expiro | 01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
Size

5.1MB
MD5

696f5496cbc6c66b66c764d18371556d
SHA1

00450fce8165b3b8b68c448ddf5f2a5ffdc3a5d6
SHA256

01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2
SHA512

829552ae22c5426b4c565518bbeecd1bc46748c02123d212d7b08e89f92c00bd097508d8c0e6573e05a1c76e00e136b5d3ada2c4a72bdcdec8274d5b50afb71b
SSDEEP

98304:36ot44wGJGswP5FDe81lr9kY/mnlsdor1XwU/Ohz2WvJgd7x47tj:36otLwGwP55pr9kCmlwe1Xf/Ohz2+Kch

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 9 IoCs

backdoor

resource	yara_rule
behavioral1/memory/1856-0-0x0000000000925000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/1856-1-0x0000000000400000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/2808-2-0x0000000000400000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/2808-4-0x0000000000400000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/1856-6-0x0000000000400000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/1856-5-0x0000000000925000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/2808-9-0x0000000000400000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/2808-11-0x0000000000400000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/2808-12-0x0000000000400000-0x00000000009BA000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 6 IoCs

pid	Process
1424	alg.exe
1432	DiagnosticsHub.StandardCollector.Service.exe
4968	fxssvc.exe
3740	elevation_service.exe
1316	elevation_service.exe
2732	TrustedInstaller.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4050598569-1597076380-177084960-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4050598569-1597076380-177084960-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\P:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\W:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\M:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\K:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\U:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\Z:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\E:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\O:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\X:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\R:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\S:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\V:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\J:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\L:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\Y:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\H:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\N:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\Q:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\G:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\T:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\E:	alg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\SysWOW64\kfhheojo.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\cgqbjhbe.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\dpnjeeda.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\niccekpf.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\nakdglcd.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\gbjokake.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\ljhhebab.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\openssh\caabaalc.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\wbem\mnqjnibd.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File created	\??\c:\windows\system32\perceptionsimulation\pneddcip.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\vds.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\leaonabo.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\SysWOW64\fpacbgng.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\locator.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\fkofcfbi.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File created	\??\c:\windows\system32\glndklgh.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\alg.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\SysWOW64\kggmkonf.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\ecaookej.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\SysWOW64\gmgigoml.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\ikfjiifn.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\kjfgocdi.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\lncjookl.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\7-Zip\gkooamha.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\infnaaal.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\dpabdemk.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\oeihpnbc.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\dotnet\ddnfppgh.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\program files\windows media player\imloidqh.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\iadcpego.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\epiaqlip.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\7-Zip\nccafaqk.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\servicing\hceeghei.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1856	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
1856	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
1856	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
1856	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe
1424	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2808	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
Token: SeAuditPrivilege	4968	fxssvc.exe
Token: SeTakeOwnershipPrivilege	1424	alg.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2808	1856	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe	82
PID 1856 wrote to memory of 2808	1856	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe	82
PID 1856 wrote to memory of 2808	1856	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe	82

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
"C:\Users\Admin\AppData\Local\Temp\01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
  C:\Users\Admin\AppData\Local\Temp\01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe --crash-handler --database=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\129.0.6651.0\Crashpad --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=129.0.6651.0 --attachment=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log --initial-client-data=0x284,0x288,0x28c,0x1ec,0x290,0x8206cc,0x8206d8,0x8206e4
  2⤵
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1424

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:392

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
8496e266ab2ec1c2e448abf77a90eafb

SHA1
75b737d7469eb888a5a69f1f92af4075693e7da4

SHA256
4a7320d704ea54ea367447b12185d1383bd6bcd93c85fbb44211bab5de8ff5dd

SHA512
78847b90c7fa2736c6875040d6695cb7a2189ab840f7db6d27cb9e51ee854479f3f7bed27d59a45a0b24aa3f490134f2ee89dc1ed8240527a1198fe5f8d46279

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
1329e553c2d72e7f1f2acf8df9bf0446

