512	PrvHstMgs.exe	104
PID 1512 wrote to memory of 2988	1512	PrvHstMgs.exe	104
PID 1512 wrote to memory of 2988	1512	PrvHstMgs.exe	104
PID 1512 wrote to memory of 2988	1512	PrvHstMgs.exe	104
PID 1512 wrote to memory of 2988	1512	PrvHstMgs.exe	104
PID 1512 wrote to memory of 2988	1512	PrvHstMgs.exe	104
PID 1512 wrote to memory of 2988	1512	PrvHstMgs.exe	104
PID 1512 wrote to memory of 2988	1512	PrvHstMgs.exe	104
PID 2988 wrote to memory of 220	2988	PrvHstMgs.exe	106
PID 2988 wrote to memory of 220	2988	PrvHstMgs.exe	106
PID 2988 wrote to memory of 220	2988	PrvHstMgs.exe	106
PID 220 wrote to memory of 3012	220	PrvHstMgs.exe	107
PID 220 wrote to memory of 3012	220	PrvHstMgs.exe	107
PID 220 wrote to memory of 3012	220	PrvHstMgs.exe	107
PID 220 wrote to memory of 3012	220	PrvHstMgs.exe	107
PID 220 wrote to memory of 3012	220	PrvHstMgs.exe	107
PID 220 wrote to memory of 3012	220	PrvHstMgs.exe	107
PID 220 wrote to memory of 3012	220	PrvHstMgs.exe	107
PID 220 wrote to memory of 3012	220	PrvHstMgs.exe	107
PID 3012 wrote to memory of 3432	3012	PrvHstMgs.exe	108
PID 3012 wrote to memory of 3432	3012	PrvHstMgs.exe	108
PID 3012 wrote to memory of 3432	3012	PrvHstMgs.exe	108
PID 3432 wrote to memory of 2104	3432	PrvHstMgs.exe	109
PID 3432 wrote to memory of 2104	3432	PrvHstMgs.exe	109
PID 3432 wrote to memory of 2104	3432	PrvHstMgs.exe	109
PID 3432 wrote to memory of 2104	3432	PrvHstMgs.exe	109
PID 3432 wrote to memory of 2104	3432	PrvHstMgs.exe	109
PID 3432 wrote to memory of 2104	3432	PrvHstMgs.exe	109
PID 3432 wrote to memory of 2104	3432	PrvHstMgs.exe	109
PID 3432 wrote to memory of 2104	3432	PrvHstMgs.exe	109
PID 2104 wrote to memory of 1680	2104	PrvHstMgs.exe	110

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98a433fd1e5e9ec0123a90f2fd51f3b3.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\SysWOW64\PrvHstMgs.exe
    "C:\Windows\system32\PrvHstMgs.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\SysWOW64\PrvHstMgs.exe
      "C:\Windows\system32\PrvHstMgs.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3860
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3548
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:436
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4988
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4968
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5092
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3976
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1460
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3588
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:388
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2684
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3320
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4484
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1992
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4744
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3128
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1900
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1248
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4040
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3884
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4144
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4840
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4748
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4412
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1216
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:728
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3944
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        68⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        69⤵
        Suspicious use of SetThreadContext
        
        PID:536
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        70⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        72⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:64
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        76⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        77⤵
        Suspicious use of SetThreadContext
        
        PID:2240
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        78⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        80⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        81⤵
        Suspicious use of SetThreadContext
        
        PID:4784
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        82⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        84⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\PrvHstMgs.exe
        
        "C:\Windows\system32\PrvHstMgs.exe" C:\Windows\SysWOW64\PRVHST~1.EXE
        86⤵
        Maps connected drives based on registry
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\PrvHstMgs.exe

Filesize
194KB

MD5
98a433fd1e5e9ec0123a90f2fd51f3b3

SHA1
b14a64c4fe09357bff5da6081114aa752799a0f3

SHA256
bfdbc82c506fe324f7b6dd5223c3eabb4562e32f4b0e7bd51448489a18ac5b07

SHA512
e7658ea14d0bdcf388f54d69c029313983b9ce72b4b8b1d2bda9b0aeafd26deb84af2550ff2304c00ec5cc76c2b0c111318d0e9814f0fa6a50286b357ca6465c

Download Submit
memory/220-90-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/436-149-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/436-154-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/516-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/516-8-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/516-9-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/516-7-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/516-5-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/516-43-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/516-2-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/516-1-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/540-590-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/632-560-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/632-566-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/728-445-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/940-53-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/940-51-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/940-54-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/940-55-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/940-56-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/984-505-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1216-433-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1248-315-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1248-310-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1512-77-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1676-64-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1684-6-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1928-517-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1944-371-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2104-111-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2104-469-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2104-106-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2104-104-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2104-107-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2128-67-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2128-66-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2128-68-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2128-69-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2200-493-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2224-553-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2252-383-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2684-235-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2684-242-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2988-80-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2988-82-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2988-79-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2988-81-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3012-96-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3128-300-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3188-578-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3320-257-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3320-250-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3432-105-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3548-139-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3588-227-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3860-125-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3884-340-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3884-345-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3896-529-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3944-457-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3976-213-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4040-323-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4040-330-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4144-355-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4144-52-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4144-359-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4408-541-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4412-408-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4412-402-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4484-270-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4744-281-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4744-286-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4748-395-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4848-415-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4848-421-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4964-481-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4968-184-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4968-180-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4988-169-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4988-162-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5092-198-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download