expiro | 01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
Size

5.1MB
MD5

696f5496cbc6c66b66c764d18371556d
SHA1

00450fce8165b3b8b68c448ddf5f2a5ffdc3a5d6
SHA256

01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2
SHA512

829552ae22c5426b4c565518bbeecd1bc46748c02123d212d7b08e89f92c00bd097508d8c0e6573e05a1c76e00e136b5d3ada2c4a72bdcdec8274d5b50afb71b
SSDEEP

98304:36ot44wGJGswP5FDe81lr9kY/mnlsdor1XwU/Ohz2WvJgd7x47tj:36otLwGwP55pr9kCmlwe1Xf/Ohz2+Kch

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 9 IoCs

backdoor

resource	yara_rule
behavioral1/memory/3548-0-0x0000000000925000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/3548-1-0x0000000000400000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/4324-2-0x0000000000400000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/4324-3-0x0000000000400000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/3548-6-0x0000000000400000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/3548-5-0x0000000000925000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/4324-9-0x0000000000400000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/4324-11-0x0000000000400000-0x00000000009BA000-memory.dmp	family_expiro1
behavioral1/memory/4324-12-0x0000000000400000-0x00000000009BA000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 6 IoCs

pid	Process
2916	alg.exe
3028	DiagnosticsHub.StandardCollector.Service.exe
2096	fxssvc.exe
548	elevation_service.exe
3540	elevation_service.exe
3240	TrustedInstaller.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\G:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\R:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\T:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\X:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\U:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\H:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\K:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\Q:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\I:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\J:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\S:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\N:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\W:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\E:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\M:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\V:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\L:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\O:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\P:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\Z:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened (read-only)	\??\Y:	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\locator.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\iddhhfal.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\fokemani.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\SysWOW64\kopdjehe.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\vds.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\diagsvcs\dbclhbpi.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\fpilncno.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\ojlcgofe.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\apbijjcb.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File created	\??\c:\windows\SysWOW64\nphlpjoe.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File created	\??\c:\windows\system32\nlmcehlk.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\embakcgn.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\openssh\ehcaadca.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\agnehnan.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\peblejoe.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\hmejdmbe.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File created	\??\c:\windows\SysWOW64\idangkqn.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\hniiphmg.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\SysWOW64\onkogmog.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\oamblhjk.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\palikagd.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Internet Explorer\hfoijjjp.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\7-Zip\lncjookl.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Internet Explorer\dendjgfp.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ekchdkjb.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\program files\windows media player\hnfciccl.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\bmfjjjgn.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Internet Explorer\kjkookie.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lbhckibj.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\fkkgcmon.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\dotnet\ddnfppgh.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\ppfjkbjg.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\iilmmhmc.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ifpcoece.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File created	\??\c:\windows\servicing\afiegief.tmp	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File created	\??\c:\windows\servicing\oalcgqda.tmp	alg.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3548	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
3548	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
3548	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
3548	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe
2916	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4324	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
Token: SeAuditPrivilege	2096	fxssvc.exe
Token: SeTakeOwnershipPrivilege	2916	alg.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 4324	3548	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe	82
PID 3548 wrote to memory of 4324	3548	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe	82
PID 3548 wrote to memory of 4324	3548	01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe	82

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
"C:\Users\Admin\AppData\Local\Temp\01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Users\Admin\AppData\Local\Temp\01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe
  C:\Users\Admin\AppData\Local\Temp\01f666e43e9c3fe6523c6a84ca5e723e611dccb5c6f20a9fdd7130d0fc5f46c2.exe --crash-handler --database=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\129.0.6651.0\Crashpad --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=129.0.6651.0 --attachment=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x8206cc,0x8206d8,0x8206e4
  2⤵
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4324

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2916

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1864

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
5c103ba8e7dc5a188b4257be7a97c8cb

