expiro | 7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
Size

516KB
MD5

ca3882a67bb3b56716858ead35abf79b
SHA1

060d9cc9edcd15cc3181c3892b7fdbb898bb4028
SHA256

7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3
SHA512

23a76db97dbb6b4413b191c3687bce216c6268f705485b0afdaca68e3083fc2c971346f76f05eb0adb460d87eec388e0184b72457af59175792b2ad4fde84731
SSDEEP

12288:smNRmNIhN36r3kfnCVUJym1oyzQANxmKizt:1NHXKrUfnCIzQADmKi

Score

10^/10

expiro backdoor defense_evasion discovery trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 9 IoCs

backdoor

resource	yara_rule
behavioral1/memory/5812-0-0x0000000000483000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/5812-1-0x0000000000400000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/5812-2-0x0000000000483000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/5812-3-0x0000000000400000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/5744-4-0x0000000000400000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/5744-5-0x0000000000400000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/5744-6-0x0000000000400000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/5744-8-0x0000000000400000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/5744-9-0x0000000000400000-0x00000000004B3000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
defense_evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe

Executes dropped EXE 8 IoCs

pid	Process
4984	alg.exe
2452	DiagnosticsHub.StandardCollector.Service.exe
3604	fxssvc.exe
2200	elevation_service.exe
1148	elevation_service.exe
1688	maintenanceservice.exe
3484	msdtc.exe
1344	SearchIndexer.exe

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3342763580-2723508992-2885672917-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3342763580-2723508992-2885672917-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\Z:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\N:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\Q:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\Y:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\O:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\U:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\X:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\R:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\G:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\P:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\V:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\H:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\L:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\M:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\E:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\I:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\J:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\S:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\T:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\K:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\Y:	alg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\wbem\bmpjglec.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\hjkhaojl.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\pjadikeo.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\openssh\eamjnqeo.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\nbbcdqab.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\ekfdcgkh.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\ofqfnhhp.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File created	\??\c:\windows\system32\lkfpjbgq.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\SysWOW64\pfjnjcah.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\SysWOW64\agkpgjim.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\perceptionsimulation\ddilieqo.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\SysWOW64\pqnmoeib.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File created	\??\c:\windows\system32\jnokemik.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\nooppnfl.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\kndfldfe.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\obkakffi.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\program files\windows media player\pgfpfpoj.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\lhbjhkab.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dddilmae.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File created	C:\Program Files\Internet Explorer\ekchdkjb.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Internet Explorer\kjkookie.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File created	C:\Program Files\Google\Chrome\Application\dendjgfp.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\133.0.3065.69\elevation_service.exe	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hhfjjgab.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elidehmc.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\hfoijjjp.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\7-Zip\gkooamha.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\133.0.3065.69\hjdggppp.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\dotnet\ddnfppgh.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\miqfjfol.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File created	C:\Program Files\7-Zip\nccafaqk.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dakeokhg.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bf37c92e5aadb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031820a92e5aadb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be6d1692e5aadb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ee2938be5aadb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065fa2a8be5aadb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065d69c91e5aadb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006421e991e5aadb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b07148ae5aadb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f31838be5aadb01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe
4984	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5744	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
Token: SeAuditPrivilege	3604	fxssvc.exe
Token: SeTakeOwnershipPrivilege	4984	alg.exe
Token: 33	1344	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1344	SearchIndexer.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 5812 wrote to memory of 5744	5812	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe	87
PID 5812 wrote to memory of 5744	5812	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe	87
PID 5812 wrote to memory of 5744	5812	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe	87
PID 1344 wrote to memory of 2928	1344	SearchIndexer.exe	121
PID 1344 wrote to memory of 2928	1344	SearchIndexer.exe	121
PID 1344 wrote to memory of 5404	1344	SearchIndexer.exe	122
PID 1344 wrote to memory of 5404	1344	SearchIndexer.exe	122

