expiro | 308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/01/2025, 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
Size

738KB
MD5

1ffd1c53b2738258c5b1028d22e70f6f
SHA1

3b69a4874b9751a12fe76c8a1d44bf260e590991
SHA256

308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd
SHA512

738518abe28406963cad86ec0c6e1807a1bc28aadd614c0766f48a84ebe8655733d257449c37520f731b40c50020e0f668585b1fad660988d321ce7857b36c08
SSDEEP

12288:g9mmpcK5VEjObxrx84BdEPSsKRIkgq/2oW0Qtn+nd62puFuNtyg2nIh/Qkge:g9mmqK5VEjObxrx84BdEPARIVqs0QQtr

Score

10^/10

expiro backdoor defense_evasion discovery trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 4 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2176-35-0x0000000010000000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2176-34-0x0000000010075000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2176-57-0x0000000010000000-0x0000000010108000-memory.dmp	family_expiro1
behavioral1/memory/2176-56-0x0000000010075000-0x0000000010108000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
defense_evasion

Executes dropped EXE 55 IoCs

pid	Process
480	Process not Found
2200	alg.exe
2344	aspnet_state.exe
2176	mscorsvw.exe
2764	mscorsvw.exe
488	mscorsvw.exe
2004	mscorsvw.exe
1756	mscorsvw.exe
1724	mscorsvw.exe
1444	mscorsvw.exe
1920	mscorsvw.exe
2496	mscorsvw.exe
1036	mscorsvw.exe
2440	mscorsvw.exe
2836	mscorsvw.exe
2724	mscorsvw.exe
2684	mscorsvw.exe
3068	mscorsvw.exe
768	mscorsvw.exe
1672	mscorsvw.exe
656	mscorsvw.exe
2908	mscorsvw.exe
2564	mscorsvw.exe
1792	mscorsvw.exe
1876	mscorsvw.exe
2096	mscorsvw.exe
1992	mscorsvw.exe
2584	mscorsvw.exe
2068	mscorsvw.exe
1492	mscorsvw.exe
2916	mscorsvw.exe
1304	mscorsvw.exe
1828	mscorsvw.exe
1140	mscorsvw.exe
1148	mscorsvw.exe
292	mscorsvw.exe
2076	mscorsvw.exe
848	mscorsvw.exe
1772	mscorsvw.exe
1812	mscorsvw.exe
880	mscorsvw.exe
2160	mscorsvw.exe
2636	mscorsvw.exe
1036	mscorsvw.exe
668	mscorsvw.exe
1816	mscorsvw.exe
2512	mscorsvw.exe
2472	mscorsvw.exe
592	mscorsvw.exe
2112	mscorsvw.exe
1792	mscorsvw.exe
3040	mscorsvw.exe
2428	mscorsvw.exe
2644	mscorsvw.exe
852	mscorsvw.exe

Loads dropped DLL 25 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
1140	mscorsvw.exe
1140	mscorsvw.exe
292	mscorsvw.exe
292	mscorsvw.exe
848	mscorsvw.exe
848	mscorsvw.exe
1812	mscorsvw.exe
1812	mscorsvw.exe
2160	mscorsvw.exe
2160	mscorsvw.exe
1036	mscorsvw.exe
1036	mscorsvw.exe
1816	mscorsvw.exe
1816	mscorsvw.exe
2472	mscorsvw.exe
2472	mscorsvw.exe
2112	mscorsvw.exe
2112	mscorsvw.exe
3040	mscorsvw.exe
3040	mscorsvw.exe
2644	mscorsvw.exe
2644	mscorsvw.exe