SHA1
9ac23335d49bcf2f41ed2974f5139c4e80be720d

SHA256
3d28ab451234be1d3f6032cbf0a464791ae7671998c7c40b65b6201b88c0f132

SHA512
8fd0b8f6dc30163733ed7bd95d597a3acdeb9d0ab2597355c681442155701775d60474a0a4b7e5dac99eb5aa3c81d8322a2cc68b9787d76a9949581a6971b3e9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
1329e553c2d72e7f1f2acf8df9bf0446

SHA1
6e94db5373abb334fddfbdd1d8c5f13598a913c3

SHA256
ff3e6086c3f5df4dbe0834d19550331aaa42d662875aa8b01a9cc6a200fa28ba

SHA512
f2f2ee691e56f59a20e7ad638e237c7f5c2ef00e69eebb946377a39f6078c3ec65315e9d2436f4fd54b7cce039852b9d3e2a9f6f91b22c337126085aa30ff818

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
f406843cd0cb7ce5b9dfa76429772673

SHA1
d1c10af7a5d2fdf3301d351e470c84ba2d22d30c

SHA256
e7c22acf3735a5be451d1ed9620888b63b69a359097668943f1cfc8254c10cbc

SHA512
debbf01b93b3e8021435c89c28a027ab4d9dac274141612082f40eace1efdf2d71f8d5c71647e101da6a6632f235d8117b50e443fc421c653739fa5b36cc7a70

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
e62842f5c7d7339c72e2a0bcef2c6887

SHA1
c91ef4d83cee93b7b21acb9ae41509bc08bbd46a

SHA256
65974cb52bd15069901fa339ee7984b03e8949a0b82f920f4bea414156b0da6d

SHA512
3c3c64e8421ace242ec27ba755492557fe5010cdcd184cd262a3ee57cdb297c998599ff3835a1fc957f12cef2b0f10b08f66989967a15d0b7bf2af4715580895

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
722ac9934e191e2a5cdb97d86d7fcdac

SHA1
5617fe0b0d50cc8cbdb8683fd66e2e39cfe5f670

SHA256
0ad1c44d447fe48b9497270b810ba256334977cacc6f992531bdaa1b0db38478

SHA512
c643ceefec3a7a7b8609d4fa6f9c5a980a68916c3833b0bab1f21b03a0d24bd90f740d5f1ced3f9e79aed2bb9d94a3329d7c77f4cb92c21def8380c28faebecd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
c76e2f0f15fe3557088f74447752759c

SHA1
72465bd587900ad7fd0551302a1276086e88e00a

SHA256
fbb9c3a95ed3d99a84a305a49d9db89a40bc6bf9ca4bee4eace057b779ee78b7

SHA512
820f322bd40491e88e5dceb9bb5cbe9fc0599121627d43e50a8c9e8dd1bc57220de9a22f03a640451beb1aca4a4fa286d3f40abc03dbfaba17abc7b49c4758e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
470353231752f163785d7a01ca26a77c

SHA1
18e41b25974fd8766ce3f610887303e2ddec1d5e

SHA256
5b7c6beeb999b2a16029b2d593b0a320fdcd725b0ba0513439ebb45b82266031

SHA512
589524c62a118e7ba1a83a50b66472d386197122a268a587bf7d726a2efad5ba608c434172cca281cb94ea572b6c1bbf51170391a01397ef53303be7a8e4979e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
742KB

MD5
2399111503e7bbfaed9f45af9a30b610

SHA1
280be7ea41bb7c94799795a7d86346279d885caa

SHA256
85b6d289af220f72ca58e7a74d5eab692d76b11e14bb4305d755d774941b318a

SHA512
b97e1abf88281c410d73bf519d14c876ed317f90e5bbe29aeac7b23263c698f5b925cc7d6a0c407945be10d6d806f610170ea9476c92c5cda720c3b426b21aed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
dffeeb7118e8c2b41bd650be2b1ae853

SHA1
aea0cd1688260c30da35e02e4dba88660cc43faa

SHA256
c59dfdcf5bb655ac721583bbeafe59dfbbbaaa2965481466c0d3db8cc0be3985

SHA512
1b3ce66d26fea3e010e54ac5adf939e54429c59b269a95184b44461e71c1d7713a092f07924ba73f7bc9914ae3ba16f5355a8014be29aee3ece27445274dedcb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
ddf85cde08f62565a381b2ba97a8b79f

