expiro | 7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
Size

516KB
MD5

ca3882a67bb3b56716858ead35abf79b
SHA1

060d9cc9edcd15cc3181c3892b7fdbb898bb4028
SHA256

7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3
SHA512

23a76db97dbb6b4413b191c3687bce216c6268f705485b0afdaca68e3083fc2c971346f76f05eb0adb460d87eec388e0184b72457af59175792b2ad4fde84731
SSDEEP

12288:smNRmNIhN36r3kfnCVUJym1oyzQANxmKizt:1NHXKrUfnCIzQADmKi

Score

10^/10

expiro backdoor defense_evasion discovery trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 9 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2796-0-0x0000000000483000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/2796-1-0x0000000000400000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/2796-3-0x0000000000400000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/2796-2-0x0000000000483000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/2604-4-0x0000000000400000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/2604-5-0x0000000000400000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/2604-6-0x0000000000400000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/2604-8-0x0000000000400000-0x00000000004B3000-memory.dmp	family_expiro1
behavioral1/memory/2604-9-0x0000000000400000-0x00000000004B3000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
defense_evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe

Executes dropped EXE 9 IoCs

pid	Process
4172	alg.exe
4924	DiagnosticsHub.StandardCollector.Service.exe
5020	fxssvc.exe
436	elevation_service.exe
5996	elevation_service.exe
5712	maintenanceservice.exe
5376	msdtc.exe
2916	SearchIndexer.exe
3048	TrustedInstaller.exe

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-446031748-3036493239-2009529691-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-446031748-3036493239-2009529691-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\G:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\U:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\Y:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\Z:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\M:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\O:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\P:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\V:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\H:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\I:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\N:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\Q:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\T:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\W:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\X:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\J:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\K:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\R:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\S:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\E:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened (read-only)	\??\L:	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\afmlloec.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\agbbafod.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\perceptionsimulation\mlbmbnbo.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\ofejenkg.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\alg.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\obkfmfcf.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\SysWOW64\pphaicol.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\ooglalnl.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\vds.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\clfogefi.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\diagsvcs\apnhqlhm.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File created	\??\c:\windows\system32\gfcclpno.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\moldmiia.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\hiedmopb.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File created	\??\c:\windows\system32\hhanpedf.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\adljqplg.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\SysWOW64\emekffhi.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\kojlblil.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\windows\system32\wbem\omompqfl.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\7-Zip\gkooamha.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\jmofaklb.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\7-Zip\nccafaqk.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Internet Explorer\pppjqpbi.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\dotnet\ddnfppgh.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\obkakffi.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dddilmae.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\bfaqfpoi.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elidehmc.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Internet Explorer\kjkookie.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\133.0.3065.69\gaoghfao.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\fljajkbb.tmp	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	\??\c:\program files\windows media player\pkigemkf.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Program Files\7-Zip\lncjookl.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	\??\c:\windows\servicing\dkeojdpn.tmp	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065aa5b0fe6aadb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe609610e6aadb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ec39810e6aadb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d45a1211e6aadb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006533650fe6aadb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbd1620fe6aadb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000390a4211e6aadb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007296670fe6aadb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe
4172	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2604	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
Token: SeAuditPrivilege	5020	fxssvc.exe
Token: SeTakeOwnershipPrivilege	4172	alg.exe
Token: 33	2916	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2916	SearchIndexer.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2604	2796	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe	86
PID 2796 wrote to memory of 2604	2796	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe	86
PID 2796 wrote to memory of 2604	2796	7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe	86
PID 2916 wrote to memory of 4704	2916	SearchIndexer.exe	111
PID 2916 wrote to memory of 4704	2916	SearchIndexer.exe	111
PID 2916 wrote to memory of 4632	2916	SearchIndexer.exe	112
PID 2916 wrote to memory of 4632	2916	SearchIndexer.exe	112

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe

C:\Users\Admin\AppData\Local\Temp\7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
"C:\Users\Admin\AppData\Local\Temp\7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe
  "C:\Users\Admin\AppData\Local\Temp\7a8ec03a1abbdfb51def7aa41c2e672a7d8432257778e98c100aa0decc522bb3.exe" -u
  2⤵
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2604