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2039016743-699959520-214465309-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2039016743-699959520-214465309-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\Z:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\L:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\N:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\P:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\W:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\H:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\O:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\R:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\U:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\G:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\T:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\K:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\M:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\Y:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\X:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\S:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\E:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\I:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\J:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\Q:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\V:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File created	\??\c:\windows\system32\ikdckbpd.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\pbbagmgf.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\lmhnaimi.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\mclalcha.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\mlajembj.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\eabmbpjc.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File created	\??\c:\windows\system32\bqpglkak.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\alg.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	alg.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\lleonkbl.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\hlgolakq.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\jalffhpc.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\syswow64\kgefijbp.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\locator.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\lpfogbbb.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\wbem\fjiddpme.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\nfebehjf.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\kgacdccg.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\jkgaipki.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\iilmmhmc.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ifpcoece.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	alg.exe
File created	C:\Program Files\7-Zip\hlepeenn.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\7-Zip\mgecidfd.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\miqfjfol.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\pijgofaf.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\fiokfbmk.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\dendjgfp.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ldcnmoao.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	alg.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\lhbjhkab.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Internet Explorer\elidehmc.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\lgamkbac.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\mngianin.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\pppjqpbi.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\program files (x86)\microsoft office\office14\ajldidoh.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hhfjjgab.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Google\Chrome\Application\jmofaklb.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\dakeokhg.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\lbhckibj.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ibkjjmkl.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pgildlkb.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\DVD Maker\clmaedbq.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\fpjkelgf.tmp	alg.exe
File created	C:\Program Files\7-Zip\cedpmnkl.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\olemadei.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kjkookie.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\kadmdonk.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEE07.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBD75.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB79C.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	\??\c:\windows\servicing\gcigbpgl.tmp	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDAA6.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	\??\c:\windows\ehome\gkdkgaba.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB28D.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE189.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mplciahi.tmp	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC3DB.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD098.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	\??\c:\windows\servicing\mfigaghj.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe
2200	alg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2116	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2116	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
Token: SeTakeOwnershipPrivilege	2200	alg.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe
Token: SeShutdownPrivilege	488	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 2004	488	mscorsvw.exe	37
PID 488 wrote to memory of 2004	488	mscorsvw.exe	37
PID 488 wrote to memory of 2004	488	mscorsvw.exe	37
PID 488 wrote to memory of 2004	488	mscorsvw.exe	37
PID 488 wrote to memory of 1756	488	mscorsvw.exe	39
PID 488 wrote to memory of 1756	488	mscorsvw.exe	39
PID 488 wrote to memory of 1756	488	mscorsvw.exe	39
PID 488 wrote to memory of 1756	488	mscorsvw.exe	39
PID 488 wrote to memory of 1724	488	mscorsvw.exe	40
PID 488 wrote to memory of 1724	488	mscorsvw.exe	40
PID 488 wrote to memory of 1724	488	mscorsvw.exe	40
PID 488 wrote to memory of 1724	488	mscorsvw.exe	40
PID 488 wrote to memory of 1444	488	mscorsvw.exe	41
PID 488 wrote to memory of 1444	488	mscorsvw.exe	41
PID 488 wrote to memory of 1444	488	mscorsvw.exe	41
PID 488 wrote to memory of 1444	488	mscorsvw.exe	41
PID 488 wrote to memory of 1920	488	mscorsvw.exe	42
PID 488 wrote to memory of 1920	488	mscorsvw.exe	42
PID 488 wrote to memory of 1920	488	mscorsvw.exe	42
PID 488 wrote to memory of 1920	488	mscorsvw.exe	42
PID 488 wrote to memory of 2496	488	mscorsvw.exe	43
PID 488 wrote to memory of 2496	488	mscorsvw.exe	43
PID 488 wrote to memory of 2496	488	mscorsvw.exe	43
PID 488 wrote to memory of 2496	488	mscorsvw.exe	43
PID 488 wrote to memory of 1036	488	mscorsvw.exe	44
PID 488 wrote to memory of 1036	488	mscorsvw.exe	44
PID 488 wrote to memory of 1036	488	mscorsvw.exe	44
PID 488 wrote to memory of 1036	488	mscorsvw.exe	44
PID 488 wrote to memory of 2440	488	mscorsvw.exe	45
PID 488 wrote to memory of 2440	488	mscorsvw.exe	45
PID 488 wrote to memory of 2440	488	mscorsvw.exe	45
PID 488 wrote to memory of 2440	488	mscorsvw.exe	45
PID 488 wrote to memory of 2836	488	mscorsvw.exe	46
PID 488 wrote to memory of 2836	488	mscorsvw.exe	46
PID 488 wrote to memory of 2836	488	mscorsvw.exe	46
PID 488 wrote to memory of 2836	488	mscorsvw.exe	46
PID 488 wrote to memory of 2724	488	mscorsvw.exe	47
PID 488 wrote to memory of 2724	488	mscorsvw.exe	47
PID 488 wrote to memory of 2724	488	mscorsvw.exe	47
PID 488 wrote to memory of 2724	488	mscorsvw.exe	47
PID 488 wrote to memory of 2684	488	mscorsvw.exe	48
PID 488 wrote to memory of 2684	488	mscorsvw.exe	48
PID 488 wrote to memory of 2684	488	mscorsvw.exe	48
PID 488 wrote to memory of 2684	488	mscorsvw.exe	48
PID 488 wrote to memory of 3068	488	mscorsvw.exe	49
PID 488 wrote to memory of 3068	488	mscorsvw.exe	49
PID 488 wrote to memory of 3068	488	mscorsvw.exe	49
PID 488 wrote to memory of 3068	488	mscorsvw.exe	49
PID 488 wrote to memory of 768	488	mscorsvw.exe	50
PID 488 wrote to memory of 768	488	mscorsvw.exe	50
PID 488 wrote to memory of 768	488	mscorsvw.exe	50
PID 488 wrote to memory of 768	488	mscorsvw.exe	50
PID 488 wrote to memory of 1672	488	mscorsvw.exe	51
PID 488 wrote to memory of 1672	488	mscorsvw.exe	51
PID 488 wrote to memory of 1672	488	mscorsvw.exe	51
PID 488 wrote to memory of 1672	488	mscorsvw.exe	51
PID 488 wrote to memory of 656	488	mscorsvw.exe	52
PID 488 wrote to memory of 656	488	mscorsvw.exe	52
PID 488 wrote to memory of 656	488	mscorsvw.exe	52
PID 488 wrote to memory of 656	488	mscorsvw.exe	52
PID 488 wrote to memory of 2908	488	mscorsvw.exe	53
PID 488 wrote to memory of 2908	488	mscorsvw.exe	53
PID 488 wrote to memory of 2908	488	mscorsvw.exe	53
PID 488 wrote to memory of 2908	488	mscorsvw.exe	53