SHA1
6e94db5373abb334fddfbdd1d8c5f13598a913c3

SHA256
ff3e6086c3f5df4dbe0834d19550331aaa42d662875aa8b01a9cc6a200fa28ba

SHA512
f2f2ee691e56f59a20e7ad638e237c7f5c2ef00e69eebb946377a39f6078c3ec65315e9d2436f4fd54b7cce039852b9d3e2a9f6f91b22c337126085aa30ff818

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
f406843cd0cb7ce5b9dfa76429772673

SHA1
d1c10af7a5d2fdf3301d351e470c84ba2d22d30c

SHA256
e7c22acf3735a5be451d1ed9620888b63b69a359097668943f1cfc8254c10cbc

SHA512
debbf01b93b3e8021435c89c28a027ab4d9dac274141612082f40eace1efdf2d71f8d5c71647e101da6a6632f235d8117b50e443fc421c653739fa5b36cc7a70

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
e62842f5c7d7339c72e2a0bcef2c6887

SHA1
c91ef4d83cee93b7b21acb9ae41509bc08bbd46a

SHA256
65974cb52bd15069901fa339ee7984b03e8949a0b82f920f4bea414156b0da6d

SHA512
3c3c64e8421ace242ec27ba755492557fe5010cdcd184cd262a3ee57cdb297c998599ff3835a1fc957f12cef2b0f10b08f66989967a15d0b7bf2af4715580895

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
722ac9934e191e2a5cdb97d86d7fcdac

SHA1
5617fe0b0d50cc8cbdb8683fd66e2e39cfe5f670

SHA256
0ad1c44d447fe48b9497270b810ba256334977cacc6f992531bdaa1b0db38478

SHA512
c643ceefec3a7a7b8609d4fa6f9c5a980a68916c3833b0bab1f21b03a0d24bd90f740d5f1ced3f9e79aed2bb9d94a3329d7c77f4cb92c21def8380c28faebecd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
c76e2f0f15fe3557088f74447752759c

SHA1
72465bd587900ad7fd0551302a1276086e88e00a

SHA256
fbb9c3a95ed3d99a84a305a49d9db89a40bc6bf9ca4bee4eace057b779ee78b7

SHA512
820f322bd40491e88e5dceb9bb5cbe9fc0599121627d43e50a8c9e8dd1bc57220de9a22f03a640451beb1aca4a4fa286d3f40abc03dbfaba17abc7b49c4758e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
470353231752f163785d7a01ca26a77c

SHA1
18e41b25974fd8766ce3f610887303e2ddec1d5e

SHA256
5b7c6beeb999b2a16029b2d593b0a320fdcd725b0ba0513439ebb45b82266031

SHA512
589524c62a118e7ba1a83a50b66472d386197122a268a587bf7d726a2efad5ba608c434172cca281cb94ea572b6c1bbf51170391a01397ef53303be7a8e4979e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
742KB

MD5
2399111503e7bbfaed9f45af9a30b610

SHA1
280be7ea41bb7c94799795a7d86346279d885caa

SHA256
85b6d289af220f72ca58e7a74d5eab692d76b11e14bb4305d755d774941b318a

SHA512
b97e1abf88281c410d73bf519d14c876ed317f90e5bbe29aeac7b23263c698f5b925cc7d6a0c407945be10d6d806f610170ea9476c92c5cda720c3b426b21aed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
dffeeb7118e8c2b41bd650be2b1ae853

SHA1
aea0cd1688260c30da35e02e4dba88660cc43faa

SHA256
c59dfdcf5bb655ac721583bbeafe59dfbbbaaa2965481466c0d3db8cc0be3985

SHA512
1b3ce66d26fea3e010e54ac5adf939e54429c59b269a95184b44461e71c1d7713a092f07924ba73f7bc9914ae3ba16f5355a8014be29aee3ece27445274dedcb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
ddf85cde08f62565a381b2ba97a8b79f