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4172

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4880

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5712

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5376

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4704
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:4632

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3048

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

Filesize
2.1MB

MD5
24d8ffbe06e6067126b81337416344e2

SHA1
6ec723f11b27b29c964e1a928e2a5f6df408cb26

SHA256
4410f71adc253baf7d5b765da7d22ebf5fbe3e60c851b2fc33973569ef2e9bd5

SHA512
678368eb35d13fead938a102dc454cb5b357f7eb2ffbb95c56b91aaaedc987faabcc7f0aa90c452d22d9b70402260d8ffe2e977c96ce3ec6977a271ba02027e3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
658KB

MD5
96db9bae9ae13418ad570321553e0331

SHA1
7c087d42142599f4e7e41e3e2cfc01f80201dd7c

SHA256
2214b5247d304ede2e54bb466e638461f68cf8c34ed3acf3d57ae0fadaa37407

SHA512
a297f02e5f4dc38da21e358bae1e3a7d572626725832b7366793db94c8c62b90ac2bd9eeefc25dd1f4c264e5420798a772240143f00af5751c946f8bd2e2d592

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
945KB

MD5
c3ae64d750237721e5f70551074e531e

SHA1
58cea0a6b6a3614797da8bdd5012dd1d190a87e7

SHA256
b5c9ace8e055c98ff995ba0ae1215ba59b01c24bcdb8df60583212ba9bee77f7

SHA512
dc88677c45701e570217f670fd6cbfe81168c237be9ce422093767fc15c5b75eebc562a1985711f0030865d4d720ea4d1f91f4887fa32dc42d7a0e9924249941

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
7f0d6a665cb36d0e188b1106f9fcf61f

SHA1
f5ad94a624276a90a2795660ea4eaefaca9de5ce

SHA256
89fdc7f01aedc37d5d93686b615789d79704ee2ae973eb0e1b9e61f20ebd5d4b

SHA512
022ea7a3050645644d52cef26509d68c006aebb26c24d068e0a5eae0a955ae412a61cbe10648fbe05e28f19517bf975e6e9b2704740039a0aafa5dd29196ccf9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
255ef79ad2eb570f7dabd47c29f31afa

SHA1
6b11dae367a4a956077796f119b60fbd131f85fa

SHA256
7279cceef5c244475020b64f45d3e43d0f294ffb258cd184a368dd84b24d4185

SHA512
afc3aa1578e9d04514d59b159bc52a57ce5f2c9ad3917901e8c68cf4e4423242b8389d67ca28d3ad2f6b8cd682f3647fdb26c0589e83e9f7fdeb844ca4f5e554

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
e7f08acdb3be75833314224181e0bb04

SHA1
64730b6299e47e6b0ae33c30f2a6b945517e1dc1

SHA256
e9f2de2fa160658958da20fec1a6166678d5733eb881f42e4ec313d1c234b5a0

SHA512
ead4153669b487c08bc131bb1897e7399707c75c075fd084e9a4419307d343677cd14c24fd637b4837ac8849057ea15c92f24c7df4953f4c87be533d2ddb7051

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
8fa521e1dd5e90ee7686b5e65a12ce29

SHA1
243066c71d5a2e308a7655acda358b6461a001c8

SHA256
692758c1987b157e4f4b3942e30e7c6385d2e7f2f11cbee9260ba4909df146b1

SHA512
d17950b17e319ff2cd0b1abb8c1ffb8eaebc19c7e17258c9265e723d0957fa9829f3cf937a68e038267aff21d7b42d5a71084ee63668c5e23106c5df6e32ecb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
4f5c5fe51b885154efdd4e2421687fd7

SHA1
d049bec40cb741c878fee639d5136092ab909dca

SHA256
f2cdcb0943ca9f3541972526617f2ad0bae241647fbc24fd91473be7a4bada4b

SHA512
e33efd98047bebfadc82da413dee6b82da5cd3f351e34e7ff47e2b4a84ebcd463c9666a82b721c04e676e502a459ae2a07c726a0d4022ab46dfe31579a2c239f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
742KB