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
"C:\Users\Admin\AppData\Local\Temp\308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2176

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 19c -InterruptEvent 188 -NGENProcess 18c -Pipe 198 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 194 -InterruptEvent 228 -NGENProcess 230 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 228 -NGENProcess 194 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 218 -NGENProcess 230 -Pipe 18c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 238 -NGENProcess 22c -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 23c -NGENProcess 194 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 230 -Pipe 188 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 22c -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 194 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 230 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 22c -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 194 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 230 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 22c -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 194 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 230 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 22c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 194 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 230 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 270 -NGENProcess 26c -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 230 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 268 -Pipe 19c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 26c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 19c -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 188 -NGENProcess 258 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 188 -InterruptEvent 224 -NGENProcess 238 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 21c -NGENProcess 1d4 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 18c -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 18c -InterruptEvent 1d4 -NGENProcess 258 -Pipe 188 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1f4 -NGENProcess 1a4 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 1a4 -NGENProcess 18c -Pipe 19c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 1a4 -NGENProcess 1f4 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 1f4 -NGENProcess 1d4 -Pipe 18c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 230 -NGENProcess 224 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 224 -NGENProcess 1a4 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 264 -NGENProcess 1d4 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d4 -NGENProcess 230 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 26c -NGENProcess 1a4 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1a4 -NGENProcess 264 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 270 -NGENProcess 230 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 230 -NGENProcess 26c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 230 -NGENProcess 270 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 270 -NGENProcess 1a4 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 28c -NGENProcess 218 -Pipe 178 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 218 -NGENProcess 230 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 294 -NGENProcess 1a4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1a4 -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 29c -NGENProcess 230 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 230 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
538KB

