expiro | b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
Size

610KB
MD5

cfa8191b3ff2d4c91719db8affaa6090
SHA1

1bc6a3276fc444c1faed44347b3180eb8b3803bd
SHA256

b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7
SHA512

8a24aab9c09bb018b7dbe4c78d5437e1bb13aa94111240da99450b3728e2aefd1149c5e007aaefc1856ee591d5e2a8e12bfd96dfa9f620733c835901994cc572
SSDEEP

12288:BPrneXCtwpxa5ICfznTODkiRrZ3VpWCDy7Frd3:BPr4CmpxayCfznTkhVpN6rd

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 4 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2092-2-0x0000000000400000-0x0000000000656000-memory.dmp	family_expiro1
behavioral1/memory/2512-55-0x0000000010000000-0x0000000010257000-memory.dmp	family_expiro1
behavioral1/memory/2996-161-0x0000000000400000-0x0000000000660000-memory.dmp	family_expiro1
behavioral1/memory/2996-162-0x0000000000400000-0x0000000000660000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 54 IoCs

pid	Process
2512	mscorsvw.exe
476	Process not Found
2760	mscorsvw.exe
2996	mscorsvw.exe
2832	mscorsvw.exe
1832	elevation_service.exe
1260	mscorsvw.exe
1556	mscorsvw.exe
1292	mscorsvw.exe
2968	mscorsvw.exe
1308	mscorsvw.exe
1496	mscorsvw.exe
1580	mscorsvw.exe
896	mscorsvw.exe
760	mscorsvw.exe
988	mscorsvw.exe
1668	mscorsvw.exe
2588	mscorsvw.exe
2476	mscorsvw.exe
928	mscorsvw.exe
2300	mscorsvw.exe
984	mscorsvw.exe
1708	mscorsvw.exe
572	mscorsvw.exe
1056	mscorsvw.exe
2748	mscorsvw.exe
2688	mscorsvw.exe
2784	mscorsvw.exe
1724	mscorsvw.exe
1580	mscorsvw.exe
2396	mscorsvw.exe
2440	mscorsvw.exe
2156	mscorsvw.exe
2560	mscorsvw.exe
2888	mscorsvw.exe
940	mscorsvw.exe
2896	mscorsvw.exe
1952	mscorsvw.exe
2656	mscorsvw.exe
1696	mscorsvw.exe
2716	mscorsvw.exe
1636	mscorsvw.exe
2828	mscorsvw.exe
1048	mscorsvw.exe
2372	mscorsvw.exe
2444	mscorsvw.exe
1608	mscorsvw.exe
2340	mscorsvw.exe
2756	mscorsvw.exe
2400	mscorsvw.exe
2892	mscorsvw.exe
2776	mscorsvw.exe
1032	mscorsvw.exe
2280	mscorsvw.exe

