expiro | ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9

Analysis

max time kernel
113s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
Size

653KB
MD5

1559eba1084a34643e6456d416478ca0
SHA1

b6bef8dd97c615df23733745fa02986ffcb60e34
SHA256

ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9
SHA512

bfc027e4d82f1958d552837b2ac5a5f75b4ab9d77095c60a9c5f4eb0730dd6a38a56e9dcd834ba073037a08675bffdfc3bc22c9dce61666cd454d060a647cada
SSDEEP

12288:JTYkuB+NC7dTWJ3s0gKhdQw66zqHR7L3jwAS+QWE3PfQy75alnnEX7nuoK6HQDX3:JsB+Nytop966zqR7jUAFQWeXQy70yTPK

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 23 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2600-2-0x0000000001000000-0x00000000011DA000-memory.dmp	family_expiro1
behavioral1/memory/2912-29-0x0000000010000000-0x000000001026A000-memory.dmp	family_expiro1
behavioral1/memory/2852-74-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2096-101-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1232-118-0x0000000140000000-0x000000014042E000-memory.dmp	family_expiro1
behavioral1/memory/2096-123-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2176-129-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2268-131-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2176-132-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2268-154-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1844-156-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2268-157-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1844-172-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1600-174-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/872-175-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1600-185-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2892-186-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1600-187-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2692-209-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2892-210-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2692-216-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2532-222-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1920-227-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 19 IoCs

pid	Process
2912	mscorsvw.exe
464	Process not Found
2908	mscorsvw.exe
2852	mscorsvw.exe
1780	mscorsvw.exe
2096	mscorsvw.exe
1232	elevation_service.exe
3028	infocard.exe
2176	mscorsvw.exe
1056	IEEtwCollector.exe
2268	mscorsvw.exe
776	maintenanceservice.exe
1844	mscorsvw.exe
872	mscorsvw.exe
1600	mscorsvw.exe
2892	mscorsvw.exe
2692	mscorsvw.exe
1920	mscorsvw.exe
2532	mscorsvw.exe

Loads dropped DLL 10 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
464	Process not Found
464	Process not Found

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3692679935-4019334568-335155002-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3692679935-4019334568-335155002-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\windows\system32\okpepeof.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	mscorsvw.exe
File created	\??\c:\windows\system32\kipoopid.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\windows\system32\nbldhpnm.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\locator.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\windows\system32\nkjellhd.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	mscorsvw.exe
File created	\??\c:\windows\system32\wbem\cnlgmjjj.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\mfbjcjhe.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\windows\system32\hpaljpjm.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	mscorsvw.exe
File created	\??\c:\windows\system32\aiknjkhm.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File created	\??\c:\windows\system32\cmbbijjd.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\vds.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\windows\system32\iednlndj.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\windows\SysWOW64\ochinogh.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\windows\system32\memcaqmc.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\microsoft office\office14\aoemffbb.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\program files (x86)\microsoft office\office14\pifdiegg.tmp	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\khjbnjkg.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\jifdnfjl.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\program files\windows media player\afeeeaid.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\epieicgd.tmp	mscorsvw.exe