SHA1
c964e0c4e254f615fe61a4317db11ac1c6f36e8d

SHA256
88d4bcd1bd280e624a1d1feb05b0243299e281e1e68cd6484f39dee185ce8300

SHA512
9736b732658f429f5c2a159257dcb2ebb1eaa3495a0b6e8d5fad43b174d3ce996d09cf60ea5d8862900691fccef1edd1d36658cb5fe8ec38a64ccb7aca7452fe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
8cbb3b5831c875c34bba55a9a5b2a151

SHA1
2387c036fb57089d7526bef96bc63b9f63d4d266

SHA256
1622fbf2959087f6c29888b1cfd9dccd025e92d9e60788b8c664455f69761f47

SHA512
67369127c8d9c1e50c95948f3dcd8d3ac7270bbdd230904a2c65a25a984196baac1dd8547331f06f5b8a3d995840fd84d52f89fd13714ebd854c8b37f9329e48

Download Submit
C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log

Filesize
1KB

MD5
1ec3b3f688960e1e9eab358a948cbc83

SHA1
56eba86ea60e77d18ea556ef6834338e882a3c15

SHA256
f133e80aa229ee70490c8663e7ec64593164e69fadf907f37b0b8a7426f70923

SHA512
1e3144449463861791adb5e6b791eada17fd72bce5a6d1afb5a3547eb2c28a754075c82de9298c59a355e6e712898adb872174519e97e0b6c7f4507ea0f97ab8

Download Submit
C:\Users\Admin\AppData\Local\eadqbrij\aabniqnm.tmp

Filesize
629KB

MD5
9e8a112731271b6a0910c9b82b1b530a

SHA1
e8bb02d9c98aab32cb75560efa5b11d70b2ae808

SHA256
ea6e9f4eae2a39df365d5c002eb0880b448d4361904396aaf3d79724d9d9aa0f

SHA512
44f6f37d49a273b7e276cd428a1af40c07706f90cbecff0bb4162ecbb4b189d5a3f5e06663be2dfccc10da8194e84ac3da3b90435968896ada5d5484454d4808

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
822KB

MD5
672c928ed5b5d20060e396ab6e2a0c5a

SHA1
e5e74b9e7b0f5f38504c09dd7f5a699c2293c754

SHA256
f4bd1df14192450ec0bbb6738836a868d2ae2f2d77ad160aa36fed44fe9cfa1a

SHA512
ab4b2638fb2a5f1b0145cfb9e6275bf6772ecf2bf16b6d5500f3b2313fc29f5a69de623b713c192f27342c9cf0d9967cb36ca8bf841c6df4251070cc29296bd3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
491KB

MD5
77aa05a57cfe09e211fcc090eb23ba87

SHA1
2a0b4f673ee314bbd824f89cdd378c1f612378bc

SHA256
83bc0de8aba8bd96593a278d091af92d4e217ad7bb074a740adadb06d0dab499

SHA512
715ebc7ccf0821b604e37542224a040e7f85ba7a29e523495c9fcfdd94cdba58e86e066ffef8bd1f7b4efcb967d9d7625008a5f8a6d17e598be0f2346ce0b4e3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
1568fdc068e73945794075c5fab59eeb

SHA1
b43e61308f3014d8090082e15d8293cce9d33461

SHA256
dd6b03dd3fdc36f7cccb667f4690407f6055b18866de1d1f09630384892e3146

SHA512
9cf8ad85969e1976b424c7dee2bb1cbaf921a126345e49f1db866913da7ee02d83c5e156a907f8ee18a11794d5d3cf9ee32feb8ec28112ccfd9b8edf7051f9a5

Download Submit
C:\Windows\System32\alg.exe

Filesize
493KB

MD5
202ece4e6c0267a95c7fdab788270acb

SHA1
50d337fd18496b9314e24e3ff80aed5a7a738adb

SHA256
adad3c1422b23dfa873aa8c245a08f6ea027dd85b60715610e99be704407c1c3

SHA512
65642efb5f768861941b7b6d83b72937f410906f6ae97be2d55abd1267ad9e1fed5a2918179e7aa4db8f64dfb4fa9ecc70f7532ac8b633613e7e89a0ea2ce40b