SHA1
c964e0c4e254f615fe61a4317db11ac1c6f36e8d

SHA256
88d4bcd1bd280e624a1d1feb05b0243299e281e1e68cd6484f39dee185ce8300

SHA512
9736b732658f429f5c2a159257dcb2ebb1eaa3495a0b6e8d5fad43b174d3ce996d09cf60ea5d8862900691fccef1edd1d36658cb5fe8ec38a64ccb7aca7452fe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
5d869a26eff0e5a525c504d300433b6e

SHA1
1e7c95dc6de448e56f3ecb20cc4f0ae2177c0ec6

SHA256
82bc60bd7c76ff334e722a43858d10336c59d850896e43628e0c26e9f0c6beaa

SHA512
de4658e5ffe0ce8c741ee1e78783b7870a551d482e191628f5bfb4c245043268f9d77c7c0543bc116398240bbaa3a745c60340c585916b9705a22c312ff0cf73

Download Submit
C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log

Filesize
1KB

MD5
443437fe7ccfcbf52905baa4b5eb6a6d

SHA1
d9ca8d72d77265475b684277286cc237c42a2e4a

SHA256
82c5ebad62a3fb569992f4cb380ea1a5ecef65ea18c5a011195af8d758f34515

SHA512
9e298a38b99a8bf546fbc7fa779cf3cc1513e562408439313eab117c4185d5bfe94369d2ecb9f66f7eb08f8c1e84b99809fac0335f10a6af1d479d7a9055f728

Download Submit
C:\Users\Admin\AppData\Local\mfmqldlc\akdblbgm.tmp

Filesize
629KB

MD5
361b4213ed61d2f4087e774ea5598c28

SHA1
cd0faa354a5f33e518c494a196f16a7ef1be88b9

SHA256
c4fae09c4a1c3426524697ccfa0a22e6307b68dc9f8755133fe3135f0dd2903e

SHA512
af68ff8e367b03ad9d1b4db47b1890ec2635e6e353aaa5fa9c8e4204bedbf44e850feea7dc6abf72e018adf4c67401855cfdf57e6da270fb8a3e581f780d5019

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
822KB

MD5
978cb497736f885e2a1497a14644da65

SHA1
ff4e69593178ab735d186133432929928bf67d70

SHA256
cc51300b6115a342dbdd7aeee79711d887b022750d31442954f1899f42fa9bd1

SHA512
89d74cdbf4035e25b097359389a2be871855b724a2d073f6d0dddcc2a1764d78a38794704d192ae344fbff8e5736e942f86f695b53c2e66218ca9b0e428c409d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
491KB

MD5
b1bd8f73034939b2ddd8af5057aba0a2

SHA1
802be49b890265e16c8566a47a6e6e402c27b615

SHA256
e5a1663afaa08405844cf245af34c2dc3331aaa37d368e2e315e89970b715d69

SHA512
b588609805fdac07879d12f55b01eefac653f89e38c6782cc9ca07ddf09876a2f2bbad65ebdf63df7f801964c696ae3c2c86400db913b1a3b29d398a5431c7c2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
55222426c5e0389bf403f93c750bf3fc

SHA1
947af138846b3776b23dc254937136cb070829e5

SHA256
633cfe8cac6aa35ae4c04c04c9a9e0b09c95959cabbaec23f0dedf2d1a8a0b64

SHA512
b928ccb0c169e4615e9477c505e598390163f258fa98c82436d9fbfc21dc2f901744916b18d8fea049ece3bb33b1ab754153872b326c6bf425804973ceefa4e4