Drops file in Windows directory 44 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aiflbimd.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mbbhefbf.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\bplpimdn.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\jdaccfhp.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\ehome\immiqicm.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\kaeggchj.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\ihiodkka.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File created	\??\c:\windows\servicing\gogbbnon.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File created	\??\c:\windows\ehome\epnnmoam.tmp	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2852	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe
2852	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2600	ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
Token: SeShutdownPrivilege	2852	mscorsvw.exe
Token: SeShutdownPrivilege	1780	mscorsvw.exe
Token: SeShutdownPrivilege	2852	mscorsvw.exe
Token: SeShutdownPrivilege	2852	mscorsvw.exe
Token: SeShutdownPrivilege	2852	mscorsvw.exe
Token: SeShutdownPrivilege	1780	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2852	mscorsvw.exe
Token: SeShutdownPrivilege	1780	mscorsvw.exe
Token: SeShutdownPrivilege	1780	mscorsvw.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2096	2852	mscorsvw.exe	33
PID 2852 wrote to memory of 2096	2852	mscorsvw.exe	33
PID 2852 wrote to memory of 2096	2852	mscorsvw.exe	33
PID 2852 wrote to memory of 2096	2852	mscorsvw.exe	33
PID 3028 wrote to memory of 2632	3028	infocard.exe	36
PID 3028 wrote to memory of 2632	3028	infocard.exe	36
PID 3028 wrote to memory of 2632	3028	infocard.exe	36
PID 2852 wrote to memory of 2176	2852	mscorsvw.exe	37
PID 2852 wrote to memory of 2176	2852	mscorsvw.exe	37
PID 2852 wrote to memory of 2176	2852	mscorsvw.exe	37
PID 2852 wrote to memory of 2176	2852	mscorsvw.exe	37
PID 2852 wrote to memory of 2268	2852	mscorsvw.exe	39
PID 2852 wrote to memory of 2268	2852	mscorsvw.exe	39
PID 2852 wrote to memory of 2268	2852	mscorsvw.exe	39
PID 2852 wrote to memory of 2268	2852	mscorsvw.exe	39
PID 2852 wrote to memory of 1844	2852	mscorsvw.exe	41
PID 2852 wrote to memory of 1844	2852	mscorsvw.exe	41
PID 2852 wrote to memory of 1844	2852	mscorsvw.exe	41
PID 2852 wrote to memory of 1844	2852	mscorsvw.exe	41
PID 2852 wrote to memory of 872	2852	mscorsvw.exe	42
PID 2852 wrote to memory of 872	2852	mscorsvw.exe	42
PID 2852 wrote to memory of 872	2852	mscorsvw.exe	42
PID 2852 wrote to memory of 872	2852	mscorsvw.exe	42
PID 2852 wrote to memory of 1600	2852	mscorsvw.exe	43
PID 2852 wrote to memory of 1600	2852	mscorsvw.exe	43
PID 2852 wrote to memory of 1600	2852	mscorsvw.exe	43
PID 2852 wrote to memory of 1600	2852	mscorsvw.exe	43
PID 2852 wrote to memory of 2892	2852	mscorsvw.exe	44
PID 2852 wrote to memory of 2892	2852	mscorsvw.exe	44
PID 2852 wrote to memory of 2892	2852	mscorsvw.exe	44
PID 2852 wrote to memory of 2892	2852	mscorsvw.exe	44
PID 2852 wrote to memory of 2692	2852	mscorsvw.exe	45
PID 2852 wrote to memory of 2692	2852	mscorsvw.exe	45
PID 2852 wrote to memory of 2692	2852	mscorsvw.exe	45
PID 2852 wrote to memory of 2692	2852	mscorsvw.exe	45
PID 2852 wrote to memory of 1920	2852	mscorsvw.exe	46
PID 2852 wrote to memory of 1920	2852	mscorsvw.exe	46
PID 2852 wrote to memory of 1920	2852	mscorsvw.exe	46
PID 2852 wrote to memory of 1920	2852	mscorsvw.exe	46
PID 2852 wrote to memory of 2532	2852	mscorsvw.exe	47
PID 2852 wrote to memory of 2532	2852	mscorsvw.exe	47
PID 2852 wrote to memory of 2532	2852	mscorsvw.exe	47
PID 2852 wrote to memory of 2532	2852	mscorsvw.exe	47

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe
"C:\Users\Admin\AppData\Local\Temp\ec1a1baf23225c897f846d8e55e7d2e76404324f00c5b1673702aff85ae883f9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2912

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1b0 -NGENProcess 1b4 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 230 -NGENProcess 1b0 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 21c -NGENProcess 240 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 240 -NGENProcess 1b4 -Pipe 130 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1b4 -NGENProcess 23c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 278 -NGENProcess 240 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 264 -NGENProcess 240 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 28c -NGENProcess 250 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1232

C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
"C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3028 -s 436
  2⤵
  - Loads dropped DLL
  PID:2632

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1056

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.2MB

MD5
c34d4c87e85f18c8dbac515d386cc36f

SHA1
65f1e503f59f9b155975ff9c5298beb8a2bf6f6b

SHA256
9064eaedd592d680047d16c5d4c648096f4eefd1b4f23c177ebba661a9e7ccb0

SHA512
1b8c7cb48b449c0974da1819afb15f652837e70c92c7feeb8bc7ff7b2e7938635d25f282a72171ce3174178119049beba45641b2cef48ed0911b7688ff8bfa2d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
733a59e5c9406455b454a05075b54a30

SHA1
97993d9431ff80d42597928af762cfac650dc0f0

SHA256
6179d8233472b7d1a3186b62da835b11c9490244de71a661f3d7c39ac344b73d

SHA512
bbe2d7e58bc9e0cd84ef942f1a29d4cf705bdfe417951bb781819b2990f796b75dc22ab090b786dcd25c881d2c97d6782941ff141d05a1670721d319b2b5fde2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
698KB

MD5
46f4951470952119946c3f3ddfb7f1fc

SHA1
129db16fd1a838207d59570f9d5452d8dd9e97b2

SHA256
833e163634eed8ae46446c7d8d31260479f41d0da1b9a229dfb1bacc1b42f1c5

SHA512
2464cca83d85cd9244a142996ca7ec7b9504b307f6f89e0911a4d52a053a8099fcc9e4e439f28e9b82257560e96a92b9245656e13d469d3d9629657d342e829c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
645KB