Loads dropped DLL 41 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
1580	mscorsvw.exe
1580	mscorsvw.exe
760	mscorsvw.exe
760	mscorsvw.exe
1668	mscorsvw.exe
1668	mscorsvw.exe
2476	mscorsvw.exe
2476	mscorsvw.exe
2300	mscorsvw.exe
2300	mscorsvw.exe
1708	mscorsvw.exe
1708	mscorsvw.exe
1056	mscorsvw.exe
1056	mscorsvw.exe
2688	mscorsvw.exe
2688	mscorsvw.exe
1724	mscorsvw.exe
1724	mscorsvw.exe
2396	mscorsvw.exe
2396	mscorsvw.exe
2156	mscorsvw.exe
2156	mscorsvw.exe
2888	mscorsvw.exe
2888	mscorsvw.exe
2896	mscorsvw.exe
2896	mscorsvw.exe
2656	mscorsvw.exe
2656	mscorsvw.exe
2716	mscorsvw.exe
2716	mscorsvw.exe
2828	mscorsvw.exe
2828	mscorsvw.exe
2756	mscorsvw.exe
2756	mscorsvw.exe
2400	mscorsvw.exe
2400	mscorsvw.exe
2776	mscorsvw.exe
2776	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1163522206-1469769407-485553996-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1163522206-1469769407-485553996-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\H:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\L:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\P:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\Y:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\J:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\M:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\Q:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\K:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\W:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\G:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\I:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\N:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\V:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\E:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\S:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\Z:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\T:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\U:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\X:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\R:	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File created	\??\c:\windows\system32\pibbeffn.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\vds.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	\??\c:\windows\system32\llgeeepm.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	\??\c:\windows\system32\famiqgff.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File created	\??\c:\windows\system32\pffpgida.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	\??\c:\windows\SysWOW64\lmcnfcka.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\kcbnmqpg.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	\??\c:\windows\SysWOW64\dnjmklld.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	\??\c:\windows\system32\ebmokiip.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	\??\c:\windows\system32\mqebhalg.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	\??\c:\windows\system32\hgpgohcb.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File created	\??\c:\windows\system32\dnnimlma.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	\??\c:\windows\system32\wbem\nlkkipkj.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	\??\c:\windows\system32\jlifhlda.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	\??\c:\windows\system32\milbific.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	\??\c:\windows\system32\egpbpepq.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\system32\locator.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\cpkcoelj.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\feqkbkgm.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	\??\c:\program files (x86)\microsoft office\office14\jaeokmld.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\gdaoemja.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\llopmkim.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Program Files\Internet Explorer\aglddoil.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kfefgkli.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\nimidobm.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\klonohhl.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\nigmjhgo.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\gakpqfhp.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Program Files\Internet Explorer\onnmbqjl.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\qfemblig.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\idddgalc.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\qcogljfn.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\cgakfigd.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP72EF.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	\??\c:\windows\servicing\lfenobei.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5C05.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP66CE.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP62F7.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\pnihdpfl.tmp	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5293.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6DEF.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index156.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe
2832	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2092	b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2996	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe
Token: SeShutdownPrivilege	2832	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 1260	2832	mscorsvw.exe	37
PID 2832 wrote to memory of 1260	2832	mscorsvw.exe	37
PID 2832 wrote to memory of 1260	2832	mscorsvw.exe	37
PID 2832 wrote to memory of 1556	2832	mscorsvw.exe	38
PID 2832 wrote to memory of 1556	2832	mscorsvw.exe	38
PID 2832 wrote to memory of 1556	2832	mscorsvw.exe	38
PID 2832 wrote to memory of 1292	2832	mscorsvw.exe	39
PID 2832 wrote to memory of 1292	2832	mscorsvw.exe	39
PID 2832 wrote to memory of 1292	2832	mscorsvw.exe	39
PID 2832 wrote to memory of 2968	2832	mscorsvw.exe	40
PID 2832 wrote to memory of 2968	2832	mscorsvw.exe	40
PID 2832 wrote to memory of 2968	2832	mscorsvw.exe	40
PID 2832 wrote to memory of 1308	2832	mscorsvw.exe	41
PID 2832 wrote to memory of 1308	2832	mscorsvw.exe	41
PID 2832 wrote to memory of 1308	2832	mscorsvw.exe	41
PID 2832 wrote to memory of 1496	2832	mscorsvw.exe	42
PID 2832 wrote to memory of 1496	2832	mscorsvw.exe	42
PID 2832 wrote to memory of 1496	2832	mscorsvw.exe	42
PID 2832 wrote to memory of 1580	2832	mscorsvw.exe	43
PID 2832 wrote to memory of 1580	2832	mscorsvw.exe	43
PID 2832 wrote to memory of 1580	2832	mscorsvw.exe	43
PID 2832 wrote to memory of 896	2832	mscorsvw.exe	44
PID 2832 wrote to memory of 896	2832	mscorsvw.exe	44
PID 2832 wrote to memory of 896	2832	mscorsvw.exe	44
PID 2832 wrote to memory of 760	2832	mscorsvw.exe	45
PID 2832 wrote to memory of 760	2832	mscorsvw.exe	45
PID 2832 wrote to memory of 760	2832	mscorsvw.exe	45
PID 2832 wrote to memory of 988	2832	mscorsvw.exe	46
PID 2832 wrote to memory of 988	2832	mscorsvw.exe	46
PID 2832 wrote to memory of 988	2832	mscorsvw.exe	46
PID 2832 wrote to memory of 1668	2832	mscorsvw.exe	47
PID 2832 wrote to memory of 1668	2832	mscorsvw.exe	47
PID 2832 wrote to memory of 1668	2832	mscorsvw.exe	47
PID 2832 wrote to memory of 2588	2832	mscorsvw.exe	48
PID 2832 wrote to memory of 2588	2832	mscorsvw.exe	48
PID 2832 wrote to memory of 2588	2832	mscorsvw.exe	48
PID 2832 wrote to memory of 2476	2832	mscorsvw.exe	49
PID 2832 wrote to memory of 2476	2832	mscorsvw.exe	49
PID 2832 wrote to memory of 2476	2832	mscorsvw.exe	49
PID 2832 wrote to memory of 928	2832	mscorsvw.exe	50
PID 2832 wrote to memory of 928	2832	mscorsvw.exe	50
PID 2832 wrote to memory of 928	2832	mscorsvw.exe	50
PID 2832 wrote to memory of 2300	2832	mscorsvw.exe	51
PID 2832 wrote to memory of 2300	2832	mscorsvw.exe	51
PID 2832 wrote to memory of 2300	2832	mscorsvw.exe	51
PID 2832 wrote to memory of 984	2832	mscorsvw.exe	52
PID 2832 wrote to memory of 984	2832	mscorsvw.exe	52
PID 2832 wrote to memory of 984	2832	mscorsvw.exe	52
PID 2832 wrote to memory of 1708	2832	mscorsvw.exe	53
PID 2832 wrote to memory of 1708	2832	mscorsvw.exe	53
PID 2832 wrote to memory of 1708	2832	mscorsvw.exe	53
PID 2832 wrote to memory of 572	2832	mscorsvw.exe	54
PID 2832 wrote to memory of 572	2832	mscorsvw.exe	54
PID 2832 wrote to memory of 572	2832	mscorsvw.exe	54
PID 2832 wrote to memory of 1056	2832	mscorsvw.exe	55
PID 2832 wrote to memory of 1056	2832	mscorsvw.exe	55
PID 2832 wrote to memory of 1056	2832	mscorsvw.exe	55
PID 2832 wrote to memory of 2748	2832	mscorsvw.exe	56
PID 2832 wrote to memory of 2748	2832	mscorsvw.exe	56
PID 2832 wrote to memory of 2748	2832	mscorsvw.exe	56
PID 2832 wrote to memory of 2688	2832	mscorsvw.exe	57
PID 2832 wrote to memory of 2688	2832	mscorsvw.exe	57
PID 2832 wrote to memory of 2688	2832	mscorsvw.exe	57
PID 2832 wrote to memory of 2784	2832	mscorsvw.exe	58

