ammyyadmin | 304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
Size

766KB
MD5

fb975974833411caa02f60e99801aeb0
SHA1

cabaee807c9cada7188323e9c780131481c076da
SHA256

304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2
SHA512

7090df5b5ea5e39e8a4c5ff282c46ddcd6199d4d576639395121c78af653c7997a9f839d96e96d934b4f26c42c139d707fad2292da8563af1156b4aa6f694aea
SSDEEP

12288:gpDNc/Xsfu2LVBRKf057C9lRt3i5olGJsxhzagJYa:g5N48fu2hBRK8ilRty5olGJsxNSa

Score

10^/10

ammyyadmin flawedammyy discovery persistence rat spyware stealer trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\tmp8432\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe	family_ammyyadmin

Ammyyadmin family
ammyyadmin
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

Executes dropped EXE 3 IoCs

Processes:

304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

pid	process
2292	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
2692	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
2960	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

Loads dropped DLL 64 IoCs

Processes:

304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

pid	process
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
2692	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 64 IoCs

Processes:

304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\cleanmgr.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\iexpress.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_isv.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\sethc.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\poqexec.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\resmon.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\shrpubw.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\dfrgui.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\eventvwr.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\hdwwiz.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\iscsicli.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\msdt.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\RunLegacyCPLElevated.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC10\IMTCPROP.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\makecab.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\msiexec.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\RegisterIEPKEYs.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\wlanext.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\logman.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\msra.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\ntkrnlpa.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\ntoskrnl.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\tasklist.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\certreq.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\mobsync.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\setupugc.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesPerformance.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\cttune.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\Dism\DismHost.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\reg.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesProtection.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\PresentationHost.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\Dism.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\ditrace.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\gpresult.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\MigAutoPlay.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\autoconv.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\OptionalFeatures.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\tracerpt.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\wiaacmgr.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\WerFault.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\auditpol.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\diskraid.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\findstr.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\mighost.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\printui.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\regini.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\SearchProtocolHost.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\DpiScaling.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_e54666f6a3e5af91\fsquirt.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wvmic.inf_amd64_neutral_b94eb92e8150fa35\vmicsvc.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\getmac.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\TpmInit.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\wermgr.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\mspaint.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\NAPSTAT.EXE	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\net.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\SysWOW64\bootcfg.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

Drops file in Windows directory 64 IoCs

Processes:

