expiro | ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
Size

653KB
MD5

1559eba1084a34643e6456d416478ca0
SHA1

b6bef8dd97c615df23733745fa02986ffcb60e34
SHA256

ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9
SHA512

bfc027e4d82f1958d552837b2ac5a5f75b4ab9d77095c60a9c5f4eb0730dd6a38a56e9dcd834ba073037a08675bffdfc3bc22c9dce61666cd454d060a647cada
SSDEEP

12288:JTYkuB+NC7dTWJ3s0gKhdQw66zqHR7L3jwAS+QWE3PfQy75alnnEX7nuoK6HQDX3:JsB+Nytop966zqR7jUAFQWeXQy70yTPK

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/memory/4308-2-0x0000000001000000-0x00000000011DA000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 7 IoCs

pid	Process
232	elevation_service.exe
2232	elevation_service.exe
3680	maintenanceservice.exe
1732	OSE.EXE
656	ssh-agent.exe
2988	AgentService.exe
4588	wbengine.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1045960512-3948844814-3059691613-1000\EnableNotifications = "0"	OSE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1045960512-3948844814-3059691613-1000	OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\J:	OSE.EXE
File opened (read-only)	\??\K:	OSE.EXE
File opened (read-only)	\??\M:	OSE.EXE
File opened (read-only)	\??\N:	OSE.EXE
File opened (read-only)	\??\X:	OSE.EXE
File opened (read-only)	\??\Z:	OSE.EXE
File opened (read-only)	\??\E:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\P:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\G:	OSE.EXE
File opened (read-only)	\??\Q:	OSE.EXE
File opened (read-only)	\??\R:	OSE.EXE
File opened (read-only)	\??\U:	OSE.EXE
File opened (read-only)	\??\W:	OSE.EXE
File opened (read-only)	\??\Q:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\U:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\Z:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\M:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\S:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\Y:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\I:	OSE.EXE
File opened (read-only)	\??\O:	OSE.EXE
File opened (read-only)	\??\J:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\L:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\T:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\I:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\K:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\H:	OSE.EXE
File opened (read-only)	\??\S:	OSE.EXE
File opened (read-only)	\??\T:	OSE.EXE
File opened (read-only)	\??\V:	OSE.EXE
File opened (read-only)	\??\H:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\E:	OSE.EXE
File opened (read-only)	\??\L:	OSE.EXE
File opened (read-only)	\??\G:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\R:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\V:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\P:	OSE.EXE
File opened (read-only)	\??\Y:	OSE.EXE
File opened (read-only)	\??\N:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\O:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened (read-only)	\??\W:	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\leplicdo.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\windows\system32\lonegafe.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\alg.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\windows\system32\ngiacdpj.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	OSE.EXE
File created	\??\c:\windows\SysWOW64\molmoebh.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\windows\system32\bhqpeioj.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\windows\system32\dqddhplb.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\spectrum.exe	OSE.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\hbnljmia.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\locator.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\vds.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\windows\system32\dobnllof.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\lsass.exe	OSE.EXE
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\snmptrap.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\vds.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\alg.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\svchost.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	OSE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\fijffced.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	OSE.EXE
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	OSE.EXE
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files\7-Zip\klncjook.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	OSE.EXE
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\geakanpm.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\gkbpadmi.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\inoibohf.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files\7-Zip\mnclgkoo.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\program files\windows media player\lnhkbjap.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files\Internet Explorer\fdekffol.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\cgoddhjm.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files\7-Zip\ckjgpiji.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cgcganec.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\7z.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\pnhochhl.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\pnpndocj.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	OSE.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\kcndgmlj.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\hnfobeem.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\dnmejccm.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ghpbhbif.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	OSE.EXE
File created	C:\Program Files\dotnet\enmgfdcm.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\iabjpiql.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\ndphlgfh.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	OSE.EXE
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\7zG.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\jkkbiphh.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ejlkpjei.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE
1732	OSE.EXE

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4308	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
Token: SeAssignPrimaryTokenPrivilege	2988	AgentService.exe
Token: SeBackupPrivilege	4588	wbengine.exe
Token: SeRestorePrivilege	4588	wbengine.exe
Token: SeSecurityPrivilege	4588	wbengine.exe
Token: SeTakeOwnershipPrivilege	1732	OSE.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	OSE.EXE

C:\Users\Admin\AppData\Local\Temp\ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
"C:\Users\Admin\AppData\Local\Temp\ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2232

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3680

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1732

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:656

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5873382833a395de1faf706eb148c55b