Download Submit
C:\Windows\System32\alg.exe

Filesize
493KB

MD5
3a9a56976e28b584036b75e321501d1f

SHA1
1f466a045510ee2e1d08774fedb1ec60a76f59d6

SHA256
1f25eddcef84a21446e5ff5f1de63a9e375ea383acdc3fb2eba3ad50f1156c98

SHA512
f91d00c269e912d4b5f2984720bb11134dd86e9761e2adb9b58b519623b9f6e7d905870cbf645e0a724857c0573599da97146e1d2bf945394f26003a1ebf4f3c

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
621KB

MD5
88b493e45a4390419e290a1dd319b045

SHA1
81e63fcb6acea658bd3d5a7922fea7392eaa74df

SHA256
385dfb9d25d8ff5327b1281eb49d5fe3f64c9a451fb61fb84e300f7922fc02b5

SHA512
171bd5e252dfb6632683fdbfc9c14bddd7daa0677690617753884f8767ecb590a77fd0ed16a6d32fff2076b4423090f647b692fcf939e22156fd066154eb0e55

Download Submit
\??\c:\program files\common files\microsoft shared\source engine\ose.exe

Filesize
637KB

MD5
a6b9d4c5b0b5864399782fa736717a3c

SHA1
be0ec20e70829a0bcd64331adf9c51075fe56498

SHA256
a03ed8c314958710ae42e871a578b5e01910cea3af88e84515d704ca434575d3

SHA512
a4ba1630e1d51899dd8edc819066ba9f7d6fae8d25bbc6226d3aad9a810fc60bb8af86c7a09f3abfb0b795a121f1251d708adbf1a8de71f381b915db0b0d5121

Download Submit
\??\c:\windows\system32\Agentservice.exe

Filesize
1.6MB

MD5
42c9a3c2be745eca4d51042648347bd1

SHA1
8c556c8f00631716a7adb6fcfe78e4c6c2bd8efb

SHA256
647d29929d11416986d40989a61be9df54112e34a53db45c92071d25dc9c931b

SHA512
5f882945bbe0246bb5aca741e5726b5bdf6256ccc4c7e7ae048798f0062f2196f637812daf832bc8f3ba46811cc1e1143798387a4e342a3edaa04c2025870863

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
9dca7a6676ea0a6af0866b06be96f447

SHA1
3cb44980d80696052d493ee2b276e5eef82388a2

SHA256
f6f326091329a697d9bef49f6a468a53f922fc5252556928a122a49e363945dc

SHA512
f26f98bb44072b88b1bea34ad4c283e469744e74300ac7829d0db42cd456cd458b1f7261ee2c3cdc97ff3438bf24ef8f6eb7768c50522a8691e6dbbbacfa53bf

Download Submit
\??\c:\windows\system32\locator.exe

Filesize
410KB

MD5
1fe1084675d5858f71932c3f14cdbc4d

SHA1
f15fd4bcda1c13e5079f170bfa68f4e6fcf86012

SHA256
b5f9e4a34894875a6f44925dbed9920665e9a200c6fb475877c865bfc12d3971

SHA512
6ffe64dae42f686f1577b7363fd3e86c1d1fb979bb850b8023fda1b73875da4cbacb382bcd9349b2bb648de8c3fe4cae05db7158175ecb67cdfa7ced5dc8d5a0

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
544KB

MD5
1c5db4c7845364d8d4b93619a90e2b41

SHA1
fb283eb3d1df8532c277334d9e0a32bdaa7151e7

SHA256
aeaffb81359e776791fe8fcc608520ef84b9db5097dcc3ec4ff029df11dd02a6

SHA512
16aec2f0a3ae3a773948e6322bf667677f2fa6c486b65d5eb279d6f2c69cc0e5e06fd88258f549842cb702cbed29a7ca7f29660a71096e823e94103730e43e9e

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
467KB

MD5
fa719aaf9b008ac8376324e9f459e064

SHA1
8a581a3bc8be30f45d1ae941f082cfea8c2a5b2e

SHA256
19d90cd782cfdef12e2570818a3b846b1e267919ba4a62ab447e8dd91d1e1a78

SHA512
81de206897a1313772d5077e420ba2e509a7066cd1df1e4f10f4a833aa22d01702964ff99f4aff79d497f53e4d02d084ae4e8aa825769120e4f3e429a1f32b35