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
"C:\Users\Admin\AppData\Local\Temp\b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2512

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 238 -NGENProcess 244 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 150 -InterruptEvent 1f0 -NGENProcess 184 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 25c -NGENProcess 23c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 184 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 25c -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1f0 -NGENProcess 268 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 26c -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1f0 -NGENProcess 268 -Pipe 150 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 27c -NGENProcess f4 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent f4 -NGENProcess 23c -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent f4 -InterruptEvent 25c -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 268 -NGENProcess 27c -Pipe 110 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 280 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 280 -NGENProcess 25c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 294 -NGENProcess 27c -Pipe f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 25c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 25c -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2a4 -NGENProcess 23c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 23c -NGENProcess 29c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 2ac -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 294 -NGENProcess 2ac -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 294 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 294 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2c4 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b4 -NGENProcess 2e0 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 294 -NGENProcess 2e0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e4 -NGENProcess 2e8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2f8 -NGENProcess 2bc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2dc -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2d4 -NGENProcess 2e8 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d8 -NGENProcess 2fc -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2fc -NGENProcess 2f0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2f0 -NGENProcess 304 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 314 -NGENProcess 2c4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2c4 -NGENProcess 2fc -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 2d8 -NGENProcess 300 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2280

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ncjookla.tmp

Filesize
694KB

MD5
a2aeffdbbd8ea87a7b29835036885b47

SHA1
95c55ceab182ecba0c622d2817f9594fdbcd6e56

SHA256
5828c3cbcb1d0666e790825f213ff13737fb61ccb730215fbe6fdeeb2e84cc94

SHA512
aab11de99c2cfbfafb4b256c0552477e918fc207f4dac25392c19fbb0fd074ac7258ad9cedaf984403997aabaf568e295e18e643e4a972c181360c75098b68d3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
6d22a322ddc1d77e65b3c18f8ba7936a

SHA1
49c5cc95c22c94d8d48b1fbfbf966d398cf520dd

SHA256
c401e2c8f7963587846ed9f87a99dae4e745f4f5359ea1b7375217abbdb7cabb

SHA512
9139e2b812670e6ec4997d5011a4ff5f62e3f0d3d239787f0d57dbeb4a24682404facad865379055d414cd9be766a6b3566ddf4fe842b217082a5ecb66fa19c6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp

Filesize
4.8MB

MD5
0f7d354ed8a44f797f1f76847525301f

SHA1
f3d224c45effac882575e15a8034d120435ec908

SHA256
14a82a559b2b4fc8fbf4b9d7633a411b1f7a49e2c43390606a8862e6012b4238

SHA512
14cf4e2f0a3cd7600da371d1d1601a3c1c8e08ad9a0b2d328179ac5c26134d6c32f5163cde53f81bdfabe14683a29821d50490c95d9789c041ec59a1e8eecf05

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
4dd1a50bb9aa7f4273661449bba37b5a

SHA1
cbe56949801ad486614dd941a3fd89fef7b8a3bd

SHA256
e4ac9579a2d7c8bff1e38c42a847d14c0d4ad6eaacd21967b905d93a2695f26d

SHA512
d9db0c58fe1ba4eb581a905637817bfeaa1457f5a9730afbf6560188f55c0a8ea55d75ae7d35efe8f69ebe7fc102289fcd1ca41242a960470361bd427002c5f2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
77f94c9329b28a0025ed1ae88c0449da

SHA1
bff2ba696b5af236d1adff16fd09ae1166397da6

SHA256
0ffba0a47ed47e6b759696c5110b65d100c475231e6b678e92ffd44c7fe962b7

SHA512
ae926b0268f20c90bfde760afe8e2efff1c42f16a8c7f43cb55401752ff19847a14784264051f642690f3870543d9587f3050dc05232425432f9eb97510e2518

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
1e05d250c80acced74666c29b14905b4

SHA1
d1706e164ccd908feb24cb08751abd16162667c6

SHA256
fab98b63ebe8249545f8a859549b2b4115df7485ca108a7ad835d028b55faa28

SHA512
c2fe40da584ca8d7868354bf8099ac680641affe5a232074c71bff43175d90ec1adcf9b745898d57e3ee58d7b37347bab4388beff5667622cc271a836e177209

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
b366819eb3fae41139dcf3d0caae4bec

SHA1
240c4188550de4849bb68e776f8e2f9e9d13d7ae

SHA256
0c13cf80a4e5d59e1f9947987bce69d8c8953afb5ddac48e7671ca72647332d1

SHA512
dd6b49c7a7f5d7f05fb0b247c367185aa704e1254b3bda8b64083866b282064845414f1929584ff1be2eb1c5d71c24a0a5d4f8e9a3159f9431285de4eba1371a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
fdebf76741ceb35003f15d9fe46142cb

SHA1
99b20d2926b63ea713ba7ac84827115cadbe367e

SHA256
835aa8dee22cb5ef969941b81f534478019cd67b4408f79ea8eca1233fb798fb

SHA512
b29c13aa8e72b04d93b428ca851b49aeb0e5b0d76799692b05caea9635f90d8261f233dbb6f7921cc9a8490f2156789cb488ccbeb835c17f89cecb2fa17762e4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
7fc21c3fac652dc44746d46be358ccfe

SHA1
7f07b8788b9d4d3f731f6d66fb3f3d64c251394d

SHA256
a3352ff7c23816b32c154349bc6ff43dcb00c3f87702c37c05bf9f88e53ccdaa

SHA512
af04a19bef19d6e69800f6b7d48b9dad99380b2dc62f638b9eaf445d88b7a06304cad043627962527301637b739921bdc825ce2bcefca629d93911bf8075a3ac

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
497e2e405b572084bd792790c0e59800

SHA1
674965efa4c8aa2c673b0b98c209791547fcbf40

SHA256
bd6204b58e3b9d2b71594c8bd83f65f45d1fcd7b3506e35d83e67562cf8ece81

SHA512
1729c757212d222352a664e0d5b63227dddbfd97b7662c915c53b96e29a03b960d10f9f60c808c4892638d08086fa4d4e4fd65ae38d21fdb39be39c2574d8ca0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\1ba97107c927d6596b6cea93d996ad84\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
509107d2d4f8da9096b3489e58d9cfe3

SHA1
00b539381153f9dbe2c63035849b3e3ff6f72973

SHA256
ebde7a168f8918ceabb79121ec6c3670823a850ffc9d86dd791b114767a485e8

SHA512
6e4ac1f69c1fec18f1a8bd9dd3e4fe3207761035d116afe73a910bd9350eaca89dfde590b40cdcc668a3e182b4d468bd7466497b0dbd0681962f56d097adf021