304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-eventcollector_31bf3856ad364e35_6.1.7600.16385_none_5702948e8e63fc30\wecutil.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-takeown_31bf3856ad364e35_6.1.7601.17514_none_58116b392c3da43c\takeown.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-eventcollector_31bf3856ad364e35_6.1.7600.16385_none_61573ee0c2c4be2b\wecutil.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxss.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_7f0c7a3c17077fce\iexpress.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-rasclienttools_31bf3856ad364e35_6.1.7600.16385_none_6f1d25ec0a04d811\rasphone.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tasklist_31bf3856ad364e35_6.1.7600.16385_none_843823d87402ab36\tasklist.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_a0cf62efee3228a3\wabmig.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_678566b7ddea04a5\PkgMgr.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\wow64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_dbd4d2796675bc72\SearchProtocolHost.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.1.7601.17514_none_eb70808bd228319e\RegAsm.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\ehome\McrMgr.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\ehome\mcupdate.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_regasm_b03f5f7f11d50a3a_6.1.7601.17514_none_a3c349b4bdac0898\RegAsm.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-osk_31bf3856ad364e35_6.1.7600.16385_none_aa93298fbb4246f2\osk.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-eudcedit_31bf3856ad364e35_6.1.7601.17514_none_b7be8a14d61db17a\eudcedit.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7600.16385_none_23376bf5921e7b63\auditpol.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sysinfo_31bf3856ad364e35_6.1.7600.16385_none_4b49a2c2123fd42c\systeminfo.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-recdisc-main_31bf3856ad364e35_6.1.7601.17514_none_e2a1ffe0ca40cff2\recdisc.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_655452efe0fb810b\poqexec.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_narrator-nonmsil_31bf3856ad364e35_6.1.7601.17514_none_8b63c5e0db87fde8\Narrator.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\ehome\mcGlidHost.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_infocard_b77a5c561934e089_6.1.7601.17514_none_583a8c60c0b305a1\infocard.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7600.16385_none_c9392808773cd7da\cleanmgr.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_6.1.7601.17514_none_7f7f66788318015d\lpksetup.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\msil_loadmxf_31bf3856ad364e35_6.1.7600.16385_none_388de5065074b62c\loadmxf.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_6.1.7600.16385_none_9da1b3254ff796e9\msra.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehprivjob_31bf3856ad364e35_6.1.7601.17514_none_53393627486ae37b\ehprivjob.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-telnet-client_31bf3856ad364e35_6.1.7600.16385_none_1426830c3ebb712d\telnet.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24\ndadmin.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx35linq-edmgen_31bf3856ad364e35_6.1.7601.17514_none_0ca1fd81527e1e9a\EdmGen.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_6.1.7601.17514_none_d71fb1d63f05ef22\WFS.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\x86_netfx-netfxsbs10_exe_31bf3856ad364e35_6.1.7601.17514_none_3d9659600c3683e3\NETFXSBS10.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCmdRun.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-wmpdmc-ux_31bf3856ad364e35_6.1.7601.17514_none_f06adab455a2f1e9\WMPDMC.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\ehome\ehshell.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\servicing\GC64\tzupd.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_6.1.7601.17514_none_28c78887678afbb1\mip.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_e932cc2c30fc13b0\cmd.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-taskhost_31bf3856ad364e35_6.1.7601.18010_none_86608c5a70f925bc\taskhost.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-forfiles_31bf3856ad364e35_6.1.7600.16385_none_b1186146f739d0f1\forfiles.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ipconfig_31bf3856ad364e35_6.1.7600.16385_none_a82ee2a7319fa8f8\ipconfig.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a\ndadmin.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\WsatConfig\9683999d889dc0b8782c782e2fc1aee5\WsatConfig.ni.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sethc_31bf3856ad364e35_6.1.7601.17514_none_c0e644688bbad892\sethc.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx35linq-csharp_31bf3856ad364e35_6.1.7601.17514_none_7551b4792ac9630d\csc.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-winrsplugins_31bf3856ad364e35_6.1.7600.16385_none_722b680e4b585656\winrs.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7601.17514_none_177a088436382a34\WMIADAP.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-autofmt_31bf3856ad364e35_6.1.7601.17514_none_e7fba6c91d7030e3\autofmt.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17514_none_6e37cb8c12652b73\ntkrnlpa.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-sysinfo_31bf3856ad364e35_6.1.7600.16385_none_ef2b073e59e262f6\systeminfo.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\ehome\ehrec.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-where_31bf3856ad364e35_6.1.7600.16385_none_b9c82ac6f7db99ae\where.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\splwow64.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..ce-useractionrecord_31bf3856ad364e35_6.1.7600.16385_none_8ee34c400d95f0ab\psr.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-cipher_31bf3856ad364e35_6.1.7600.16385_none_090b7101bec9a9e2\cipher.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253574a38b1ff75b36b	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = a36cf5e347a07b8942995d246e6594a6999d59ea604c4e7db7ba83aa5481dbf4e58068130ee2bac3f661c633b3656d170cc14f11d7cf6b357b391f16907ed277b5c9535c0986f00938d035	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

Modifies registry class 2 IoCs

Processes:

304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.exe \"%1\" %*"	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

pid process

2960 304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

pid process

2960 304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

pid	process
2960	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

pid	process
2960	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

description	pid	process	target process
PID 1416 wrote to memory of 2292	1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
PID 1416 wrote to memory of 2292	1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
PID 1416 wrote to memory of 2292	1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
PID 1416 wrote to memory of 2292	1416	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
PID 2692 wrote to memory of 2960	2692	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
PID 2692 wrote to memory of 2960	2692	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
PID 2692 wrote to memory of 2960	2692	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
PID 2692 wrote to memory of 2960	2692	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe	304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

