expiro | 7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0d

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
Size

653KB
MD5

ab3fc4dce62e61a1b0c3c246e1a40a60
SHA1

5b2f7ef1cee65fc898e58392937a7683b9f35420
SHA256

7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0d
SHA512

b6dfb0c4e6dce823050f9d66d39a1287bdfbf97beefe828893fb8d889bdf861e510dce9301e5963eed8dac8250715680d729e686b485ace0748dc1508a2ebb5d
SSDEEP

12288:JTYkuB+NC7dTWJ3s0gKhdQw66zqHR7L3jwAS+QWE3PfQy75alnnEX7nuoK6HQDXc:JsB+Nytop966zqR7jUAFQWeXQy70yTP5

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 41 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2948-2-0x0000000001000000-0x00000000011DA000-memory.dmp	family_expiro1
behavioral1/memory/2840-29-0x0000000010000000-0x000000001026A000-memory.dmp	family_expiro1
behavioral1/memory/920-93-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1132-106-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1132-151-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1132-164-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1376-170-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/936-171-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/884-201-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1376-206-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/884-209-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2716-212-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/892-213-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2716-216-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2596-215-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2596-218-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/796-220-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2828-221-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/796-223-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2528-225-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/3064-226-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2528-228-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1620-230-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1708-231-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1620-233-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1740-236-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2192-235-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2192-239-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2116-240-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2380-242-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2116-243-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2380-245-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/2340-248-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1856-250-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1952-252-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1852-253-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1952-255-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1328-256-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1980-258-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1328-259-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1
behavioral1/memory/1980-271-0x0000000000400000-0x0000000000673000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 33 IoCs

pid	Process
2840	mscorsvw.exe
472	Process not Found
2820	mscorsvw.exe
920	mscorsvw.exe
2140	mscorsvw.exe
704	elevation_service.exe
2600	infocard.exe
1132	mscorsvw.exe
2388	IEEtwCollector.exe
936	mscorsvw.exe
1376	mscorsvw.exe
884	mscorsvw.exe
892	mscorsvw.exe
2716	mscorsvw.exe
2596	mscorsvw.exe
2828	mscorsvw.exe
796	mscorsvw.exe
3064	mscorsvw.exe
2528	mscorsvw.exe
1708	mscorsvw.exe
1620	mscorsvw.exe
1740	mscorsvw.exe
2192	mscorsvw.exe
2116	mscorsvw.exe
2380	mscorsvw.exe
2340	mscorsvw.exe
1856	mscorsvw.exe
1852	mscorsvw.exe
1952	mscorsvw.exe
1328	mscorsvw.exe
1980	mscorsvw.exe
376	mscorsvw.exe
3000	mscorsvw.exe

Loads dropped DLL 9 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
472	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-1846800975-3917212583-2893086201-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-1846800975-3917212583-2893086201-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\P:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\H:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\Y:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\R:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\S:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\K:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\L:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\N:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\U:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\Q:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\V:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\W:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\E:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\O:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\I:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\M:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\T:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\X:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\Z:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\G:	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\lsass.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\system32\locator.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\system32\qffkfemc.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\SysWOW64\hodanimn.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\system32\ifjqpheq.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	mscorsvw.exe
File created	\??\c:\windows\system32\hkmlaknl.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\system32\iqahhbdd.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\system32\ahqgcqai.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\SysWOW64\ipafhdih.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\system32\vds.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File created	\??\c:\windows\system32\peabkknh.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\system32\dfbghbeg.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\SysWOW64\lahghbkc.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File created	\??\c:\windows\system32\pedaqfon.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\SysWOW64\nfcaqpdj.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\system32\ihcloaed.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\system32\mofeoogl.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\system32\wbem\gajjdnjc.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bafefhom.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File created	C:\Program Files\Internet Explorer\dlcoqhni.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Program Files\7-Zip\fijffced.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pnpndocj.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\hiinnjcf.tmp	mscorsvw.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\gkbpadmi.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\odfmocgm.tmp	mscorsvw.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\cgcganec.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Program Files\7-Zip\pnhochhl.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Program Files\DVD Maker\jkkbiphh.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\program files (x86)\microsoft office\office14\kkbloeap.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\program files\windows media player\paaqelef.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\jaemdheq.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\enmgfdcm.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\program files (x86)\microsoft office\office14\jflapgdi.tmp	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Program Files\7-Zip\dnmejccm.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ejlkpjei.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\geakanpm.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\himilfdg.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Program Files\7-Zip\mnclgkoo.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ghpbhbif.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\kcndgmlj.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe

Drops file in Windows directory 45 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\ifdggoek.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\caqkgjoj.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\nnfnbgbi.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\ehome\nkjdnckh.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\ehome\ckmpppgk.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mfelcnlf.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\jbekpdam.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\servicing\nkkphcii.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\appophma.tmp	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2948	7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
Token: SeShutdownPrivilege	920	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	920	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	920	mscorsvw.exe
Token: SeShutdownPrivilege	920	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	920	mscorsvw.exe
Token: SeShutdownPrivilege	920	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe
Token: SeShutdownPrivilege	920	mscorsvw.exe
Token: SeShutdownPrivilege	2140	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 1132	920	mscorsvw.exe	36
PID 920 wrote to memory of 1132	920	mscorsvw.exe	36
PID 920 wrote to memory of 1132	920	mscorsvw.exe	36
PID 920 wrote to memory of 1132	920	mscorsvw.exe	36
PID 2600 wrote to memory of 1688	2600	infocard.exe	37
PID 2600 wrote to memory of 1688	2600	infocard.exe	37
PID 2600 wrote to memory of 1688	2600	infocard.exe	37
PID 920 wrote to memory of 936	920	mscorsvw.exe	39
PID 920 wrote to memory of 936	920	mscorsvw.exe	39
PID 920 wrote to memory of 936	920	mscorsvw.exe	39
PID 920 wrote to memory of 936	920	mscorsvw.exe	39
PID 920 wrote to memory of 1376	920	mscorsvw.exe	40
PID 920 wrote to memory of 1376	920	mscorsvw.exe	40
PID 920 wrote to memory of 1376	920	mscorsvw.exe	40
PID 920 wrote to memory of 1376	920	mscorsvw.exe	40
PID 920 wrote to memory of 884	920	mscorsvw.exe	41
PID 920 wrote to memory of 884	920	mscorsvw.exe	41
PID 920 wrote to memory of 884	920	mscorsvw.exe	41
PID 920 wrote to memory of 884	920	mscorsvw.exe	41
PID 920 wrote to memory of 892	920	mscorsvw.exe	42
PID 920 wrote to memory of 892	920	mscorsvw.exe	42
PID 920 wrote to memory of 892	920	mscorsvw.exe	42
PID 920 wrote to memory of 892	920	mscorsvw.exe	42
PID 920 wrote to memory of 2716	920	mscorsvw.exe	44
PID 920 wrote to memory of 2716	920	mscorsvw.exe	44
PID 920 wrote to memory of 2716	920	mscorsvw.exe	44
PID 920 wrote to memory of 2716	920	mscorsvw.exe	44
PID 920 wrote to memory of 2596	920	mscorsvw.exe	45
PID 920 wrote to memory of 2596	920	mscorsvw.exe	45
PID 920 wrote to memory of 2596	920	mscorsvw.exe	45
PID 920 wrote to memory of 2596	920	mscorsvw.exe	45
PID 920 wrote to memory of 2828	920	mscorsvw.exe	46
PID 920 wrote to memory of 2828	920	mscorsvw.exe	46
PID 920 wrote to memory of 2828	920	mscorsvw.exe	46
PID 920 wrote to memory of 2828	920	mscorsvw.exe	46
PID 920 wrote to memory of 796	920	mscorsvw.exe	47
PID 920 wrote to memory of 796	920	mscorsvw.exe	47
PID 920 wrote to memory of 796	920	mscorsvw.exe	47
PID 920 wrote to memory of 796	920	mscorsvw.exe	47
PID 920 wrote to memory of 3064	920	mscorsvw.exe	48
PID 920 wrote to memory of 3064	920	mscorsvw.exe	48
PID 920 wrote to memory of 3064	920	mscorsvw.exe	48
PID 920 wrote to memory of 3064	920	mscorsvw.exe	48
PID 920 wrote to memory of 2528	920	mscorsvw.exe	49
PID 920 wrote to memory of 2528	920	mscorsvw.exe	49
PID 920 wrote to memory of 2528	920	mscorsvw.exe	49
PID 920 wrote to memory of 2528	920	mscorsvw.exe	49
PID 920 wrote to memory of 1708	920	mscorsvw.exe	50
PID 920 wrote to memory of 1708	920	mscorsvw.exe	50
PID 920 wrote to memory of 1708	920	mscorsvw.exe	50
PID 920 wrote to memory of 1708	920	mscorsvw.exe	50
PID 920 wrote to memory of 1620	920	mscorsvw.exe	51
PID 920 wrote to memory of 1620	920	mscorsvw.exe	51
PID 920 wrote to memory of 1620	920	mscorsvw.exe	51
PID 920 wrote to memory of 1620	920	mscorsvw.exe	51
PID 920 wrote to memory of 1740	920	mscorsvw.exe	52
PID 920 wrote to memory of 1740	920	mscorsvw.exe	52
PID 920 wrote to memory of 1740	920	mscorsvw.exe	52
PID 920 wrote to memory of 1740	920	mscorsvw.exe	52
PID 920 wrote to memory of 2192	920	mscorsvw.exe	53
PID 920 wrote to memory of 2192	920	mscorsvw.exe	53
PID 920 wrote to memory of 2192	920	mscorsvw.exe	53
PID 920 wrote to memory of 2192	920	mscorsvw.exe	53
PID 920 wrote to memory of 2116	920	mscorsvw.exe	54