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
621KB

MD5
ebbb004e8a9b9efaf5ecd6d31ca0bcdf

SHA1
2feb49dbb785a40c58a689471cd56bc5951b7e6b

SHA256
e92f9b7c5fc46273f42c2e9a3c9b4f4bd277e4edf1f707eaa5ef17763c73943d

SHA512
2da7a9eaefbfee54f1aa98577b6ef563e3b6a3d9db5f26c7cb6ce8b5c96cefb3d150ad308daf9397a885c03d5f36687a889bf73cfbd51057f0f7714fa5a49528

Download Submit
\??\c:\program files\common files\microsoft shared\source engine\ose.exe

Filesize
637KB

MD5
7f7b41560d12c966ab6879c634eb9bee

SHA1
589d9c8cfc5d82ee6e87513282100515227f47e8

SHA256
d27417f1b1473f6866605532a187733e71285c9bffa129baf7da599bccd948ce

SHA512
09abb8c59d4366d785107dcad9ad0c049887d2aad925735e257ec453d2549fd1a9b75409d797dbb16c55910be488802a1a16c133df89f3100d65422e2604863e

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
4d0c39e9a80b364177ff6764c974a139

SHA1
6f08b0e8332c92bd77a3aa7936d7994c11cc906c

SHA256
a940386a6ef08240c547a538f371884bd28dd654fd307bf101201081bdb5a35c

SHA512
6508d825b2f3f2eb975e5a4cb1d4d16f5d027be3f3b8024a7dfdd0d292975799971f69ec49b008697a59f6ac2f2457911415c135baa2195ec09387ce38a1e8a4

Download Submit
\??\c:\windows\system32\locator.exe

Filesize
410KB

MD5
d8abd84667ef7328e3c9f2be85bb5779

SHA1
d11523448105c5944947b866f34846f8ab42ec79

SHA256
3707cc20d3c5e3b74b1f7580a314ac4b994f38972f6a6337c475eba75f0d2fdd

SHA512
6710cac57128f676c728d067728332efa11ffa70bd9ed288ba746db22f4011064c7049227edb150bf2150355a2a405ad9d78a924363b3c7366c27d08f9b41434

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
544KB

MD5
2c709e0b4e9f9e5008672966da4a35c5

SHA1
a5e670ac07ac0839f962ef9f68b14092f888b3f4

SHA256
d2015ddf321a8e168f93b7b0cf76067ccb4af8465aa13d7fbfd2aa93047309cc

SHA512
be645fe5a6ed365f708dbbaf4532b316486b9aa6f11e538e6f26dfd7e97db57f68cbbd70dadaeb7fe2927bf69c836314a871bb9666c7d13998b2d45a3a8d30d1

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
467KB

MD5
30b7ba4819eee5fe138f342af8e9316a

SHA1
c8e31bd4f9c86a06605f112c106f5084dc7dd89e

SHA256
55450ef9ed43766fc0e0a753b505a95ca5b5c8a3aabde1625ceff3725b640da9

SHA512
1773c4a4150a8eeed56cfed770483b652b6ff73cb9f2244c2738fc18e115e6735b397741891606fe7b57d21f7b14eb7f4c4e92b661d26948d64f5fa813df1507

Download Submit
\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe

Filesize
503KB

MD5
b3ca1dd4f65f1b0d6953a6d0cb320807

SHA1
8cebc7d96626b14c12f812e3e30374547c2791e7

SHA256
afa5e1b1b2d3560c5d91e91d80ad7cfbcd911a7373ff8fdb94d2f3de9746b95d

SHA512
d0ea0f51cb3c73c8f9bdc0a68cac17524056d1dd1b4c1ec8d57b6e928fa2e0d219f52c6c1d2b89ed02f6323eecd2b8cb0b88ab698d2fbaa483be14fc0341d909