C:\Users\Admin\AppData\Local\Temp\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
"C:\Users\Admin\AppData\Local\Temp\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\tmp8432\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
  C:\Users\Admin\AppData\Local\Temp\tmp8432\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2292

C:\Users\Admin\AppData\Local\Temp\tmp8432\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8432\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe" -service -lunch
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\tmp8432\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8432\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
2c049b8589fa1de56074293c5fe1eff1

SHA1
bbdd64fd365a758abc058d74649de395a18bf8e4

SHA256
413dc16b60b2b0de22395649ab6d0e2d9ca6401c5f66f5ee99f793065ce59045

SHA512
d7dbda8f1e99190c88c455d7892aa41d16717a855e2a3ab6389cbd058073386af434789f5017c3542fe0a3512dae542cccb126a80d992d0b75dbab2fb30d22f5

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
f1181377bb0ea62909acb7f29b275e2f

SHA1
8c51a6e32e3423bf71316c9166b49b25aa3a2295

SHA256
b8617cdfc04e9e5bcf0fcd4df78f88e878ed7a9077c156f305844a317710fe73

SHA512
0687f9eef7aebc8f4d4f6cb2c7e6cd4cb454ac5fdf409d7ec3ffd3183dd92995aef3dc6015000eef1db83edd7595675fa1f375646102316331d075afed0da156

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
4cb889e527b0d0781a17f6c2dd968129

SHA1
6a6a55cd5604370660f1c1ad1025195169be8978

SHA256
2658cd46dd49335e739cafa31ff2ec63f3315b65ecc171a0f7612713d3ac702b

SHA512
297d2c05d2ac950faeb519d3e7bc56ea9d9fcab65b5dfdbba2720be8eddc8b2d5ead3dc7c122b82d6937be6c2d7bb88872dd7b80961138571245fba381daac3f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe

Filesize
126KB

MD5
da663e9e5037bc55b952ad92f79e0bd0

SHA1
19607b4f96bfdefe7fea1ac9d8230e4b7f600ca5

SHA256
401185b2927f7ef2556576cfe6655796762dea7c87389945226def056e204753

SHA512
03116ca56fdd5f4ecbfd043125d93f59e29a2920c517fef30a3313230959ce5ca1a9721090d5cd90f0b9af2f12d3743de0ada8e2a2e8dc689af6951fcbd072dc

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
634KB

MD5
3cfb3ae4a227ece66ce051e42cc2df00

SHA1
0a2bb202c5ce2aa8f5cda30676aece9a489fd725

SHA256
54fbe7fdf0fd2e95c38822074e77907e6a3c8726e4ab38d2222deeffa6c0ccaf

SHA512
60d808d08afd4920583e540c3740d71e4f9dc5b16a0696537fea243cb8a79fb1df36004f560742a541761b0378bf0b5bc5be88569cd828a11afe9c3d61d9d4f1

Download Submit
\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
455KB

MD5
6503c081f51457300e9bdef49253b867

SHA1
9313190893fdb4b732a5890845bd2337ea05366e

SHA256
5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea

SHA512
4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

Download Submit
\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
455KB

MD5
e9e67cfb6c0c74912d3743176879fc44

SHA1
c6b6791a900020abf046e0950b12939d5854c988

SHA256
bacba0359c51bf0c74388273a35b95365a00f88b235143ab096dcca93ad4790c

SHA512
9bba881d9046ce31794a488b73b87b3e9c3ff09d641d21f4003b525d9078ae5cd91d2b002278e69699117e3c85bfa44a2cc7a184a42f38ca087616b699091aec

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8432\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