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
"C:\Users\Admin\AppData\Local\Temp\7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2840

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 1a4 -NGENProcess 1b0 -Pipe 1b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 24c -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 24c -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1a4 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1b0 -NGENProcess 268 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1b0 -NGENProcess 248 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 1d8 -NGENProcess 250 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 25c -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1d8 -NGENProcess 27c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 268 -NGENProcess 264 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 284 -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 224 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 268 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 250 -NGENProcess 224 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 294 -NGENProcess 288 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 290 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 224 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 288 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 268 -NGENProcess 290 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2a4 -NGENProcess 27c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2ac -NGENProcess 288 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2140
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 19c -NGENProcess 1a0 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 214 -NGENProcess 21c -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3000

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:704

C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
"C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2600 -s 436
  2⤵
  - Loads dropped DLL
  PID:1688

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
73fe3b563aee07e18d5625999581e52a

SHA1
27f1fdf27a9cded4c0f66f9d6bc8918e98543c94

SHA256
45ccb4cbfb4d8b0c6f334077a2d999acfc16898dee8c449afad1b55a9aea3645

SHA512
3ef5f04d8aa8f9c295a5a730b68cefefb64aa7002e7f9ea073059f1c23509634fb2e71bc4d048517980156c28bdbbf1328bd4ddc0cec499331a98009eb1bd04e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe

Filesize
1.4MB

MD5
d2f0668bce78c43b279e3793aa36e152

SHA1
cc0971e5e451848ce05e31a125a3bf13d1992ed2

SHA256
67926b7015754b438cb7b5a415824969f75aba203d385503ec3564e6830e5651

SHA512
ebd08187008ebea5c695edcf26046019fd68c709129ed7b16e1189ece7f0ceb539aa9975b4b36689b1f013917c81cf62a738d49d24cd51a185f5d5bc5dbccc0b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
645KB

MD5
0ce33654632f0a32e9b3613c9fa5f513

SHA1
988b8d24292363515e2a2b6235848692d57b30cf

SHA256
aa17d89546083b16682e15eb867adb2d6c4f718b5c0852ba854ece007006568b

SHA512
9410ae23bd31a4398013eb99b5707ac0805dca33c78d90e2b1e2157d7e4d50c98737694919d6a1db3149100e6d1c6308b14f2d1a7ced30e0fbb349092ca95167

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
23808768bdf83db8d1abfcf60445165e

SHA1
85faa849ae67cd142a4961e8f06b02cdf50b5f48

SHA256
9ea8b4efb409439318e0de9a5f0ba104f3bb72d2357418d68844c37a72513bde

SHA512
48c9f431844b8d2d36a0be62121ea18de7cec0497e4d6c76a85380830d0cb1b3889f4aba003d3a5a3630ecb2f99011b81d20fdc360d31ec8ab331a3698895af5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
676KB

MD5
5b0efe8237c109e8ae0470eb4e0505ac

SHA1
ba559a0ca4c02d990138f0f460a8888dee594cb9

SHA256
08f8e56c872d19b7b5c8dc9d8152bc55594acc9df3a86bd0b1d949ce8c81309f

SHA512
8d08a5466cb952493297dc1a279749da0b35546b29533c182275a1d2dc6d34acc45b4945dc7b38ec9dd2777b81828db29b3d893bc7fc679763a6011df5b75948