Download Submit
\??\c:\windows\system32\sensordataservice.exe

Filesize
1.6MB

MD5
58044f1ff87bb6f8b6a81310cdf2754d

SHA1
52e5018429e5c5dc591af5802ad7385676ce02d4

SHA256
f86cabdf97e8ba6b678814494f53720dbfcda56cbb8a891b4060cfa64c781b9e

SHA512
1295357b77a962a041919bbb9cc1fa58c83dafe5259dfa0f7b1644508cb12c7143f2722d087c810f6bdb6cbab2ce07642ce48718f83cd9237c387e2c0745295e

Download Submit
\??\c:\windows\system32\sgrmbroker.exe

Filesize
709KB

MD5
3080cef2fd2bbd887bfa9610bd027325

SHA1
d80110d2af269bcb21b57adedf24a3baa6747251

SHA256
9070ddc47df56732830e8413f665831957448a87e50ecc85eccc3af1f610eb8a

SHA512
76b5cc658d057139f724233440b1978180517a3b6b3913f0e1c23370c7569df8337c067af1fda7ad2bf3f67a26f4ffab5126f0a4791daffe5b5c660d79caa131

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
416KB

MD5
2b63dbf191579bc06d205e0c869de716

SHA1
aded75252f014f212f94ca826f978ccd8937532c

SHA256
299c4d8fc46e087eeca798693852dafa76d448057a65c6a5d625644b4c85f5c7

SHA512
f584ebdd13a3d8c066e13483733276469e7e755f8eca18747c9760ecde6982287a732f2abbeb0f57c7562ac54ea6ecfea0e834b91e58c79ee43315fb125d27c7

Download Submit
\??\c:\windows\system32\spectrum.exe

Filesize
1.2MB

MD5
edc31daadab441ce6e2fb53246855f62

SHA1
9fb2acb0ab6f3433ca6ef568895c1d1800a1c8ce

SHA256
e40e37d2b77c715a35faeda29ce2d554b21cf449e37b14eec8c2b09cfe2c749c

SHA512
922df7e0a1072eaa3dabb6219d647b8d1407524783c65e92a8b20c00cec21e318c4737075f0ff7772492b137b62f0171d3b9c3385ed6a7a5b3b7d4b762e2a069

Download Submit
\??\c:\windows\syswow64\perfhost.exe

Filesize
420KB

MD5
a9726b4cdf7ce46cefcd51f8e04ac3ee

SHA1
d48b092c11ab936566a77f51a28daeaff397ae8f

SHA256
38c09952bc2f5c708a06d982ce76eec47226c60262c9c166af80c53ebe8ceea5

SHA512
b43571fa89b698d9c06c3faf1fd63da295c85b08291381a6228fe19ba5988e71c237b03e876360fd25ffeffec61b873b96da667e6011055dbd465ddb5771c5f0

Download Submit
memory/1424-32-0x000000014000D000-0x000000014001B000-memory.dmp

Filesize
56KB

Download
memory/1424-69-0x000000014000D000-0x000000014001B000-memory.dmp

Filesize
56KB

Download
memory/1424-68-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1432-82-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1432-49-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1856-6-0x0000000000400000-0x00000000009BA000-memory.dmp

Filesize
5.7MB

Download
memory/1856-5-0x0000000000925000-0x00000000009BA000-memory.dmp

Filesize
596KB

Download
memory/1856-0-0x0000000000925000-0x00000000009BA000-memory.dmp

Filesize
596KB

Download
memory/1856-1-0x0000000000400000-0x00000000009BA000-memory.dmp

Filesize
5.7MB

Download
memory/2808-12-0x0000000000400000-0x00000000009BA000-memory.dmp

Filesize
5.7MB

Download
memory/2808-11-0x0000000000400000-0x00000000009BA000-memory.dmp

Filesize
5.7MB

Download
memory/2808-9-0x0000000000400000-0x00000000009BA000-memory.dmp

Filesize
5.7MB

Download
memory/2808-4-0x0000000000400000-0x00000000009BA000-memory.dmp

Filesize
5.7MB

Download
memory/2808-2-0x0000000000400000-0x00000000009BA000-memory.dmp

Filesize
5.7MB

Download