MD5
99c5854a27ef1675cc461042b608cf08

SHA1
59c22800c64feb70ce7c0eff96a8b63e9d396e80

SHA256
0ec23dcb197cf3a15dd91a84f83599326a36927b1185f1c2e8eb16200fa8ee28

SHA512
9a81157cf4c7d2f8db32a6f036c7350263a3101cfaf1b63b86bcdf53c4303b644c16ef1a849fe817587fe1ba294ceea58e33d157417c48960621ae8a0bbfae9b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.4MB

MD5
3648e0a3dfc8580feaf8b4d45cc16afb

SHA1
340c34e9e7eb0a9ad17125fefcaf3fc8f5a7b66c

SHA256
78af9363ac1132133b3352c04cffc3b57dfd6751419539e1a8c8a59f5667943b

SHA512
fc11faf2a751a891a5f0932652baa7ef8ade9c869721789b67511a971960653b3fa54471157d9f298bc3921ad6f4ba136022324efd9f2d07b44deaf990dbdf3b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3f565f97290bf7a8196b4b1dfac97ff1

SHA1
ed33aae0fca0d666d9ca50e6e3ba0d640f66bd2f

SHA256
c99a7a7c2ef1d23c4f06f93b3ab79ce8e72ef3c310a8155e060db1dae5dc24a4

SHA512
dff1e3851df7ccf32e325d62bf4b5996788ad48d04b171b93c0d41659ecd3554d2675965fb5d7e252ff5e23b78abfd54b2fd56fe0439b61e30d4825f394bfdda

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
435KB

MD5
0bded1fe31600c3b41b513299179104b

SHA1
119bf090464f461c1bb10d686da19fca5dfd4e27

SHA256
b58deb050cc4ef19e038e187222d39e5129568ae7308a7c1be7175bf3bb7998c

SHA512
091f35085204e13f96b30068ba7890a58f34e102fc76f617a7d327e04a709c3157ec3c5057d1d493f055b6777fe26e3ca74f75bf612c90180bf675d10eacb23a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
457KB

MD5
bf69dc78848041bcb8c4668815b18248

SHA1
03b99b8685d62046276a4ab9f64e60d866fd75c9

SHA256
94d33a2ab5a42dacd5db9b0418c4de456d517c0630b56d423aa22afd8318e13a

SHA512
e13ca83df5f2e7ef2faa201474c3a35a489459fad438cfec546b7f3443b0a0aae767144eecf481c94d394d89ebe2e6c4e1ef43d80f31514bebfeea28bafaeacd

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
1a19f70901b947692cc03b8ae08246fe

SHA1
574147fb089f7729e4e09fc3a99d2693baaf24b9

SHA256
5365d7b6218310059071ea0d19ae801805924ca6e661c3c58ba342a2cf664b2f

SHA512
47924d0151ebede288cbc6dfbd0027c1369ee42577e72b69e1b6d336e764f5cf02befbc37f5f90344f6e16331877b1e01a514935f44cbc195e7ef95bfcc32907

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
a7b934a19a608efbbfe7d9199c8aef01

SHA1
6c47b8bc29f02a5abfbf3cc7351ed6c6d4168fb8

SHA256
ad80f2bcbec24513184b8df5760f879710d801b9fb6b7ed10667460bedcc4d73

SHA512
a2d30c7fe12b301cef406a106eec779dec1b3b3371a6c93e93ec9b7cdf968b0b295e8d347ad8637fa5436ddd137cff6fd7ab2fd28351385d54f6615fbd2d8990

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
06897c94792dbbcb14a953e9924e723a