Filesize
726KB

MD5
3178f23055b264687995248286a1203b

SHA1
cf90f321c3cccb006698c4665ec65172c221d979

SHA256
7895cba4fd1a4f2b5679e8fea1c5b5cbff35ece25dc7e64d49e9de98e52193c8

SHA512
94ca4626f83260edafc2c36346c33be0f12bd46d93b18b4ea336e82e5db1be857f41d475a40913343ad6dfe61bfcaa13fbc75a6853b3f7e071b2580f9aa065ef

Download Submit
\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\accicons.exe

Filesize
1.4MB

MD5
a1cbf221f65a4a957a1561e94c05d2ba

SHA1
f737fc584cc642e8b808a316faf0eeac8360d344

SHA256
cf4c6c14eca09ac8345555b82585c6138f7388de63fcd626b0c19bd88b9231a8

SHA512
83dadebac14d91aa9c41d8b516f369b2a318fb58bf1e05437468d4f339639e431f981b8841f3bdf84b0d8b86b9e0a918900b559d1a327abebeb25a35a8954295

Download Submit
\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe

Filesize
174KB

MD5
878e68f3e1f33e6b17cdd8fe8cf506da

SHA1
c0eb82f75d1b263e2f3969774d9c028603ce82ab

SHA256
62a7da29711b99bcf1df9e9e58381356f483d296746aabf3c5693453e1640551

SHA512
6e3651adc0de4117220cf21ee4bcddd74f25aedd571968ebb0dfd2064277e22eeca6de1dbc07026bc034f26da439bedc88f9336c9136a135208ec9a0e85198fe

Download Submit
\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe

Filesize
458KB

MD5
468d5cbec799d161d4d994374c7d8624

SHA1
2aefec2418c6dc3ea12280302251aab7d4232f7b

SHA256
5c801819fe938ac3f8a7e412147c6651cf662e9f67d262cd4879bac7fba960f6

SHA512
f26b734b639d75c0fbb51c7d4faf08cfe34d623a2f4e14efd07f3eb5836c8b3f1a1b4c8342a45f8be236352ecc20c990da9c95ba4b8359e04880cb4fdacedef5

Download Submit
\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\joticon.exe

Filesize
318KB

MD5
73887e89d99d6624e69f8bd46dbf4c55

SHA1
8a239ba6001f5f4f9c27b018ef744f1bc8a960f9

SHA256
37a7e757122e9384b75f15022e07a429860e741f72b67986d155ac24259835c4

SHA512
f5c061f1d9e2a72044fbcaca2cf50330a89b0ef7c960f3cc6720760d8c048a20b5d10b8ea454a33fd9d2ca25b19d251b477ea838a2854b4a7756a5b89d3430fc

Download Submit
\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe

Filesize
557KB

MD5
fb3c8178ad435b5b2194d5ce774e1f53

SHA1
f8ffa7825a628ae2d3be6d1a82281985f8029427

SHA256
8263b2fd09374585546353e8b61439dec4fb6e26d547d5ebed7696cab7dc8060

SHA512
e0ee5d6d9d0eb5b9724ca2cbfc642241c5b8e7b48d4b724473a5af7665a25442c22fb365e1431f567cf88c3f550d411d99818bb9346e29dd1730a43712425a7c

Download Submit
\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe

Filesize
41KB

MD5
4c881240e9ba65c1c640e321e2f2365c

SHA1
6b7c6c2b9f431a48aec9f592d170c4e55fab8603

SHA256
be830fe2aec6b95335bb645c5ddaab950aac2f8f2c7df8b3c72311a52df13af1

SHA512
7a4ee9b1404c421364cb074d1cd0e627c2815e977661726a228f46908d8362259383e6953bec5bc73ea6a55be2fc5bc9e9d38c08484ff3b7fc309b449c0d0282

Download Submit
\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe

Filesize
296KB

MD5
0fefa3d55a002ddfee5ce3c685fb3329

SHA1
34893113f1c751a1eeb09d17d176b808a29a4a8e

SHA256
c4bcbb08ad69a76f0bb188ab91be1f21c43b93dc2c9d739b7c5119eb0884ed97

SHA512
c1321016c5391b4ec913e7e2538699442d759a90730077815b18c9dc7daf2fad43127b20036426d3948e4f8aa82727d79ca34f611ee52cd81af1b70224626e74