MD5
dcd3c5c215f484f8ddc95d900fa68154

SHA1
5a183c0e943bb4d50e8e6a7d6643781b1ace5e9f

SHA256
50ccaf72966f73e84985f7823d4ea5d4ed19f99d8c39239e1ee635073953a461

SHA512
7dde724decb5bbee66bab155c5e60106e31a313a99115e5d5694cc70815fcfc2a11d1f13108585c42bbce48586b87bc1a5396197bade5c957fc13d26f8415ac9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
67e9c8d55c11b63a1905fe18f66f001c

SHA1
9ee300c2476b914236d93dc011ffd9b9a0039aed

SHA256
234f2487191b3405bffe0fa671e143cd80ba1f7c4eb3dd0112ccc9c7ec44983c

SHA512
a988c0522da09cf0b0b7e997bcd250a9015952be2c9f5148362f6c3da498af03c33fe311e09874ca5e97017f2945a495a2700071c711d078457a2fab37998070

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
676KB

MD5
90bda63ae5b784ff243f0c9d436ed1e0

SHA1
d8e5ef2454b21883fc71c1407789bcc6da636766

SHA256
99ffbde2c3d956048c607a75c94670488053cb5259a2e1d1c929e93fec949654

SHA512
dbe09b574a9eeb3c226d3f04db1743d491567995e26b39015c8a1d60cb99b7f77df46e3da177344f232625d1f32daa8c8d263d53fbc5bd90638c195d55ff0233

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
726KB

MD5
f7c5701dbf229fea54ba70ee6faaa801

SHA1
8a23a60336b8e9277c613cd30eb8e920a1b88342

SHA256
e27d4dc54e9c7cb1caba49cc6dee66a757e9a50ca64033f88eff789dfe2451ec

SHA512
f971db7c1a68fac4820d0fec5d921df8330c439f372f2a57dfe3231e0581be5ea84b5e7912deaa3afb41af07ac8e4175479a81307298e3953f9bc5c94b86194a

Download Submit
\??\c:\windows\SysWOW64\dllhost.exe

Filesize
594KB

MD5
fec71265ac6ec3f63367fd576c66db77

SHA1
b57d49aa43374b3f76eef8b4d87858e100d46045

SHA256
e9406999ff4edb608c3375c6c8e5c28dacb667f9c46a066ef55e224230fd388a

SHA512
d45a1258195fcc704b34a0a50a4c0f7ac8c61cea829bfbc5cef10edfb7592d75a46c0f4bea32956b6fc841940975b8e811532f6a2df4590ff18f7eb9335f85b2

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
607KB

MD5
0e1e6727902fa6e5dde59c2038b40ed5

SHA1
e44c2a997b269f24d7ddd33640e6e31ddffcadfc

SHA256
fe1a284ffdc0456a330c8eba36b0ebc970124074bfac08b64784da080875b770

SHA512
4718b6f52a945d225b393c6c3ecf3461bc9bc722034b3872463412a0956c700ea234d7cadc8e79e0f888f26c0bc6ff2eb907d8b86d55933a0dd23c1c10f12258

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
03864c16556a3a5a6f7b1dfd59c824cb

SHA1
90e77979703f1d48b4318ce7e4a5d2a9107defff

SHA256
6b424fc11dc47263e9685a0af6151b57b6157a4ee35a413d28e1718f4d1b1758

SHA512
b561028ff53d3c90a95649847ac3e6bbaaa73d484cb8ecb92ef49318f60413b7d8be4efc215012a135eea043a18ac8e724774270d62df52515dbde9b60eea589

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
711KB

MD5
db95a183a1a4ef06b8d77c3fe2ecc546

SHA1
5299572987d6bcd78ceeb4aa4ce378af091c9ff2

SHA256
9a955a60c8d1d5944641ec292400b5d79691c469e7a4fa1439ff53d882a17aff

SHA512
b4ae6a1d0c089f7140b0fdaff5071e2f8775c2f19a8a479109123501bd215e2dd3fbd289866780f923f3f0530f67c9e3f3d21792eb8dc545b01dd8be7b86cae7

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
623KB

MD5
bec62a89b4536457f1757dc6b0458430

SHA1
85ebc5b2003f0d2460ea968448efeca9d7b89d17

SHA256
795f23e46200934365c5b6d9cb12ba9c99ba1830c587b18a3e7aa10cd4aa5cb8

SHA512
dc5578e7aa87c3f96bb7d9bfb4a39333691ee6e757fac38afbfa320eac1b29622d7784ecfa174c75778c0daa81969520c82191a5fd44c4983664afbd1f169c86