SHA1
587bd6640914b099236c5b87d052c91ada34603c

SHA256
aa7ec11cad5d9c388f24b268b986b504c2bbc2646b9049dcf174daae0cd9a156

SHA512
8b36dab9e3ff3146156bf7e09ba63b3d63fcac33cd328f3894a0649233383a7a116ba4ea0fccc7e6a1a058c1d2d97c3d8f2ce7230eede2fe90fdeebe688b391e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

Filesize
148KB

MD5
ac901cf97363425059a50d1398e3454b

SHA1
2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7

SHA256
f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58

SHA512
6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
34KB

MD5
c26b034a8d6ab845b41ed6e8a8d6001d

SHA1
3a55774cf22d3244d30f9eb5e26c0a6792a3e493

SHA256
620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3

SHA512
483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
109KB

MD5
0fd0f978e977a4122b64ae8f8541de54

SHA1
153d3390416fdeba1b150816cbbf968e355dc64f

SHA256
211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60

SHA512
ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

Filesize
41KB

MD5
3c269caf88ccaf71660d8dc6c56f4873

SHA1
f9481bf17e10fe1914644e1b590b82a0ecc2c5c4

SHA256
de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48

SHA512
bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
53KB

MD5
e3a7a2b65afd8ab8b154fdc7897595c3

SHA1
b21eefd6e23231470b5cf0bd0d7363879a2ed228

SHA256
e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845

SHA512
6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
28KB

MD5
aefc3f3c8e7499bad4d05284e8abd16c

SHA1
7ab718bde7fdb2d878d8725dc843cfeba44a71f7

SHA256
4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d

SHA512
1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
27KB

MD5
9c60454398ce4bce7a52cbda4a45d364

SHA1
da1e5de264a6f6051b332f8f32fa876d297bf620

SHA256
edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1

SHA512
533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
130KB

MD5
2735d2ab103beb0f7c1fbd6971838274

SHA1
6063646bc072546798bf8bf347425834f2bfad71

SHA256
f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3

SHA512
fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
538KB

MD5
e6c1ee0d9186f8417799f1d93b786666

SHA1
80343370116d8fa89a8f12abe997a7b49fb10672

SHA256
14b1ce213fec27e139098853419b42e10ee56674ca9fc0fd018b7e5c30d03cc8

SHA512
cad6ffe66b515849da490cf7bec01908d4336d1ca24bed455c3987ed3fc753a3a9150a69fd14ccbc0755283429774dfcb0f89809af8bf928bdef9ff5cd88bf3d

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
29.9MB

MD5
c7bf4a7fb42f37b1b3354834fbc30958

SHA1
f4cdc848fc02d2ebd6363a03eb3d52dac3835787

SHA256
1a317dedfbc807c998489315a271508eabffb8629b88da6984e10c483ac2baf8

SHA512
c16263c92f28508bc38b873b3345f28e814779ebecdca5c0231a10315070a708dc5d49a0f10d54dd5223091f73f5f648b08d7f3b5425c91252f6975c98f5aa4d

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
613KB

MD5
989b7885d712a0b0fa7b50a06afa1373

SHA1
98f2791ce4a50ebaeb70f3739837954bdc60a25a

SHA256
eea0d6e5406a9aae1c9d9d40317d4f490982040a30b78f38a97bf8ac75e31bf7

SHA512
396f20c36c573f518c4799263864d870d1df029df0da4beb11b68bce942635a159d3130e8eb4ec34ebfb1036e216533fd1b2d3fe92b12b1394d94831f567b8e8

Download Submit
\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.0MB

MD5
03aa70cea9b9cd6d488554b3aff8faa4

SHA1
b39ad63bdf228a4de72d2aff93f9ad87335a2d30

SHA256
509274f2b244b7827c885952769e9967133286201ff448e889227ee627db175b

SHA512
b41ceadc51e58e6bb6a65c0174dea3c84c6edf9c14c409857b90caa471c37f42593a54e66760f775c3bef2acaa0b88518615763e8236429952004e86ed9b431b