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe

C:\Users\Admin\AppData\Local\Temp\7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
"C:\Users\Admin\AppData\Local\Temp\7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5812
- C:\Users\Admin\AppData\Local\Temp\7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
  "C:\Users\Admin\AppData\Local\Temp\7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe" -u
  2⤵
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5744

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4984

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4496

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2200

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1148

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3484

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2928
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:5404

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

Filesize
2.1MB

MD5
248c716c0023186c7f3d6b2e112fd9fe

SHA1
21e140d6f6d38d72b0713065800dfc1b7c91f0f3

SHA256
813219f1069a3e551855093a585740a8469f4c44171c3150b1df887e8d0b2eee

SHA512
4e2085220a2fd22f4fed7ce3f83468b1f7f504a124eced53549464b3536b009bd3c4d9ba0728f8a29de2fb51ad540f15f556bcef382d369c7543a29aa9232c78

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
658KB

MD5
fe8b6c88bda49e36f76c7026cea5bf45

SHA1
f7bf8b66905d728ce4ed78380a0770bb535ed034

SHA256
904381b4d2d878e1772057fca2adafc739c57fba786d996b881c1e4b915f2236

SHA512
4efa15765ced8873c2d606ac549d729cbe64b97b3e5c0e110c56e8de655910035edaeb483076e8fe72edc96eddc2ad596b35e97ca9d74d4ee908fdeff862bc0d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
945KB

MD5
c3ae64d750237721e5f70551074e531e

SHA1
58cea0a6b6a3614797da8bdd5012dd1d190a87e7

SHA256
b5c9ace8e055c98ff995ba0ae1215ba59b01c24bcdb8df60583212ba9bee77f7

SHA512
dc88677c45701e570217f670fd6cbfe81168c237be9ce422093767fc15c5b75eebc562a1985711f0030865d4d720ea4d1f91f4887fa32dc42d7a0e9924249941

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
7f0d6a665cb36d0e188b1106f9fcf61f

SHA1
f5ad94a624276a90a2795660ea4eaefaca9de5ce

SHA256
89fdc7f01aedc37d5d93686b615789d79704ee2ae973eb0e1b9e61f20ebd5d4b

SHA512
022ea7a3050645644d52cef26509d68c006aebb26c24d068e0a5eae0a955ae412a61cbe10648fbe05e28f19517bf975e6e9b2704740039a0aafa5dd29196ccf9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
255ef79ad2eb570f7dabd47c29f31afa

SHA1
6b11dae367a4a956077796f119b60fbd131f85fa

SHA256
7279cceef5c244475020b64f45d3e43d0f294ffb258cd184a368dd84b24d4185

SHA512
afc3aa1578e9d04514d59b159bc52a57ce5f2c9ad3917901e8c68cf4e4423242b8389d67ca28d3ad2f6b8cd682f3647fdb26c0589e83e9f7fdeb844ca4f5e554

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
e7f08acdb3be75833314224181e0bb04

SHA1
64730b6299e47e6b0ae33c30f2a6b945517e1dc1

SHA256
e9f2de2fa160658958da20fec1a6166678d5733eb881f42e4ec313d1c234b5a0

SHA512
ead4153669b487c08bc131bb1897e7399707c75c075fd084e9a4419307d343677cd14c24fd637b4837ac8849057ea15c92f24c7df4953f4c87be533d2ddb7051

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
8fa521e1dd5e90ee7686b5e65a12ce29

SHA1
243066c71d5a2e308a7655acda358b6461a001c8

SHA256
692758c1987b157e4f4b3942e30e7c6385d2e7f2f11cbee9260ba4909df146b1

SHA512
d17950b17e319ff2cd0b1abb8c1ffb8eaebc19c7e17258c9265e723d0957fa9829f3cf937a68e038267aff21d7b42d5a71084ee63668c5e23106c5df6e32ecb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
4f5c5fe51b885154efdd4e2421687fd7

SHA1
d049bec40cb741c878fee639d5136092ab909dca

SHA256
f2cdcb0943ca9f3541972526617f2ad0bae241647fbc24fd91473be7a4bada4b

SHA512
e33efd98047bebfadc82da413dee6b82da5cd3f351e34e7ff47e2b4a84ebcd463c9666a82b721c04e676e502a459ae2a07c726a0d4022ab46dfe31579a2c239f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
742KB