Download Submit
\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe

Filesize
3.6MB

MD5
a94f27898365a15c2ad064f2b7120a2e

SHA1
c269b8c203adfaaaba2f55bc2036f91c121ac0ea

SHA256
716432b309bda8358c700b3e7680c1fe051908bf546786db3b2912c73937c95a

SHA512
6661b16b6db191be0eedcb78a32466f334c63a428bd3733bd41c7f2e940b2bf9f0251693202f02b57076293e278d27252a26c196421d463e5c34f5a77f00a3ed

Download Submit
\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe

Filesize
405KB

MD5
03b8c0ea3697262d419d6077f90cc816

SHA1
aeea37cba8e570940273a03760c989d870cb34de

SHA256
47496b537c0dd19d3df7f94b48db2cd6d87446984372ae079e6e6815e2085224

SHA512
ad123b1417478c3a2f6134a750ec5d3bace8781c1ade974e1286378de569639e188727999ec2be386a5ac9a64ffb3d7cfd69a028bd2a4eaad62dc4b38dd0ee7b

Download Submit
\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe

Filesize
1.8MB

MD5
c7ca74a7f624e8f57f3d62d9b59cc0fb

SHA1
5aa194c4983276423606944133080c0337ef0afe

SHA256
1e83c1a2f6f2b7080c7fefccff1fde4bb14aa8a57e851817c92a6f1c946ca17a

SHA512
4b25f903d4fbbcb13a7866eb4b2c3af1631dbd2532b7418df7570c969c459b84a684276dfe373628f595fd647e4e06f899a26e9083b9df9347415bdd1f3ae4f5

Download Submit
\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe

Filesize
1.4MB

MD5
4ba6116a63c53a64aaf044bcca71feda

SHA1
136e1e672f1d3dd5cfe3b69f9baf8bac8b847120

SHA256
aa144b2a0303a5740f87a24b8a906c0f54828390bc333d146c07aa35f21962bf

SHA512
9dcba4dc77c7c0e704537b77178b8edb7318e6554edad6f5b76e6e5fdc170eb612854349fc0aa671d44f2e8ddfb6e7b12134b3089653229980380086ec2bff5c

Download Submit
\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe

Filesize
41KB

MD5
b45a8c2c93316563941adb4f17284492

SHA1
75b6bd7e8f031fccf9a73e3d9b51916241dbd73c

SHA256
5c18291c481a192ed5003084dab2d8a117fd3736359218fee2aea1a164544c9e

SHA512
07367ccbcefbbba39e0a6fc4f79b87db8669ac420c9e512f78af3175ba5e6f8bd956895e6d1b75faa99848ddf9d41430f3602c374441ccedb0f68796694465e8

Download Submit
\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe

Filesize
41KB

MD5
ba47dd9e8e3f77169f277290ea04282a

SHA1
fba3d13e8a832fadd15e445f3e6926c6e2014ea8

SHA256
e63348ab0af39ec780937d0e719964ed6a738fd43134885649890cb395492a50

SHA512
c406840c6a75929d3dc1ced9fedcdfc7af725670d1976be608eae81c33184a958291c09aaea0b5191da35e5bb87b18860f3eeccd040faf0b5776973eb8e9869b

Download Submit
\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\ComSvcConfig.ni.exe

Filesize
400KB

MD5
3d8f236d75230c3488eb188dd32eee11

SHA1
740b130f3e11c76be7e7d135d9220997f1d056e6

SHA256
a166762ec0d9b077afcc908f4af6dd5e9ec3fb195acaeac13f9fe304989c3db7

SHA512
a8e5f60cafd7a85ed4958ee2095dd4423463cd7010c2f79d7e972203e9accf0e400763ce9252914a9a1c700ad3e773bdb0c0fb50f26bb9fc02549ada9ee5c7ea