MD5
faa2770f48dc3169e954bb1fa8f3bd0b

SHA1
3f19949d25d8f56aaa88d6e94053b93030838307

SHA256
260b28c0de17de1a798a13d35093cc127c4501520ec0724841860ace33c7288e

SHA512
361aa15a8c85defccba8cef12e9df112d4710acc0bff551b079fdba493c5171c31e9c4c2a600bb4499d9af80c900a88153343afd1fedbfdf87e72729577d6521

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
f97bbb63a776f3bcb7df211af499a0a4

SHA1
5faa186aa8dd775fe65e8f39d0dd7d03586ed7b2

SHA256
433f77080d79d295bee7125d037e5b66f9c8cb8fb33b880e6e453e9a14dc6023

SHA512
db5900b13bbc468c8921bff412227fd23e71df8f0d53502ca3b1a9b7dfb4d3272ef241ff27ea3093ee4cf06b2de591f5db63367f5acc89da7d831fe9dbd8c047

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
058482fa689f6acd8cbc88f93f06ab7e

SHA1
7b8cff99396b75c036d859029f449ed8b3696054

SHA256
39ad177325601ea586b3c3141ae91343265402d7a1a6f9639c09c4f914714e7a

SHA512
5dfac8bdb8068bbdb9cbfa64220af3c0d246bf1ae4660de6a3a1b036472e9a8cfef75a6c339937fb4450e288af38bda8f481f67b3887dc6cdc63c38cd6a66fa4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\fljajkbb.tmp

Filesize
637KB

MD5
66bbc2656111013ac7b7da6c5adabc7f

SHA1
3d7368de86bd6e47ca01415c63312b3eaf928d5b

SHA256
6d2dc7a3794df66f6c40b92aa9de1634a54286b473ae03b325d3ab782d716199

SHA512
80a933aa437b5d5be2f28e681cc85c68bedb3327a43644476f145427fc7bad5970c0cf3875c604887ad46985d336311d1a8cd105e1517dc68482af0fcb7e69a2

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

Filesize
2.1MB

MD5
e9684938b4e0398acefe7477a08f8965

SHA1
c60b2278389342fe52a6a6340119a091dba44082

SHA256
919e246a71b6402130cb3190eac323cbd1a080690a7a0eec8cd6c43f174ff85a

SHA512
5348f3ce428dcd964b6598c965f251e0ed3825122a8d6b357ce8eb1291420dd6ba4a85d6dc811f764c3d0a4d7325d85f872a6d124807714268a183d7847c15df

Download Submit
C:\Users\Admin\AppData\Local\afaerdkr\ndpdggjf.tmp

Filesize
629KB

MD5
778055ddc9fbe1c6b8eb750b7e383a02

SHA1
9c23a8cfdeda144b7869960d19d4dd18a262419e

SHA256
df1771874c8605edc4af2a677bd7716e3ba7645e15e7476cb8e0091c8130d3ca

SHA512
14eb64c562b9c67bd1ca4e38fe5b9778917072e52930135fe18c3135112aa44c5989c8c7f6fd8e9fe82bc80723c6df4b929de5a664bde665569b45874482fd66

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
822KB

MD5
bd832708567d93951fdde207ecf25702

SHA1
f7ae3ec184f9394930a55517dda784c2dcb10a3f

SHA256
c4daca4cdc128612a82a1202966ba2471e8fede03eddb268cc717ce04be4af22

SHA512
749efc435b6b11f64635dd09631d134dfc7be70406294fea2112991d27e293b41f2a42e1f964bc2fdfed4b057d72c21d3c0b7a9a15535c6ed1805d26eb78489a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
491KB

MD5
32a45988d5add3b49c932f1106333a09

SHA1
6c5b6030e049898469f278ef2b5c4ec7ddef7582

SHA256
44c09afa9696b93b4253014f695554b0d593d9ae6caef605349c0dc5aef35009

SHA512
7aefb5ff44e2859ee5414d056ec14e2ee9aeb155ba453476ea08f66c98808ddab2991dad69e7697f938dceda80072e569cc7a6a11b51730ca8eb5513a9eae098

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
89d6de302734881c2e0dac21d8c81fa6