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
726KB

MD5
8b6f8cd9e73761b90eb273ec6daa1e5b

SHA1
f1440c8e5f5828aaf9199794336c70df4f109baa

SHA256
cc2e610a23ad851d8fe357319c6c0f30ba2e628992611249b842028e0b1fefd7

SHA512
ec22b3a7b1e3fe41bc9c3623c0b993bbe7d3ce86eb643ace1febaa4c9f107893a032e0163befb65bd6e21d7ff4a736bd368024808122c5d3d9ae06c34f39389c

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
0cc80ed4305a089bc8c07354f7ca8c17

SHA1
5b39fc85f61c5ab8a08eb49f58e405ff0ecf732f

SHA256
cea5eb1d510b64f1cf9b8351b5d1840fa632d68937aa257fe31365e9ff11e8d7

SHA512
8ca2d1ba04b3bf71a0e37865be17408b11591d963a7afbb284b15c7910eef3d137685c8f346c5d3b5ea16c4cff6dbd2e2b4fe8bb3918b5df15035ea287ead965

Download Submit
\??\c:\windows\SysWOW64\dllhost.exe

Filesize
594KB

MD5
de2561a592f20cc9e59579e863c30615

SHA1
490a2da008e20e45fbea4ce1f9d1e85a8bf7a317

SHA256
92593d857e35ee8f418c2dd3b6cfd7acd60a200b452489286fad2c8433da3fab

SHA512
ab79ab5e5f4b80350ff770a95f0d7989b799a6c930892e235ff0e698b2b6aaa4aed836b6009ae0b03d4535d9377ecd764a073fed5037ac14ae2472e86dd073c4

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
607KB

MD5
0be163ccce4b19ee6ce9769d02ef368c

SHA1
04291f04bdf2e10487d8ecefb0b7f5c399400653

SHA256
cea97fd6e99126366c0634d3f1050e0ed2e782afcf2fd6c3f60c65010dfb41d3

SHA512
083009e42ef9965b961011604d9a3fbd6f6d90c928b5bdd213687bea0cbe329f7e222b08737cda9c639b90799f3d708335c107b69e3f4f4190e8897f7e0a8e14

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
653ef980cbbe0edf9dfe5e5575d131c5

SHA1
d24ff4e2978e06dd7a5eaac68fae3e6a25ff8b36

SHA256
de4f74be60b0c9db4dced990d4c0f73005f1b48efdd49a304bd4987458a72c54

SHA512
54372735616ddb2eebb14878f6032ecf556ac3146661631b8f84f4f6880be80d438d03f69ec93a5f1908955aecb8f914a34ba2f9b98da45809cfd5ef1f0f3907

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
711KB

MD5
fe53d71ab915598cd6c0a144596fecb8

SHA1
272dc6e2e6cca3650761804bdce8fef13f371244

SHA256
fc668b6ad913e8910f5d229a71bd2e6e12c3c54e4f6fd8756874bd2816dfd584

SHA512
fd0d58065607b614cf53c21f34203aad324ea9c7cad116e11c9eb07ad13a7608b84d3221255aef5afe6e628194bc2f1dae3052f558e3f2f503b54dcd7111e043

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
623KB

MD5
aec70ff98ef5d5b7a717cfdcbeb0d07a

SHA1
afc2078efbb77aed55456a5be6ac54b43bb82f37

SHA256
9538182ed55764c321ed92267ed82de347264d55d9a58ec0b9ee2e4bf7c91ce6

SHA512
d6607b53a5143be0354fa2bfec00c3c02a6e9277b4f63c143f56ecfa1996982d9d08dfbd261f4a3007d6066c807fc53c79c8dec5e7d5c707271ac50016a57622

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
664KB

MD5
edbbc77951f4181619d8de01f84a6acc

SHA1
a98b1c6c55f965aa5867b43a2f05ccbcb704dff2

SHA256
fe2fc2d3771a24ae2b372885418821f5f82ff0f49d03bfca44f723604efd0320

SHA512
81cc337cb6b0d6cad299ae691def71babbe8bcce304e3276f1a7ba56cdea4685fe65177376f41c566e39690c72fa573626d36f2564f88334041548eb71129902

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
e6b3c1591120304150d6174f0731cf8b

SHA1
455dc857146e6c4e462542127b75dea45c1e5597

SHA256
dedc1e17334e58d0608d98edc6a836273d43a6375b3e3def6dd1cb581e544ba1

SHA512
5d6e1693c4f98c80e67b1cc28f5db3be66fa168c8a55a430b6d287d171f83dfbd442d0cc66b1225100da14e1c8affdcbda0f1e11dc5c9da9356a78aaf9b54ce8