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\af28543d9b3e7d9f110448ecce53cd72\MSBuild.ni.exe

Filesize
130KB

MD5
964ac76c0270a090775b3c50038ff055

SHA1
a67c5ec10ac8438eb76bf5722dd542f15373172f

SHA256
ac3e903abe28c17222e72637757f962608199bc5e7ff7967b8238c18be69d75b

SHA512
5e0180eebc0338004cb64a4418b447f170a64c11f270b0e9fa88a1e951e5a7e086cd7ee55ce6c1ff862627e2d82acb257362b915204367dc5984aec2c5410430

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\0bae62c3fc6c327ed24989263988173d\Narrator.ni.exe

Filesize
2.5MB

MD5
3eed6f329c4f28612c8c42fdfadd62ff

SHA1
f09ae7c1297e9d11d3f4ecc73ef6efff92002e75

SHA256
4cb0ba17be3f6eb4865534bf5a89171e4721f46718c23c75a55ba2ec1d3f3e2f

SHA512
83257b68a4879c654e934243f794f52503f071c6b4c53025dfb0051fd849dfd371c8473958d98b38e842951a605c56f10435d0243ba10d582f128bde0de26d86

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\1bc1ee3c3aa45d28dcf4657bceb2fcb4\SMSvcHost.ni.exe

Filesize
357KB

MD5
be199c54c931575046d967fe1e4cf282

SHA1
4181403d26da1f3c4576cb898ccb9689df1a5070

SHA256
c7c27b0c6efd5b82e2bb030dfb31d14656190dfd5ae2b4b58bf42f1e8e70a2b8

SHA512
29256884363216244edf69102fca7f330c2152b1b0c493a2b89de9d9a5fa59e479e14314be3a6d94e4e61d595a1f649c8cc91bef521d5f4eb29052e84a0b1f82

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\96a8bdafba9f9d3e33cd974bfaa67e58\WsatConfig.ni.exe

Filesize
313KB

MD5
9a382764c39b17671c5a8654f5342f12

SHA1
e4cff845d1353bbca2d74fb21a45ebbc68f9079c

SHA256
3a492d88db86054aa304c0c484fa3fb5f32f1e3ddb558ad0a8c8a41431ffed73

SHA512
77b9e6b6172ffa7bc17b0d781c9000c12e18ad3fab1cb48b2a430ce8bd891f14f749c49492e14d19f1b366993aaccbe9ca04e0f4beb94a0e2c17c499987576bd

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\c899de3549784161aa66610d5735e4f0\ehExtHost32.ni.exe

Filesize
248KB

MD5
47733f3bbf08075eda4e3fd8b9acf9dd

SHA1
c5e49e401585b3a44c778e225e6d2f16b7991ea0

SHA256
e5d3c4a3be87066536738d1c04f3b15b837b6edcfa7983b3fbade4d92b2d3716

SHA512
41984d9982c18fc88fc03f9eba8c36640f191a41b70b57956001f7424a8ad73ae6c5c47e8daa1f9087c0cf27fe980a77261d01755e479549a05e322494431d53

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\ComSvcConfig.ni.exe

Filesize
625KB

MD5
9d05c89e4a47ed122d90437dc167b0ed

SHA1
1a038a315c5942741db76c133b489a713688b60d

SHA256
d7ff8ea17c69a85e5ffcee9da403fcf673ac4814b92295c950d9686f20f91133

SHA512
2800a5e97e45cba5fb43ec36825f8a2704ec51e9437a8d76bb88b7d847690095bd7590d27f723391c898c44de212328cb020dbd992e830e33fad946f5da3b5ac

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.exe

Filesize
180KB

MD5
05e36f79a5c467e3ca08e45faf0c5f70

SHA1
5d6181534d08542f1b0ab6715957fad16e5739f0

SHA256
321b2b1d180b4eb0bb5402fe6417f7f892a9dd68089419274f35dd555820cd35

SHA512
ea101db846d71a56f40413e98b3af02413cae88075992145cb41d22c9b807fc693bb4b098685ce0c76492a7126c61110f6990ee3653e8ffb09759284510ac57a