MD5
faa2770f48dc3169e954bb1fa8f3bd0b

SHA1
3f19949d25d8f56aaa88d6e94053b93030838307

SHA256
260b28c0de17de1a798a13d35093cc127c4501520ec0724841860ace33c7288e

SHA512
361aa15a8c85defccba8cef12e9df112d4710acc0bff551b079fdba493c5171c31e9c4c2a600bb4499d9af80c900a88153343afd1fedbfdf87e72729577d6521

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
f97bbb63a776f3bcb7df211af499a0a4

SHA1
5faa186aa8dd775fe65e8f39d0dd7d03586ed7b2

SHA256
433f77080d79d295bee7125d037e5b66f9c8cb8fb33b880e6e453e9a14dc6023

SHA512
db5900b13bbc468c8921bff412227fd23e71df8f0d53502ca3b1a9b7dfb4d3272ef241ff27ea3093ee4cf06b2de591f5db63367f5acc89da7d831fe9dbd8c047

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
058482fa689f6acd8cbc88f93f06ab7e

SHA1
7b8cff99396b75c036d859029f449ed8b3696054

SHA256
39ad177325601ea586b3c3141ae91343265402d7a1a6f9639c09c4f914714e7a

SHA512
5dfac8bdb8068bbdb9cbfa64220af3c0d246bf1ae4660de6a3a1b036472e9a8cfef75a6c339937fb4450e288af38bda8f481f67b3887dc6cdc63c38cd6a66fa4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\kellfkha.tmp

Filesize
637KB

MD5
83b0f6a2a70434d0148c98aca3edf114

SHA1
e5a7c64c8f197f654da2349e9a9de8ec9e94d953

SHA256
d95578e2855b12d5910f8fc9f09ad5294983c9771fbc4331fdf4d79dfc6b552e

SHA512
f4714afddb8d3516821f88b9a11158e562bdd5f71cda780446b752466aef1330198f6a4664750fb6b7c2c674eb35a2e177dffe33f7069005fbec329d7e44e926

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

Filesize
2.1MB

MD5
bf523f41f3d3f09566fe910f9ecaa84d

SHA1
4d3615491b0332e639e0cdd62faf4e2b21d25020

SHA256
64d38fadea44dc362d55080b0ec38235715fcdbbc56c8fe66ffaed1f244ad8ca

SHA512
67e42dbc0b5e99c688e71d63b6306c3998dee2756d0fb8fbb64ed28808ac3db7071abc6eb1807dff2ef24f08aca9bbff7e3372c2062d136b00f3364fd8683a91

Download Submit
C:\Users\Admin\AppData\Local\mmdnnlel\jifnfhhp.tmp

Filesize
629KB

MD5
ad52a8104d066fbdb9fffb438feb3202

SHA1
442040106dcd2337b0bdda4513a2377fb68edb77

SHA256
6a1e4cffb4f88f330b465874d6f3f7aac3260555249d811c59c814625191c8ae

SHA512
f5ed092f1d78e3bf0cb657c73af8ee93dea4aafc9b988fe3f6eb98a7a170877ca801f7a9ce05ba638f6354714e49add376ccedbf6415565dd36edf51066191d4

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
822KB

MD5
5894a9ffab286427a0e87830f8cdbbeb

SHA1
f11cb499241287262b3188231c396068cd608d4a

SHA256
ad0a84e6f8300d823e56b96437a7640749203be3e93197469ffaadd2c01d1c8c

SHA512
e3d5e626d14da18f4a4e46a49ac60b5d97094002065f5ed7b38de78fde5ff7203c4d5ea845a106652157a64ad224121fcf59571542d07f1c5611918fe0077b2d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
491KB