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\692697074f53b9c2b5d7561665486e51\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
bd0051ec9703dea2f728c72e14f6645f

SHA1
c9ed9c9d22c6c7ed1b510bb0415b89a5ab0e0033

SHA256
0c965be3577b36fefc1693799022a79042b35f9fcec8c89db48c68ec11652009

SHA512
0111b5bc8de8cc69daaf4d60d60d85b2be88cf93921bea07fbe317ba9438fd444ac3f53b397cae77e464c1f250e46423ddeea098147b1331a54c5c2a8f715c79

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\aca3af00939d9b50c4564f5b8ae9b3cb\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
02192f0e1526e557123aaf7c25bf2cd5

SHA1
a9a628e15c78316fdecdaa5439a94f0e46a7873c

SHA256
c65a64ead10a1dd01259d6477ec61f7e67c164266de372ac4de806e1e1e08769

SHA512
bc77e65efd9067f310d13cd4166e5f8b594b07b7cc7b5737098484fa253a7a8ffc48d9db2fe801213e07bf25029d535e48e2330934c2d3426226505add21fa28

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\b5dea15712f653156cbc11f278c055e0\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
45593610c8c6525bff49e9689422d1cb

SHA1
674425ed1813046896daa987bbbd004f6ba44639

SHA256
2f841f1d512955105e67d6fc2b9c5efa96182932580c8e46cb68b57f70cad8d2

SHA512
a7b2ec831f317503f1575dcaf547c2821b423948dae99a0564c4a904bdf897dde2f599fe34c3253e5e2c26a3df49c5db4e6a8ced803ae0f604971064c6dad55c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
694KB

MD5
5b58292711c3a4c4e3994c9a565b3cbd

SHA1
aa27871f022881d8aaee57b8a5d423f77bec26dd

SHA256
5e084a1861a5c667bb141a433d7a33b652674b28a196200a2a38ae7a145e8971

SHA512
c19053cb30e158cafb6b719173dedbd18285a86b509c5bda58e041cab183d6271a2d172d452748f6b409faa995b3d97a46a6492ed7c3e111c58d35762d930a45

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
c44e2f568584df945a5a420cf9cae1db

SHA1
d66fe78ee5bc285178e8f1e84a5f244ddb1cc92f

SHA256
e983062ed15c66a06bf8825827fee28152f695739ab56f4acf2c50621e975df0

SHA512
32daf09974cd81cca82557ea4d0bbec30e63619bc92cc2ef2a67aa6856da6e44f272c2e2acfafc20e7cad484328f372ac7236438978699ebfd457b6ece660f0b

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
769KB

MD5
072501663e7189b3f760ad679a7c53c7

SHA1
d68cc47076c8640696b024e792ccdeb3675676d2

SHA256
e5a20ce03fa7dd52b1664560de6c867e436475277ba58eb3bcafa5467d65577f

SHA512
732369c344ee36224ddbbba024effa239ee05dad98748ecf12fe8c32f0c5b314d3753ccff022da2c55a05f2499ad3c18a375dc3d17ad57666795e3394855e896

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
2.0MB

MD5
9c8e3517879a7f9f58804154344cf74f

SHA1
f072194a2cbb8712b048d27be9769c4cde8be9b9

SHA256
b94109877d9340854c6a2302039b26c52ffcde7d1c49fd4b7df39a9facf23d0d

SHA512
051e77d6d6a25aed66159ac8a118f0bfbda1fba8aabab9bbb8b69af6342ee1a61a84c3a86bd38f2f8d04cdc1d9c8d64e138162697ee0fdf8af063be5646c722e

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
aea0a30b0745954f8c76c2698511c712

SHA1
7df6a59c943624990be0b8ab323f1cd0120ca8cb

SHA256
5c8d562bc0ce096de4b151df26eae42330aa6b64cb1e2c4b88d65d1cc5f930ab

SHA512
922a82da7ca2553615e287df0095fc8a9fc569e841c8aa347f336306c4ae4885b570e7f73faf447adca24a743dae9440e46d14eb600d0c1e95c9475186e0c509

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
679KB

MD5
76998c2c36012bc42a86470b7393ee2c

SHA1
d7b50bbbbbaeb1aec1afe5221c2054fc8ab83050

SHA256
310c1e14555e00a7845a7b739c5d31c6c5ae66462b132ba82037a77380456c59

SHA512
bb8ee93664f981a46520ef521dd90b163735ab709e719fd6b9306a4d12cda8ea24e2b89a3e82d9511f772d50e2c8ea60a3f11d7adbbeb8639d6e9b038fa55037