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Narrator\4cc02fad33053737088d4c18267ca0a0\Narrator.ni.exe

Filesize
3.4MB

MD5
3f4caf23c20f9619eca3aed9c2e65c2e

SHA1
996105e511514fb159393b4dfb93b460c7480048

SHA256
1f0302c8548c27fd60ff6632439c35ca126ad1b0dbb81b519b51ea608f7f77f6

SHA512
1f161c8672e784a30ecc2a686304e43922e5a0edae4f3ebd5508469098e825098f20ea38f2bd87e186e568f6c8687bb10506707d55ac58dd04c8220e3abd929a

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\SMSvcHost\04d794428d635f6a82ac57dd3d6f3628\SMSvcHost.ni.exe

Filesize
513KB

MD5
62967de0f374091654ca38ee3c6fbc9e

SHA1
bf50344e712e4b77ac294fa1c9f7db2202dc0197

SHA256
28c02c23b266c4ab7caf358d45e16dabff1860ed0a482831bf894e9bac933efe

SHA512
7b2f8ee059b91b2e71fe211dfaa766e8aca4a8d9d47a65cc0c77fa8f67b1cc78a041f35821ab0f4105c873b5ef54961537bbaf49a27f8a390bfedef9d4a920dc

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\WsatConfig\36ca2928b2191011831ab673861c6ac6\WsatConfig.ni.exe

Filesize
458KB

MD5
7acd160d1b2bc36545b84fac6431a57e

SHA1
8d2bc694f41c2e33e89259c93feddd48a15b7146

SHA256
36061f7328bbdf2ccec4d1f4311ee6167a1665d9ba2ac3d72bffbfbc94c9bd83

SHA512
824f787db00e30832afe2557bfba758dcb141f7b9d06b232f0d36298442b1742e1fb838f2875509f5d2cdf65e674103bc1049fc3def72adced50ac1b631ebca2

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe

Filesize
380KB

MD5
f9a4bfd4196f83ef1eb500392c6d3d99

SHA1
c9a33aad1db15ec3adf3b66a6a81135900f30dc9

SHA256
ce7b972b9589e09166861d8540b92d94946ef876b04c67a6db729e0f49e03b12

SHA512
1d9e89da4bafe842056d7c7a761c38461b8e8f6523afbbfca4846f87900d1b8c3f0b3b4093aac06772445e5b79f8389ea18ed8829bbb5a2a25659cd1b7363a91

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.exe

Filesize
534KB

MD5
dde8839804f75e5064018702c7554af0

SHA1
600ef05608140f3eb8bb6e2594b82d9702b64424

SHA256
077f9b1085499c647ad016e27f3e68b19c96fcfa1654f52ea6bb612dcf38232c

SHA512
d9abf3cb9ea52ddbb1b63ff90b947ff477090164a3c976c0ec19668e4808ef775eddc983fe10d852b0036c63f608540c5679fc2e5feee445a2ce79469a88ef78

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\ComSvcConfig.ni.exe

Filesize
478KB

MD5
291f784cb2766a2c4faa95ff257e6b05

SHA1
413464efcb3068ef1e6bee2cd2ae977a7dd515cd

SHA256
83599c19b460e2e99a130495197c0f5ff79f8152174927fc3d50a1dc6db93ee7

SHA512
c587ecce4de60399d778ddcdd6754fc5a200d1c5bfaab9f1185247ec8b76c89d257cc45b714eea711622918f8b94d06250515a761c430240b05efd95c9ad6682

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\b93c627ec2e15c2675bcc81edafb10be\MSBuild.ni.exe