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
664KB

MD5
3a1d93de5c6f056b80a6b0903cc4434a

SHA1
04fbef852eee21a11b486b8415fa445f32307c0e

SHA256
9106895a8f8e9ca2b335601c3f5d28d9f3933304515b42f39f564591664d6d0e

SHA512
b42d212fb1a9c55c33822a5083c307fc7b364d8b7de884efb6d19f40eccc05c8576e1f52a1c06c7a77d1edf98ab4bb4fa7b3a6f05052ed62003263fef014bbea

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
e86d1681fcce52ba3aee1b7017f785c1

SHA1
286ff29b289a268fcecbb0ad94a7efc93cf911e6

SHA256
c3b9b44b2e7ddf7f0ba0853d3ea524b725fb399fda84790f817fb784bdb0a9b2

SHA512
0218ba6c11775322aea71a4f6e694244bfe194dc20923b88b1fdafaa6679041d0092ab63f185f3a09da343d5aeee849e7596a44611ffa89647e939a8ca1f88a4

Download Submit
\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
801KB

MD5
e03896a65da3a64ead4e035ae8a4958f

SHA1
d50182725476b42489384204888eb26a530782bd

SHA256
f7f3b8a2a364c32b3207afca9726737f5f89879a374862df38a4a70ec77f346a

SHA512
1834854b2e585f0f7401780ace39f456370e5c2b65fbde6ce010188c696b662ea18e421250b142b7749de45890a58a6388fe8719e39fcba52fc83660ff511c5c

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
668KB

MD5
a022f4bd61df6dce8286e8450e23b34a

SHA1
9cb7d76cf6ca10a46ffa38d33662a654444c78d0

SHA256
6157aa3283262a8d0378edc452740dbcf9c41650943154a0d22be81b09deec0d

SHA512
b49bb8cf03dc942b192fe96c295605c2b013cdecb819b7409958f630ba633ad6b16aadbc3bc98ab4e92463d5179e7d6fe88a4a47630d1c50902ec41a6e1702d4

Download Submit
\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe

Filesize
1.4MB

MD5
9cdd2901786b7c16ceace14038c9b983

SHA1
7e500c8c74b84539de8dcb9045872eb44dead19f

SHA256
88ccf3f4aa4afd43fc916695553c2d5bf87af80820fd718b74832d79a5a961e8

SHA512
1c973af186e9bc30a3eae506d6413d03231fe853d62e969698982153ee5b81a16c987f5782587622d063ac4261bda99dc6283bdd95ce4b7e4beaaf0fdf2f55ef

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
694KB

MD5
72d3affc1c120732d9f948f119554cd2

SHA1
c679b0bca78d135705d4a49c05bb4d35b6e97b73

SHA256
1093f28e92106c73b4d2059f4bae54e684542725230bd77531ef17a934dfec59

SHA512
98a7bcb683f079dc7ad002ddffaf1a44f8c260b0234598375d94627fa5179ce8daadef27fba02ece7d29d863b95c60f9afbdac289082c9692cdbfdde370158f7

Download Submit
memory/776-153-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/776-147-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/872-175-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1056-127-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/1056-126-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/1232-99-0x0000000140000000-0x000000014042E000-memory.dmp

Filesize
4.2MB

Download
memory/1232-118-0x0000000140000000-0x000000014042E000-memory.dmp

Filesize
4.2MB

Download
memory/1600-174-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1600-185-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1600-187-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1780-63-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/1780-81-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/1844-172-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1844-156-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1920-227-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2096-123-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2096-101-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2176-129-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2176-132-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2268-157-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2268-131-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2268-154-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2532-222-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2600-1-0x000000000100A000-0x000000000100B000-memory.dmp

Filesize
4KB

Download
memory/2600-2-0x0000000001000000-0x00000000011DA000-memory.dmp

Filesize
1.9MB

Download
memory/2600-0-0x0000000001000000-0x00000000011DA000-memory.dmp

Filesize
1.9MB

Download
memory/2692-209-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2692-216-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2852-52-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/2852-51-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2852-74-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2892-210-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2892-186-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2908-38-0x0000000010000000-0x000000001029E000-memory.dmp

Filesize
2.6MB

Download
memory/2908-45-0x0000000010000000-0x000000001029E000-memory.dmp

Filesize
2.6MB

Download
memory/2908-37-0x0000000010000000-0x000000001029E000-memory.dmp

Filesize
2.6MB

Download
memory/2912-29-0x0000000010000000-0x000000001026A000-memory.dmp

Filesize
2.4MB

Download
memory/2912-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2912-21-0x0000000010000000-0x000000001026A000-memory.dmp

Filesize
2.4MB

Download
memory/3028-110-0x000000001B690000-0x000000001B71F000-memory.dmp

Filesize
572KB

Download