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
591KB

MD5
2c51b40deec8f38e660706c2aa788104

SHA1
1d8b97a4fc2e8348c0373c6c3d318e3d9ba047b8

SHA256
9d6787eefc99ffa3901e4e7e499cc0d4cd47b6666ceb57172e7418e51b656faa

SHA512
b3dbd6c071697006c93da40fce8625fdfb85ad513480629ccc27708797a920315a60630ed07eb68ae6a7822e6c5f1f2ed5c40ace145c3c13d75d5f7c2b9f11f1

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
632KB

MD5
6c73dbdc8403cf9859e6c156f5c81fdf

SHA1
8a90b4473e26c8de08bb38eae16e69a4a0f03c11

SHA256
e2d75bb035e1dd5d2a0baf170a2d623453c15139c813249e72b1926a8ddf1b93

SHA512
811dd344e6d8cd053b47b1a33105114cb09a1b97c42d49319402395a0adf2437d3e9a75639a5ba4d3391e28a78a36443a9814a0ee70710013066dbe2df8e2ce3

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
6cecae76072d59ff1e9c380c946e05ff

SHA1
b8c11396b4d16cc555305eab7d87f0a6784d8781

SHA256
f773b1174eb956d4a021e25edc472ceec013790d30b8243192f18a9f712b5fb3

SHA512
5e1b40a03070200666fd19f66145d246f32f6b61f979ec256f199c21981fffec40d18c46a526affb63e145c33446ee001487a05dbe91db1bb7297f1923e6ab30

Download Submit
\??\c:\windows\system32\ieetwcollector.exe

Filesize
662KB

MD5
1e0d893c0af25a6646c384a7c4d81edf

SHA1
c55b3b58f61b0474847e426bc2ceb6fb42512bb2

SHA256
7b9227b33d243d1fb045fe575c7232f0d409669f582b399df4fd3e83dc1a0416

SHA512
acf24470c5713a1299893128cfebb4cca0339c7ccd3948bb06adab5fdc808a232ccb63227c9e99904fca7c081d41e3fc0abb1bd8a23a6673d8ab8ab739902f35

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
693KB

MD5
196ab106406a97e2dee8ac4ee546ab46

SHA1
76bcc1ddbb9ced5dab97693500a3dfbaea1ce983

SHA256
71242011e638aefe39a6d45b74b20eb68ac3f63646586aede8e6af3c45da0437

SHA512
e7fb0f5c41b80e8c94f00df38d67000265c9b7d0e96f4c47fc6e78d3738c94627f486b7b89b41e477aed9e7b6f176189e55cc896cfd8e17676efa76aba101336

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
679KB

MD5
54286cafa5fad7baba037bdc92435808

SHA1
a100af486d8df5afd0c008e804b21de26297642a

SHA256
5bad33e8cf977b5b8756258d07e06dda5ec49dc5a9e648f6dbb38e42396247a8

SHA512
a7f455cbe54e4fe17d61220eb8d80cc7b8daa8f1c4d27b097cb360b95243280271278b5759968a1f0ac995db0702ba96f438a323b14ebed323ab3093764264e3

Download Submit
\??\c:\windows\system32\searchindexer.exe

Filesize
1.1MB

MD5
b4e38d39f37aceb36efcbe347a3f6e78

SHA1
04f7da67e63566e5dc73842cabdfb2b7beb27da0

SHA256
431cfecb1c6d45a4bdcf9d8ac266bea6e3a138d32b030cc5305a7f81a14a588c

SHA512
1b9318511f0428094f0831da1de23cac3b4071c15b89d7f7dfa748e698a6d0ce7b6b5ae816a1c12aa396a97bc883f1686cc8cca61a9cb56c8e447d3d6f6cb33f

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
569KB

MD5
16f40813cbdceac21108c33e44bc95fe

SHA1
ee1d541862ca316a4d7d199be450449e7d5c8814

SHA256
608a5bce17aafded7e5f45aa10ea6aef35e878e9d14b43c23d1bc2dc2df392c9

SHA512
2c2934b81e88d51ff6f5b2ad4c360b8ae30552df270965902ccc84b93ea5ce59bb32e87dabd25dd59fc34f8f46f2a8a6f53f868c13b6350f3fd9918ca9981e23