SHA1
c7e0200b950dd97d02bae081234851d0f1c20ad2

SHA256
39a4911fe4d04004ef70d9512bd5e66137141463a686a83e5a2dc2f4fe389719

SHA512
120874b95bb3ab8456c40be12411e8d46a51d6c61fdcbee173ad5c79c9c248659075cb824d700e4a0a69be07c8247dd361c27bce760b579f9082eb0977c15785

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
809KB

MD5
c3a6b88411cd3f9c6674e68fd7a06171

SHA1
7046ca8084a682607d4cd6b1c38f710b82b923fe

SHA256
12766a5b06d9ffc3d4a134d31d1823d75758b20c70fee8e36a9d3acc7e242678

SHA512
56d38ae18b538aa0eecc9351742151b70ca33c7113dfddcaa2dfc4a2e0a3356c08fc954415d160adb616d4db20c96c26a483d2ae01e8448da87d4ea833eff517

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
feab1fcaddae3fc981f0822678dfd6f1

SHA1
5a9aefe2c7351369cbf19242b14c4f70e0f227c6

SHA256
1a18f3ce1624d3a374addc368b311b5675a00bf799643341fdbe6964835350c1

SHA512
6d152e3eaf4b955fe7963a786112a9e81ca81d596047fdf76044c9b568596fa50a9c2f4b355bbbff82f41973b020c6a33afa27e26cb9f8c7fb297770749ea135

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b44e1faeb9e519c4db55a6015d1e2570

SHA1
35def54e260c1da6f6812d14dc6e16bd3ce093c4

SHA256
59202a79e3a98d65e8ddf0f7806c8673aaf6d6ac45c40bc8f261f42620c66474

SHA512
e8fe27a79d405f3dc468d19c79563fb07aa56a17ea083a6b4affc1f29487728aa4a43be05e1ed859326a7b44a6eb525fb1aee5b15525c7070a650b93f16b62d8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2ea6c281a3789a3e4b671ee19e7d71b0

SHA1
db00d4f0acfe12bfc7f301cdb36db00c9959ecf0

SHA256
70bb3c703884e1534c3306662f0fe4a9d5e6f47455b5f229b30823d94562efe6

SHA512
f851e3352415c2fc18b414314ed67e77d389ba7fd61594a67499aec72ed83b398452e5b696997b0974df4ca9d1c57d6742d6cde8bfadd37b98c004a13efd7ff5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
598KB

MD5
522fc6a6bad238e46deb8021f49488eb

SHA1
04aa24581c591947741b8d97bee2e2176ef94949

SHA256
12327c2da5bda290b9ffa7b69795157e4580b18a08ead34fba55419601dead0e

SHA512
0312f4310a621a19b17bd2e3ab3b7bcaf94c37ade15b25cfefce9ba44837c9ee9c722562321870199003cc45abc0f8c647e028dd55236cc6566d3edab332e91e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
860KB

MD5
454381fabbf85139ad747f0cedb27db4

SHA1
a1a58b05ebf8e41866e283a1183928d2738d0c25

SHA256
919e0e5a983e3af3ba7e13ed4b3a3ef8cc2cc03e599ceb4f997834e65c0c0622

SHA512
57d65f93ddea82cf7c0a44d2e15cc0ea585e783433b8386bef49e9d5e7fffdc54cac1a4463ca8115a0881f8c59e5b2b5f6b8135df82250ed1e83f67735b98c28

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.7MB

MD5
190e2667557cd6587aa682d061ed7330

SHA1
38c18679cb57f8e81c20fb53a5e64e199a2e3ad3

SHA256
b4e0abef0ddd60c1950a8ac6385654847d551ca1b87d7e15e72a1155ce53e6f9

SHA512
7ba7ca038c52b5f32e36c0e5f6cb4fda3312d794523d8292568b1bf818add9b4ac29d0432f4eb211ac2d3635dd04cc9e4ae320daed01756a254f7bf8454ce9ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
930KB

MD5
a616bf9b9da4c76f9d3e77ba9bb5c870

SHA1
c7eb59bff61431d1acd7b722b2697b2b50ac1815

SHA256
35c856010beb1e1b7a074742b0376b6c4a28a5f5aa04473e1b97a24012d63b30

SHA512
6571929c1fd2ec183985eb3ec7c41591dddd291a42fc6d70a761c0ca19ff31cc860d070f30a75261613f623c02ea93aab10658e9344e43ecfbe779dafa368baa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
510d39ce202fce96d360c996fc3489ab