Filesize
807KB

MD5
dab25251ba5e2eb52452389ff87a4398

SHA1
703c7654070de4c475e1846066c7073862cfe515

SHA256
c5c5f5b5a252c7a113b4241ff92ddf166c56c2f85b424127e44fb8fcc82f6859

SHA512
5dfa957614f8ac86aecd80ea34454cfc68b6b79c7cf2f9d730381804eab3161d3f82c739bba981ce2204e9feefca7046a42a72024f9fb86dd66e1a90bde58544

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\SMSvcHost.ni.exe

Filesize
352KB

MD5
c5dfa8d052601fac9ec4ce64f6ed1c26

SHA1
7315f8fc8659d6a584f41b65a65c25db3fd61d2d

SHA256
d00adb98e24f4f8aa72272e3d107c39b009b49b3d998efae264e1cf85a147544

SHA512
857f2cea5ef70bfa9de1547fe5307bd6747c92fe3d660f1d2942bbc0d936180aca2c8fb78dedf8649038b826fc46ed76ec6749baa85d4588e668c0084bb2130a

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\WsatConfig.ni.exe

Filesize
312KB

MD5
4e2d24771514434042f1c14d6766b2cd

SHA1
7e80cf945e922f61751b363370e41db1b1674ad2

SHA256
e66cda8cb1596ef5bfcc0d932e0a5ed32a2e1618b939ba8cf6d1dc5f8c68166e

SHA512
e5a51709d31ef8aa7180efc6418d493d568df4c5cfc1e8fc0b3de98c53fdf8285a7d5f34f099f85ce90432bf86e6c23a07af6e767d827c91c46854ee0c988cc0

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\9a69a26417a09c2d9d7f67bf7592bd74\ComSvcConfig.ni.exe

Filesize
609KB

MD5
e918cc8c6e133fd8e10e281365485847

SHA1
03b4a11d44157a3b4bf1ffab668bd8d2b56ca661

SHA256
ca8d280ee5d587d90d7a93000231e4455fc2c9c2f737f8fa28bf4343f68c197d

SHA512
a1b73f59a2594cf0f66aecb06c8e0df2d6e65733e54f4976713a9b1b88d8fea75b2ac8578c4db9e170dd4069418b08c836a29f5620dc2678e16ef9828122e6f8

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\f4a88265ac4ad47978daef8c5482fd30\MSBuild.ni.exe

Filesize
981KB

MD5
8f5bfeb3134fb724246a6c078b3279cd

SHA1
4739f08137adbfa8290065267ce4bc3710361342

SHA256
3b04d60ddc16805fb40687ad59a93d12b6e779627d5c60e1fdb3aa4dcccaa33c

SHA512
0382a391220a7a87ca60396064f593d269322bca42420491600c6f7202f2f5211503bcda9bc943e415afba9ad0b4aedd0206cc8087b3ba981c7d7bce4eadc485

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\0b4d4e172e8054cb61d27f5ab9e0e445\SMSvcHost.ni.exe

Filesize
438KB

MD5
248d6c0400fb79bdaa17295b22d53af6

SHA1
a07124d125884cd392b0284d6075ed451563bfd4

SHA256
dcb47d1651b403c89c334658b0b68291c32834acdd07992c17577376eaf88910

SHA512
87bd49f469055884d4493f587cacf3dfde75a7341fc71e46c48811c30cfd9ccc620c13bffa38fe60596bc145d93e592268e9802ed2cb7146cfac72cda34fc91d

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\WsatConfig\9683999d889dc0b8782c782e2fc1aee5\WsatConfig.ni.exe

Filesize
427KB

MD5
ad92e20a4058f14f5eeb5c1dc9ae6ec9

SHA1
2f4b8268cb53c6eac4de6254a9ae9a82bfada766

SHA256
26df80ab22b280be68805bde83d4350443fa6c38b6da76fc2831af11208883e6

SHA512
638425063e20dadb8cad8232e7fbf345780e904f9ea26b262f58515b19587c2f1353e47f74c83990f8b08c1c3f67a686fd86ab93432524c7681616cce0a4bdb9

Download Submit
memory/1416-82-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1416-84-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download