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
595KB

MD5
a0924b971eeb1f9dfbe79e3662b18192

SHA1
841dea9d02fe409191903d03ccdc37206642d007

SHA256
2b45065e4b63c6a5c76a98c22999cd5fd581b32090a8e2f54ac46fc178ea3a05

SHA512
6734006a721de13790dd29074613a4969c4a1146012f91030fb64f05d1c2a7c319fb0ed6117250015e3212ada0799a4eeb9131a25e2b3eeeb1fa48fcff0e687d

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.0MB

MD5
c31eea42e7470676015945cf1e6f5fdb

SHA1
9e54f553b1ce5d4436a4e00c1d8c9cc5c3492788

SHA256
19902eb90ef4d8354f1b44d9baed12fef1d786113d6e38e719dc12216fc6d7a5

SHA512
7d139dad1a8f318b3b13ed78d0b9ee7e418127fba2c3d4ba18a39b2c245657596a2cc77602af7ff4440abc6ea370de436d3a3b2f3a8e6b943acd960e4a625833

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
20efb30570297e4b42136ad4aac7dfe9

SHA1
e58039fa0b625df771eea0e95b61b051ff839519

SHA256
ca3eb9773da3ebc2653100fc96d3d5b39066bf8631dc75e6edc82d1b6ef43a85

SHA512
b8b18a934e71a78ec232dfaf904e9709f96848975c434a28289491966637e7e27cfdb601428e8e66e451e0454aacfa609d59c6595d12f484c78b9cc1b4019069

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
753KB

MD5
58fd123fccc8c759fa803bd894961bfb

SHA1
3b984ab19f30641844903f64dd6790708b642ba7

SHA256
2d699fe2da8e670dd911af805734c942544247a7f4741fe81ad4a0ff8766314f

SHA512
ef336dd7ae2af069fac7722821ee9fade95951c0eaeb1f5773fbe744f58658cdc07191e98568fa08663e0ab5f235e14e194c974be14bdf783ae7ef94589e2f2e

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
cce9b6a08d41e53f92b31ddb2d7516fc

SHA1
17090322d80961b9cac27f112bbf8a2b09f61cd9

SHA256
92e7062f6cf2bbfd6aa4cc935521344c27101b3d145516cc4df79eee2ef105d9

SHA512
6a48624cb0d7bfb28bc0cdf1bcb4400736956abb5e3512046a1bd024385efeb1761bded3dde100c43a68ff5e467e46dcea9855d957d0cee4e6088a0eb1034dfe

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c2488b4ac78fdebff96398dad9c7b027

SHA1
c06a8beca9ea0bfbcba449281320ee2737e1cbdb

SHA256
f13b77ce0f104e2ac3dd9515d4ab2c14614873c458ad93b34e6c611ae6864530

SHA512
d43a8f84b21bee82ee0fe1992baac488142d9a11d19d53f741a84da7edf06fa7981c35d3eaea60626d32bad3c8c81694e965ed02963c1fe4035662d41fd93049

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
636KB

MD5
6b912707a4e48214d6d14b15f3acf4a4

SHA1
4e23fda59a557e21000dae3806b86c5ea61c10c5

SHA256
ea869c5d7ff234ed7026ddd63fe94ca8af84732f78b5848e5b8c12abf3565f5f

SHA512
ba01f44533607464dc1f991c67bce97c1799b85703328fff22efbc620f8de40f9a4629d654c4f28e924388f18f5bc4f7891a9693e48e0985489d7e4f7c84b1cd

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4B33.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4E8D.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5293.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP55FD.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5966.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5C05.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
memory/572-476-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/572-477-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/760-376-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/760-375-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/760-385-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/760-368-0x0000000000900000-0x000000000091E000-memory.dmp

Filesize
120KB

Download
memory/760-367-0x0000000000770000-0x000000000078A000-memory.dmp

Filesize
104KB

Download
memory/760-366-0x0000000000750000-0x0000000000766000-memory.dmp

Filesize
88KB

Download
memory/760-365-0x0000000000740000-0x000000000074E000-memory.dmp

Filesize
56KB

Download
memory/760-364-0x0000000000730000-0x000000000073C000-memory.dmp

Filesize
48KB

Download
memory/760-363-0x00000000006C0000-0x00000000006D8000-memory.dmp

Filesize
96KB

Download
memory/896-359-0x00000000032F0000-0x000000000330E000-memory.dmp

Filesize
120KB

Download
memory/896-358-0x0000000003140000-0x000000000315A000-memory.dmp

Filesize
104KB

Download
memory/896-361-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/896-355-0x00000000006B0000-0x00000000006C8000-memory.dmp