MD5
b489cade369c6a0c0c696c9aab74b2ce

SHA1
606e7d15fe0d2daa40aab47660769fe2f8676834

SHA256
869832412dfe6b10dc37f75ec08f427a14ed4a132117c3a587dbd21651ee9347

SHA512
9ac276e73dc8eab420bba392054cd8b06356febfc6358d0c36c81ecad03fb2199b6163e26867bf643d4d5e470566c980c417ab62042263b7bc5b611e45097b1e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
d30af99601a5a436eda3c82d3990b2d5

SHA1
bf625b703d9c2fad6d747f7a0cd60b04eb97242a

SHA256
c8bc7e455c6dc97db8894d964ff1a26131a40112309753ffb5f24521cd2aa997

SHA512
35a62a872d38c722d0301ab5049b046ffd6ef0a09b3fb04d4fd46197d467734eb29d054a14742e1d31dacfac9e27ae0b4c262a23bc6f50a2ffd75666c2f758f0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.3MB

MD5
ca7a58904cb52774b3e89029d79a87cf

SHA1
d56bd6a665b7d1ced98bee807705118505656e7c

SHA256
15013897a3158a0edc3faa56e2e76b83eaedd55fbca6337cb8d4763d302837e2

SHA512
d7febaadd4c4ff5bb98ce151087fc36352bd5dea7691f9eb5cc520910f3cd0973753cb8276e685900cff112ee611a688faecf6b129307d95e917ea40e9c703c6

Download Submit
C:\Windows\System32\alg.exe

Filesize
493KB

MD5
b29218da705ec975f48c3e629d8aba99

SHA1
9c9fe86fe67f5a49b45db48ee5002ed7a8d572e4

SHA256
b0989424b4db674476aff9781e66a9c2cab82b894ecdc0a81d8a8713e59dd566

SHA512
1d8c7fc9dba53a9bd9403444b4de7f539c96b726522533823162ccd3b0af092b36abed84ceef8bc4a24985c04fbe77a6ca592ef07f4bf6d5ce62af0d92c596ec

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
544KB

MD5
4aa22da0b6c7d704ebdbad01af10f413

SHA1
ca9b19689aabac9e3947f9eed7198b485b9dbfa5

SHA256
2e886f6caa4a78371063aba5e973ca31f8c22880b6ae2149724ffab64284f9cc

SHA512
de9a2305865f0997dd1d6fba3f0dec29ba9385e3a5c1e0b0a13715462c192fed1f6bb71b7658704ebb8f39e028472a770fd1bb69700100b2e203a9c584b15afa

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
e72198c230648613333e4cbd69b50604

SHA1
8fb9f380f3403d5aa4e1866c8eff0d73e8dfd9d7

SHA256
9da2b08059e13e491492aa3f0d3e1d5d92a816c587a3a2d50a3f7130ecf08153

SHA512
d10ba685ffa9c91040a828aaccb0038405d0d428d49738d622ab12dc0893ecedfc89868f73adf2aff137ec958188c624a438cf6c28968efe2a382a614b9f85bb

Download Submit
memory/1344-291-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download
memory/1344-274-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/1344-306-0x000000000AC60000-0x000000000AC68000-memory.dmp

Filesize
32KB

Download
memory/1344-315-0x000000000CEE0000-0x000000000CEE8000-memory.dmp

Filesize
32KB

Download
memory/2452-85-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/2452-46-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/4984-29-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/4984-66-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/4984-65-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/5404-340-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-347-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-363-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-364-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-337-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-338-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-339-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-342-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-341-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-360-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-343-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-345-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-346-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-344-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-348-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-350-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-351-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-352-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-349-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-362-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-353-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-354-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-355-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-357-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-358-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-356-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-359-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5404-361-0x00000151452B0000-0x00000151452C0000-memory.dmp

Filesize
64KB

Download
memory/5744-9-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5744-6-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5744-8-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5744-5-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5744-4-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5812-0-0x0000000000483000-0x00000000004B3000-memory.dmp

Filesize
192KB

Download
memory/5812-3-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5812-2-0x0000000000483000-0x00000000004B3000-memory.dmp

Filesize
192KB

Download
memory/5812-1-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download