Download Submit
\??\c:\windows\system32\openssh\ssh-agent.exe

Filesize
772KB

MD5
91137e42d5840f30e3054165f4a7dc13

SHA1
7c3441c7a7e6feec409321182a17866d2975df2e

SHA256
1976f0ccd32f3711e8c592769341370affcd89801b0cbd005a84cb10dc9b234c

SHA512
5d0dc0896a24bce72c1dda280be25ed8e5bae409b48ee7159844b547e4e9d96ed82d6bec2a0517e1da2b963e0776635e227fda53a15b4e6bcce9cbe870ba1324

Download Submit
\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe

Filesize
503KB

MD5
3f0f674911feffa8e795c104f4525084

SHA1
187880da943135f987e482d3c7948e3b54435ee3

SHA256
a075e2c8c57dd4eefc73c85d950af293da541ca6410d44f8ad9521e232fa83d8

SHA512
44f7178677ed544b109e0c38e3b70c1af812f0f36c9b6a3a9ac9e0f738d88176d6ad8d2a36c574ec9e001312ef1e43f145fe60bc0d4d07e44012983365cfdec4

Download Submit
\??\c:\windows\system32\sensordataservice.exe

Filesize
1.6MB

MD5
14b036e8310acc5b6919f21e8aeac0d1

SHA1
d8ee86d6bce711ba9a1cd05c268acc26fdef9c0c

SHA256
8a8958f907a9d98ee654c2fc1181308d9fbe5d563d687233274c339669002cc1

SHA512
c5243ed217d9a22d3755c1302277aad236ad275bdd2e59ae9170acee12e78ac90876fbd79fe5919bb68a7674fa95fb6f665a5ac56d00c8bb7835bfb716236cac

Download Submit
\??\c:\windows\system32\sgrmbroker.exe

Filesize
709KB

MD5
73c3722e966b27969c3b506168d21bf9

SHA1
be5c2547626a87b8eb03a92f7290a276bc38d44d

SHA256
b70cd5c5487f8085bf6f70387ff0d8255ac22ad96febaa1f41ed8004c5804d93

SHA512
44e49228262ff69d56c6136c4410ad52fbd2dc111439c17b99ffc483bdd49be042abce5933016f99828d3fff7e6429a1ffec767b08878c16dfbb074bf3d8fae3

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
416KB

MD5
56574bae3a152f34e7b769a704a6a054

SHA1
6b4e2cbb35dd2d51c171462769d7151cbd97d3d7

SHA256
12dc0641f5aa69e183fd11881c7feac33c3015458b4260def819e687fc5c3a28

SHA512
8c4cede3bf3652a6a140df8419bf932a0070d93a6ea3eb09111523871947fea9bb338b7c5c173989e427bfc9eb8432c6a51883dad8aea238e4de0e6d1bde2d5f

Download Submit
\??\c:\windows\system32\spectrum.exe

Filesize
1.2MB

MD5
e2cdf3ddedaa87673b93996f584082f7

SHA1
2cd6b48a36b9f47d9a6ea036a4b61e5c49b0fc31

SHA256
6c5702aafb78f1456007b1893eba570bb62f791044b8ff2872131263d57d9c15

SHA512
d4be38c84a20db2c4f28f731030ae2f0ff982c2865daeeec77857e4e41f84930a76be91fcf6769b0dca41335beea8be22224ecaf840f667af5a21bc2fa6a7e4d

Download Submit
\??\c:\windows\system32\tieringengineservice.exe

Filesize
717KB

MD5
59b0d8797ea07691fd3b4e9f6e57bc37

SHA1
8348dcc41e629ab7deef35f9e6c0ca904a4630b3

SHA256
25e82012a166fa7db3094279a011a525a476402b89ce120ff384ce7e181400a3

SHA512
1a195582f58c264d6268e5c735b2e119f92ca02a7bf240ab1018ba764581d2d2df8e128be490a0825aa295694fa36bef416404f0ee67a099787ee380d0881819