Filesize
96KB

Download
memory/896-353-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/896-357-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download
memory/928-440-0x0000000002F40000-0x0000000002F5A000-memory.dmp

Filesize
104KB

Download
memory/928-441-0x0000000002F60000-0x0000000002F76000-memory.dmp

Filesize
88KB

Download
memory/928-443-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/928-439-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/984-462-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/984-460-0x00000000007C0000-0x00000000007CE000-memory.dmp

Filesize
56KB

Download
memory/988-393-0x0000000000980000-0x0000000000990000-memory.dmp

Filesize
64KB

Download
memory/988-391-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/988-395-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/988-386-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1056-488-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1260-198-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1260-167-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1292-322-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1292-319-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1308-326-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1496-329-0x0000000003070000-0x000000000307C000-memory.dmp

Filesize
48KB

Download
memory/1496-331-0x0000000003090000-0x00000000030A6000-memory.dmp

Filesize
88KB

Download
memory/1496-334-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1496-327-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1496-328-0x0000000000930000-0x000000000093E000-memory.dmp

Filesize
56KB

Download
memory/1496-330-0x00000000030D0000-0x0000000003118000-memory.dmp

Filesize
288KB

Download
memory/1556-199-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1556-197-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1580-344-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1580-343-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1580-354-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1580-333-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1580-339-0x0000000000920000-0x0000000000936000-memory.dmp

Filesize
88KB

Download
memory/1580-336-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/1580-337-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/1580-338-0x0000000003030000-0x0000000003078000-memory.dmp

Filesize
288KB

Download
memory/1668-397-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/1668-406-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/1668-405-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/1668-416-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1668-401-0x0000000000980000-0x0000000000990000-memory.dmp

Filesize
64KB

Download
memory/1668-400-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/1668-399-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/1668-398-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/1708-467-0x0000000002FD0000-0x0000000002FDE000-memory.dmp

Filesize
56KB

Download
memory/1708-475-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1708-464-0x00000000007B0000-0x00000000007BE000-memory.dmp

Filesize
56KB

Download
memory/1832-189-0x0000000140000000-0x000000014041A000-memory.dmp

Filesize
4.1MB

Download
memory/1832-90-0x0000000140000000-0x000000014041A000-memory.dmp

Filesize
4.1MB

Download
memory/2092-0-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/2092-2-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/2092-1-0x0000000000407000-0x0000000000408000-memory.dmp

Filesize
4KB

Download
memory/2300-446-0x000000001C920000-0x000000001C936000-memory.dmp

Filesize
88KB

Download
memory/2300-445-0x0000000002F60000-0x0000000002F7A000-memory.dmp

Filesize
104KB

Download
memory/2300-450-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/2300-459-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2476-424-0x0000000003180000-0x0000000003194000-memory.dmp

Filesize
80KB

Download
memory/2476-422-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2476-438-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2476-423-0x0000000000710000-0x000000000071C000-memory.dmp

Filesize
48KB

Download
memory/2476-429-0x0000000003210000-0x000000000321C000-memory.dmp

Filesize
48KB

Download
memory/2476-428-0x0000000003210000-0x000000000321C000-memory.dmp

Filesize
48KB

Download
memory/2512-24-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2512-55-0x0000000010000000-0x0000000010257000-memory.dmp

Filesize
2.3MB

Download
memory/2512-21-0x0000000010000000-0x0000000010257000-memory.dmp

Filesize
2.3MB

Download
memory/2588-415-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2588-418-0x000000001C730000-0x000000001C744000-memory.dmp

Filesize
80KB

Download
memory/2588-417-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/2588-420-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2748-487-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2748-489-0x00000000007B0000-0x00000000007BA000-memory.dmp

Filesize
40KB

Download
memory/2760-35-0x0000000010000000-0x000000001028A000-memory.dmp

Filesize
2.5MB

Download
memory/2760-80-0x0000000010000000-0x000000001028A000-memory.dmp

Filesize
2.5MB

Download
memory/2760-36-0x0000000010000000-0x000000001028A000-memory.dmp

Filesize
2.5MB

Download
memory/2832-62-0x0000000140001000-0x0000000140003000-memory.dmp

Filesize
8KB

Download
memory/2832-61-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2832-166-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2968-324-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2968-321-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2996-54-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/2996-46-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2996-161-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2996-162-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download