SHA1
237d5b34b8f783583a46042d8822c021ba814a7a

SHA256
b249d5790fd4a3c82cea8d1417bff27b74329df90da535477edb2ca4aacfa552

SHA512
636410db4a2f7a6175a876bb0ad17e18d275730edf943b4ba832b67cbc5fb0d1780e1dd78b66e3d8d20ff80f15587874310cab2c516e9acaac93e0b1a7aaebf5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.3MB

MD5
74a563430e2f464193e5e18aa45753eb

SHA1
9a3b1aea4f66660a44c6bae7e4e9703339af8bc3

SHA256
1a396acaa857d0f01b4f718dcdc29b56ffe4eac95a1eb1bcfcdc5a6d54051013

SHA512
dd80684d15908a6ef1484cc89adf532f5c0c63e92268f33df5539b9595f135c9225a3dfd0417015c23ca9a7c82a36c5a0058ddbabdb0ff940a5f2b8f39c20cac

Download Submit
C:\Windows\System32\alg.exe

Filesize
493KB

MD5
4c66fb40c788cd947432374f692c671b

SHA1
7ea4cfab14633fa59a8e4ee4a4fe5f3ea8cc5f1d

SHA256
f84dbbe545e5b5fbbd4664f5a9a21e187f8fbf7800a23b0eb0babde735e47b8f

SHA512
8275551f64cdb693f537902dedb7412cbfe1a8855e93cba5f0c12086a15ee42e59f5a128e84e9f4a82191c65b1ddb1e8a2e56407a2e4088f265a29de9276a73b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
544KB

MD5
b9ccd6e849da0181d3993946c25ec1a0

SHA1
a9675660a4b1939bd04b6fd6caac0d23d628b53d

SHA256
d0f0804921687fda47db9306cb50254c32afbfed60d9ba9bbd0dc4f9fcf3b817

SHA512
cb152459e5f602703e59549425bd09ccdcb04d0862bd35a4f1dd967fcf182bf9e7d29a32ababd0447f9bd72beefb266833dd422e2c093a16b4a79eb2993f18f2

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
C:\Windows\system32\windowspowershell\v1.0\powershell.exe

Filesize
839KB

MD5
6fb1b78229000870f3e399bdcacb8b94

SHA1
5ef959b18bb61e7890de702d53da69affd1982c3

SHA256
1fab7623b4890495661253a202aa49fbf995f42540b98516e87d1c14fbc6515d

SHA512
52083720faa7fe095158248d2dc3129dbb073917e0fb56f4ca49527163e9ab2a9d9d9cb98da148e67fa5a6c01dea749ae4c84bee3a1a6bbd6bb243838fbf3198

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
71d611df00ca89d3ff7f18fce66e7ea6

SHA1
1cfcfa3be8b62a893381631689b1b7d29a529025

SHA256
ffabfb9044e5c0b6be882d07dbb25e9ec9443e215f44d7ebe1138d9acf3d6bff

SHA512
7754ab592339982c078339f1861f404112fd3f7680605c1e0f0f2fccb41bb833db55728e224e20ec1ae91e2fd95a556f9abae5fd95c9c3eac7fc9eb34f64ac36

Download Submit
memory/2604-4-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2604-5-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2604-9-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2604-8-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2604-6-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2796-0-0x0000000000483000-0x00000000004B3000-memory.dmp

Filesize
192KB

Download
memory/2796-2-0x0000000000483000-0x00000000004B3000-memory.dmp

Filesize
192KB

Download
memory/2796-3-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2796-1-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2916-233-0x000000000BBA0000-0x000000000BBA8000-memory.dmp

Filesize
32KB

Download
memory/2916-230-0x000000000AC60000-0x000000000AC68000-memory.dmp

Filesize
32KB

Download
memory/2916-198-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2916-214-0x00000000025F0000-0x0000000002600000-memory.dmp

Filesize
64KB

Download
memory/4172-65-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/4172-29-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/4172-73-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/4632-287-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-294-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-296-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-297-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-295-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-291-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-290-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-298-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-299-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-300-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-303-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-302-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-301-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-304-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-309-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-308-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-307-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-306-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-305-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-293-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-292-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-289-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-288-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-286-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-285-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-284-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-283-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4632-282-0x000001F7DCE40000-0x000001F7DCE50000-memory.dmp

Filesize
64KB

Download
memory/4924-88-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/4924-46-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download