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
63e80eace5c60c86d3be23748c6e5a8a

SHA1
d60f86234aa446b75ef3f9e45dc9d59ac76d5efb

SHA256
6b70f28e8f1afea26943803a5c00d71cce0ca39167e6cf59a07172190e60571c

SHA512
b18e6c850a1b2be02ca58c5e7de46851e45429d84dae327f226ec0ca8c7ab2a5ef9bcbed7c65339f881064014960836d50d922c845541a6465d9878592e7b286

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
1.8MB

MD5
330e65e30a2856164fbee05b355e5823

SHA1
317ee09e0520614a803a422a6935522246735755

SHA256
ca906370ba8f157f558cc3d0f355c62e1fd8907614a8cc335b332c460505b39b

SHA512
8114567401c3a02be12d0e04275f9a6e444568d6b3aa6bc4c310a56bd189d238f50786c9d36af3788cbfd18b5b69a901e62bb3cb2e3bb292041bf1975eb10df9

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
604KB

MD5
e4f03365c0e7d63514e71e17afcc0a3d

SHA1
7fd5974489d7fe235f9b2ec51f1b36dce86a47b4

SHA256
f09c348b19604a85c97b20450271463667077686e66abf905fe055aa93ca16dc

SHA512
71858f7db002dbfb43237b875c3638e260eef795023513df41aa9a95e1619f2b301de6ac1188e84d182a9c90ebb57f79db53f349f852e8d69220f9594cb41f12

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
1.9MB

MD5
ee2ca57b31d04d96c852fda5aee60d81

SHA1
2c255e9b38a4553c544e6208c7f72c503497b2f9

SHA256
eb01119d2d3134f795da359fcbbfb12474e1fe9b327a3fa85ac15b907a186e60

SHA512
dd34514f9fc83d437d634c801a73edd184437cf505fc1dd899a6ffefa1782f906f80c04cd9f9e33d002f8f04c323c95844ff209cc0c20bc3d498b1a36618f52c

Download Submit
\??\c:\windows\syswow64\perfhost.exe

Filesize
420KB

MD5
df392da1a0702b2eef20592abf408244

SHA1
e24f610f816a2af342679b3a71369b95ca19e24f

SHA256
fdd49f282ab750099d5e320a7d0606b836d99ef94dca131db5a7c067e316bb3c

SHA512
d00aa56f333664959ce0d597bbfa45e8b8f823d0a7591bc0c885722ac81848ca33ed3b508a917a56506d7420f97ce866fca8ded9f25045ad089d7ce9ae6cc9a7

Download Submit
memory/2916-32-0x000000014000D000-0x000000014001B000-memory.dmp

Filesize
56KB

Download
memory/2916-68-0x000000014000D000-0x000000014001B000-memory.dmp

Filesize
56KB

Download
memory/2916-69-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3028-135-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3028-49-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3548-6-0x0000000000400000-0x00000000009BA000-memory.dmp

Filesize
5.7MB

Download
memory/3548-5-0x0000000000925000-0x00000000009BA000-memory.dmp

Filesize
596KB

Download
memory/3548-0-0x0000000000925000-0x00000000009BA000-memory.dmp

Filesize
596KB

Download
memory/3548-1-0x0000000000400000-0x00000000009BA000-memory.dmp

Filesize
5.7MB

Download
memory/4324-12-0x0000000000400000-0x00000000009BA000-memory.dmp

Filesize
5.7MB

Download
memory/4324-11-0x0000000000400000-0x00000000009BA000-memory.dmp

Filesize
5.7MB

Download
memory/4324-9-0x0000000000400000-0x00000000009BA000-memory.dmp

Filesize
5.7MB

Download
memory/4324-3-0x0000000000400000-0x00000000009BA000-memory.dmp

Filesize
5.7MB

Download
memory/4324-2-0x0000000000400000-0x00000000009BA000-memory.dmp

Filesize
5.7MB

Download