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.2MB

MD5
2fa2729532caf9eb9ad9c385e755435a

SHA1
010da8fe32fd4095a47221e5e12b164ec7989ed3

SHA256
882a966e00851ebf4d861bd016e5dfb55a93bf8b15bb9a2c4717e7281f5a3569

SHA512
66c3451855e49b17cd639c10b193d512f79b5f2bde8e15c8173bfbc36bfdae1f35c46b1d0a51a7122b683ca02b3f181e8cdc5de72281ec09c80425b19c619006

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
668KB

MD5
ce4b6f9bb78d3ce8856798f0bdf62a53

SHA1
6a7a4277e66bbce77b47a061791445007f9d7db8

SHA256
af333779da1a3c7e78ad3015ff6077713526dd3299e72458cd6a90989a79a49f

SHA512
828d333dfd2919ae31abc8c112ddcc00d2e4d1f9312a36c15b5afe2ee3e7fe6368ba4082f7d27192d8c5c83f996d63c1efd1ccecddfb73988306d6bf357598fa

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
698KB

MD5
dc3c4a66ff6c40ffe339d22e4948408f

SHA1
40fc0063330f9e227693c5dd265d6d6422e23e1b

SHA256
e644919b9370e2760218b0f3339be3fbfffb57468bdc7b975bb450fe035f12c1

SHA512
13dd5ccdc87d9f362995c154f8b90824de6e8a5d60bd5a8b88d065c46fb4daec481e59169545aa2c556ed0afed4a1eadff60993e57ca0dbff66b7f53cf294375

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
694KB

MD5
b3d0cd051c9e850d080839599ca603b2

SHA1
2fcdd507c4834109c94ff29d09ef2d5489a07f3d

SHA256
b85028e681d26b376f0478fda89941375e1450b56e3d9189f29a9b5d6f438761

SHA512
f515ff7e6002713dc4398ba9830859b3572dc32f4421b53a1e1b21d5ac446f9210e81f92eab896069bf23278794c014533ec1fe02abab887d8fb0e2f8d2ca18f

Download Submit
memory/376-278-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/376-275-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/704-92-0x0000000140000000-0x000000014042E000-memory.dmp

Filesize
4.2MB

Download
memory/796-223-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/796-220-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/884-209-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/884-201-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/892-213-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/892-210-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/920-51-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/920-93-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/920-52-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/936-171-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/936-158-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1132-164-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1132-106-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1132-151-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1328-259-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1328-256-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1376-170-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1376-206-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1620-230-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1620-233-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1708-231-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1740-236-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1852-253-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1856-250-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1856-247-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1952-252-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1952-255-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1980-271-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/1980-258-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2116-243-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2116-240-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2140-105-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/2140-63-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/2192-235-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2192-239-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2192-237-0x00000000031F0000-0x00000000032AA000-memory.dmp

Filesize
744KB

Download
memory/2340-248-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2380-245-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2380-242-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2388-163-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/2388-288-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/2388-120-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/2528-225-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2528-228-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2596-218-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2596-215-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2600-103-0x00000000025B0000-0x000000000263F000-memory.dmp

Filesize
572KB

Download
memory/2716-212-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2716-216-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2820-38-0x0000000010000000-0x000000001029E000-memory.dmp

Filesize
2.6MB

Download
memory/2820-37-0x0000000010000000-0x000000001029E000-memory.dmp

Filesize
2.6MB

Download
memory/2820-45-0x0000000010000000-0x000000001029E000-memory.dmp

Filesize
2.6MB

Download
memory/2828-221-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download
memory/2840-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2840-29-0x0000000010000000-0x000000001026A000-memory.dmp

Filesize
2.4MB

Download
memory/2840-21-0x0000000010000000-0x000000001026A000-memory.dmp

Filesize
2.4MB

Download
memory/2948-0-0x0000000001000000-0x00000000011DA000-memory.dmp

Filesize
1.9MB

Download
memory/2948-2-0x0000000001000000-0x00000000011DA000-memory.dmp

Filesize
1.9MB

Download
memory/2948-1-0x000000000100A000-0x000000000100B000-memory.dmp

Filesize
4KB

Download
memory/3000-277-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/3000-279-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/3064-226-0x0000000000400000-0x0000000000673000-memory.dmp

Filesize
2.4MB

Download