SHA1
b53d330541934acbce21108187200d4245aa482e

SHA256
767443ed60758b39f7362bffb790aa2d4e4e259678df3858b0b201071d63f6ac

SHA512
c9b80fc6629a384e666d7a5239828b928107e9400e570ea6c1636c4fb7cde31aa39eb8dbc8984c872f5ffa775194b55aedac286889ad9f4d89a8222527144e6b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
600e86d22837f04490b6d756b6e7c4d4

SHA1
caa61a46f9764ce4e498ba556d48961b2031c84a

SHA256
f4085cb54943d0d69828e6d7e76d048d68d510215f1a8957eb265b864fe6edce

SHA512
3b8cef0d932626bc0f89aea570323425336538aef19c3637ce02f7080a2bc5f24f70282a51e1b1006946e864f055eeda0aab043196ea7363e9d8fcb65c7f1bff

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
825KB

MD5
886a0fa1a16648b219a856914220ec37

SHA1
74538327db4e0eaae70ce11243d70d7e552c1cff

SHA256
f7b8b3926a2e44e037d2ea774a45932dfaa61b8e7fd303e97ce3bc7cca32464b

SHA512
58993be69f12ab313645b389456255bb20addd61579cc58e8bae16563c0ae6d982790917ec7678cd6f6bd89fe44703f3060316c13ff8c9a3c6889178d158c90b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.2MB

MD5
fe46659668f45bad2e648d12d757a7cc

SHA1
389db8450d23694b5e8da2cc6e29ddfd1377660c

SHA256
63c3356830760b4b9085123d43b9d4dc7f390c804f03cce3d7f99fc3013ebf34

SHA512
8262c99bc7f99b13f7fb2d9fd5c75a775696a6a5b644ed066834781884e7e4121e414fcbbe5c6681f7e6242789b6eb0d3f534cce99c263e7c4b3f27823c031d4

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
1010KB

MD5
0d9fd3028d7e10b2b066146f383c36e1

SHA1
85159ba9f9a2f40c98d6d5f2e13bbf9df6c7aefd

SHA256
0d168cddcebbaed16353534ca64eef792e0d1a42beab7b3ae411d283961130e5

SHA512
3c2e74042f171e568da960e022f9b99e2ad315e7d1f4da533ef1558bcc21ffbdb51bf0a2296bc8cf83d12ef48e5339f53fe20ec43e98779777771827a1fed1c1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.8MB

MD5
131f25dfad61c8029bcb779ad2aefabf

SHA1
e1d06d93641fcddf2f05a8cadc4f8f7381b59d7f

SHA256
ea1c4612f61507f8c69733cb2d1d65d9cf64ef79ddce47c7ddaccdf5d282b63f

SHA512
300e8c1bf6765509e5a5c43bae17b84aab2359fb161f4087abf2c6fe69ca8eb1ef0c7be0b75897af4e19e6000c740a3c1c3af4ab46bd505520be8e1cc419b68f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
960KB

MD5
76c43390bae29297fd677218eb1ae0d1

SHA1
9a0bf4ee36031ff11df8bd3499ccd64071eb46af

SHA256
08c3de3991db7d8185ac6d9627509b677f695e270d5538a152e3546fc86d44f2

SHA512
5781abb928ded97fa74a7f0c92e561b208272bb81770be4463c9237ef9364dac7490ffb6aa601cec24265f0e940c05a6574c05a012e43825dbcafe79f65a1f16

Download Submit
C:\Windows\System32\leplicdo.tmp

Filesize
1.3MB

MD5
87f2d0c6bcad975dce50451e75b255d0

SHA1
e02700f1c07b151476048dcd36224c1a199a7ebd

SHA256
282c89cfe3bffdd2996baeae8df01dd7adccf878d5242e8bd1b0ee99118caa85

SHA512
d4993bb45732d804aa2864fbf0a4f9391d3e2ee7046a2c70df71ecf935d927ba829dff6acad202aa071aa5c19e3d437d463e15bb60240660776c20ff48762187

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5ad8560a582740bab26cf97a07976cf7

SHA1
c1895859b8e8df63549f6a9b47d36af9ca647076

SHA256
5b112431e075b243e0187fe06f2a77d5cdef5f0e3347338f5705ad135a96eae6

SHA512
771ca469ddd99060f1c6f4b85be77c16754bc31225a72d498ab59ccba934aa66a5f8b43cffd0a68f619e8e9b2c913a0d11c804d93603c5a4ae6d294436721e4a

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
1.5MB

MD5
0ae2f335ed264dbb7bdc7a391f38b276

SHA1
3464fa2ccfb4bd0f51404ff701190a19e13a1d41

SHA256
b8aaa99d78d26cd14f9ffd2451b4d683be8b4906198f81602463442d79bf5f7e

SHA512
48cd7d52cc6caeef5151ae6cd51aeecab590f43a8776acea5c78aaa801a2b7ae31550ecd6341428c919ba63f253a5b75e01565c22a282202f1dbdb26f22acafc