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe

Filesize
510KB

MD5
feec39d87e27d8df38c606eb5fa134a8

SHA1
5ed9cce6faa27c08b8b16b5b8e68374c98d43373

SHA256
dd39b33e3651eb4f6880b81d68307a628f8b6aeab6e1cc52734e0fc05e29810a

SHA512
e9fc10891364e45d5f98cc31038b1d8280f7eecb505bdbf5a709599aaf61ccafc3f7545f72eae21329203c5c56e316204b58ff0c108036a6f1a7225b83937371

Download Submit
\??\c:\windows\system32\locator.exe

Filesize
409KB

MD5
41205d195e8f1188a7f0d78a085573f7

SHA1
c976cd508c9124a3ab67d7bdcad558a32419d48e

SHA256
fdb0cdf8212643f7172296ac5b8be85857a36920b3c35ba987d0c015fc791d11

SHA512
226929bdbe0f4c2f9932c5206e1cfd9f1b148423934bba8e2f1093b17900aa01399c3dffc08e56e53b788203e302651163b8a2c63adf4daab5a47069731e2111

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
537KB

MD5
f2fe49183e45a9e1afc4121398ed8f76

SHA1
cdd1670f445c8323e518d5dac3b152bcbb609fc4

SHA256
25dcf6b5b50277014e7768bf143d6c96bb3704fe38d6e12c9fa3a79e4d83dd3a

SHA512
5611018d088927693f9895f35aae34c33a54643263f69d2d77a39eaa0a3f8b87e2efa736481187ce5b87c7e19ebd57c98b65dac055233095c17a332d30980ba8

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
523KB

MD5
4183d8cf0a82cf9caad349570cef8b45

SHA1
c8bd222e039e3c5ff614784cf532d4b33259b318

SHA256
ff5554f4cdaa494b59de876768f9816d3a4c30da29d2b602865a68ded1cd2437

SHA512
803358456af9922697c0eb95200e140f9da843e245ff978cabe269019b6028c68ac79e3de1a31a3e93ded7247a93b90f452158c0d0aa418eb2eacb50e5965a79

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
413KB

MD5
5e1c60de0c5265f5e8867f56f83ff7a5

SHA1
cbccaa1e584a1dc1e9a560b249fc2fedc0523d13

SHA256
d190456c448287044f6f0404785dd744f09e10b6b9850ac303ad95ccd2be43ed

SHA512
476b695fe1dd58febc6dc5c33d3d09d496fab78b8c8cb222baf1be18dced8336ba782a55ccbed43fb14a3d75de35ee9061015aa7cd2d2e945d645eaa9f90be75

Download Submit
\??\c:\windows\syswow64\perfhost.exe

Filesize
419KB

MD5
0d50d7c7ea27d40d64c5e0e303547d2b

SHA1
07197ec4d007b7c13cf1051b7c20e66b82126395

SHA256
3973476291b19ee85c042a32241ebbbd7afb0f0cc6cef028a77b8652d59c89d7

SHA512
aaea1071ad9e919a654607d0dfdf928b56b354ec5c4c73a4adc4a37d9a2ae9e53f485062a586a02e3566dc1ad1172d38811b0ae396047ed8053fe495c203eecb

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
cc81ff543c763eb9d9364cffd375c91a

SHA1
43e0d6d206bb1117edd7bbee4147bc9dfd0dfd5d

SHA256
7cca554390b2cb0b693b789f995e99125684f11fe7b6231e19e608b6e8e81626

SHA512
50ce27a7c35dffa52996e33745a2859484cb4d76bc596c692d3784e7420b16ae4429b35a66becd7b9b4e9af683c1007b6f8d4f14256a283a8a28f6eb55438921

Download Submit
\Windows\System32\alg.exe

Filesize
476KB

MD5
f76811a28dcdf8d2e6b7be2f0024a721

SHA1
bbe4575e5f26bcf60c7828815f96ccc40fdce526

SHA256
71b51c877351ab32ce00025be7029abe999d0b42c030f1ef362e5f66c807943d

SHA512
275115f992b5d384ad6d3782e99dd99cea47cabfea9c2b854436b9aa4b814aee8fd82cdc00fe9dd4c665325edb0798209578d5f587c647924b211469eb9e4c92