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
3bab0e34091e744ea9fff490fa705c39

SHA1
fa701fcf8136068736534a6f604a4e73213755b1

SHA256
01fae67ef64c0a8b0914dd1a53ebc78350eaf890da638a3419d7154491c1955f

SHA512
c8b0b220b61aa5cb069b85dcf1536512f9cdf7707e364c727242bcdb536b69d34fe70267222160c342a871fb9da2a83df626d3e6c6cc34e6784fc3badf756c82

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
732KB

MD5
242ff9fa6e0ff3b43b50781942bde388

SHA1
c0515a78b2d836770a3f3c4120c36e357905443b

SHA256
3d28fa3fdcb0f994f0c052a3daa812aa1c9394f47d40fb2307ab34fb6b4758a4

SHA512
21c3d692f5906f695c4a20c67d867bcce5f04e7d261e969d76e6996c085945469f245f21b1b175fdaa3ad5e7ecda0304273b70c0fe115fce0f5f1ad8ce8d0463

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
655KB

MD5
6dbbdac4a794d99708c62ea5574e8d9c

SHA1
276322f062d6b69756957cb99736ff3be272c3e4

SHA256
b4f9b8961a49ddd2e468cfa23ba165b79ff714bace18cbcbca6a41b9d0d99e30

SHA512
90550a2f9d910fd6d6ba7b4a79fa735398a58c69e6e9c1daf5c58194504dacda1d277c96fb6afce7c0ba63c09186b1291aa4e543819af01d4d77bf83d89c78b3

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
604KB

MD5
8f4aec72b10b2739d4e20c10930b6614

SHA1
16023baec16a455b16381f3c752adc1523c6d222

SHA256
bd6c7d7a6fb65b31c67f464bec762ff51a3c1f6dc9f3a4a96d51be87df5ad9e8

SHA512
4a8df2984c9c3c93eddd9c0369f1ced4f47a14bbe2b6a585b82f340df963f9c1dcdf17a8b67701e703b440c7d7731461f497ed9121417f7d540a5fd42eff8bef

Download Submit
memory/232-20-0x0000000140000000-0x000000014042B000-memory.dmp

Filesize
4.2MB

Download
memory/232-21-0x0000000140000000-0x000000014042B000-memory.dmp

Filesize
4.2MB

Download
memory/656-93-0x0000000140000000-0x00000001402F9000-memory.dmp

Filesize
3.0MB

Download
memory/656-101-0x0000000140000000-0x00000001402F9000-memory.dmp

Filesize
3.0MB

Download
memory/656-74-0x0000000140000000-0x00000001402F9000-memory.dmp

Filesize
3.0MB

Download
memory/656-73-0x0000000140000000-0x00000001402F9000-memory.dmp

Filesize
3.0MB

Download
memory/1732-59-0x0000000140000000-0x00000001402C6000-memory.dmp

Filesize
2.8MB

Download
memory/1732-83-0x0000000140000000-0x00000001402C6000-memory.dmp

Filesize
2.8MB

Download
memory/1732-60-0x0000000140015000-0x0000000140016000-memory.dmp

Filesize
4KB

Download
memory/2232-28-0x0000000140000000-0x0000000140422000-memory.dmp

Filesize
4.1MB

Download
memory/2232-29-0x0000000140000000-0x0000000140422000-memory.dmp

Filesize
4.1MB

Download
memory/2988-81-0x0000000140000000-0x00000001403B7000-memory.dmp

Filesize
3.7MB

Download
memory/2988-82-0x0000000140000000-0x00000001403B7000-memory.dmp

Filesize
3.7MB

Download
memory/3680-37-0x0000000140000000-0x00000001402C6000-memory.dmp

Filesize
2.8MB

Download
memory/3680-36-0x0000000140000000-0x00000001402C6000-memory.dmp

Filesize
2.8MB

Download
memory/4308-0-0x0000000001000000-0x00000000011DA000-memory.dmp

Filesize
1.9MB

Download
memory/4308-2-0x0000000001000000-0x00000000011DA000-memory.dmp

Filesize
1.9MB

Download
memory/4308-1-0x000000000100A000-0x000000000100B000-memory.dmp

Filesize
4KB

Download
memory/4588-140-0x0000000140000000-0x000000014040D000-memory.dmp

Filesize
4.1MB

Download
memory/4588-90-0x0000000140000000-0x000000014040D000-memory.dmp

Filesize
4.1MB

Download