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB28D.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
59KB

MD5
8c69bbdfbc8cc3fa3fa5edcd79901e94

SHA1
b8028f0f557692221d5c0160ec6ce414b2bdf19b

SHA256
a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d

SHA512
825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB79C.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
210KB

MD5
4f40997b51420653706cb0958086cd2d

SHA1
0069b956d17ce7d782a0e054995317f2f621b502

SHA256
8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553

SHA512
e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBD75.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
42KB

MD5
71d4273e5b77cf01239a5d4f29e064fc

SHA1
e8876dea4e4c4c099e27234742016be3c80d8b62

SHA256
f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575

SHA512
41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

Download Submit
memory/488-314-0x0000000000620000-0x000000000064A000-memory.dmp

Filesize
168KB

Download
memory/488-306-0x0000000000C50000-0x0000000000CDC000-memory.dmp

Filesize
560KB

Download
memory/488-313-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/488-309-0x0000000002E60000-0x0000000002F4C000-memory.dmp

Filesize
944KB

Download
memory/488-308-0x0000000002E60000-0x0000000002FFE000-memory.dmp

Filesize
1.6MB

Download
memory/488-307-0x0000000000C50000-0x0000000000CF4000-memory.dmp

Filesize
656KB

Download
memory/488-315-0x0000000000620000-0x0000000000686000-memory.dmp

Filesize
408KB

Download
memory/488-312-0x0000000000620000-0x0000000000644000-memory.dmp

Filesize
144KB

Download
memory/488-310-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/488-311-0x0000000000C50000-0x0000000000CD8000-memory.dmp

Filesize
544KB

Download
memory/488-303-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/488-304-0x00000000003A0000-0x00000000003BE000-memory.dmp

Filesize
120KB

Download
memory/488-305-0x00000000003A0000-0x00000000003BA000-memory.dmp

Filesize
104KB

Download
memory/656-202-0x0000000001010000-0x00000000010CA000-memory.dmp

Filesize
744KB

Download
memory/2116-5-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2116-4-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2116-2-0x00000001400BC000-0x0000000140175000-memory.dmp

Filesize
740KB

Download
memory/2116-0-0x00000001400BC000-0x0000000140175000-memory.dmp

Filesize
740KB

Download
memory/2116-1-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2176-57-0x0000000010000000-0x0000000010108000-memory.dmp

Filesize
1.0MB

Download
memory/2176-34-0x0000000010075000-0x0000000010108000-memory.dmp

Filesize
588KB

Download
memory/2176-56-0x0000000010075000-0x0000000010108000-memory.dmp

Filesize
588KB

Download
memory/2176-35-0x0000000010000000-0x0000000010108000-memory.dmp

Filesize
1.0MB

Download
memory/2200-54-0x00000000FF630000-0x00000000FF763000-memory.dmp

Filesize
1.2MB

Download
memory/2200-46-0x00000000FF6AA000-0x00000000FF763000-memory.dmp

Filesize
740KB

Download
memory/2200-20-0x00000000FF630000-0x00000000FF763000-memory.dmp

Filesize
1.2MB

Download
memory/2200-19-0x00000000FF6AA000-0x00000000FF763000-memory.dmp

Filesize
740KB

Download
memory/2200-50-0x00000000FF630000-0x00000000FF763000-memory.dmp

Filesize
1.2MB

Download
memory/2344-28-0x000000013F650000-0x000000013F77C000-memory.dmp

Filesize
1.2MB

Download
memory/2344-27-0x000000013F6C3000-0x000000013F77C000-memory.dmp

Filesize
740KB

Download
memory/2344-52-0x000000013F6C3000-0x000000013F77C000-memory.dmp

Filesize
740KB

Download
memory/2344-59-0x000000013F650000-0x000000013F77C000-memory.dmp

Filesize
1.2MB

Download
memory/2764-73-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2764-53-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/2764-51-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download