expiro | b42e2e1b731cca1c71a42ac0f2db617f7697668d87a29b71895f7700c24d1743

Analysis

max time kernel
136s
max time network
125s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Size

828KB
MD5

00d0ecabb7335657bea410a4b836655a
SHA1

64fa1f27143e13c07a123840d7e43a4a3ed225eb
SHA256

3983beae2740353b08753a433beec30565e33b61fc4cd182df699070ef5723be
SHA512

ee14339bd9bfd09ad24da3dce32711b90e137f0ffc0e9e383b8cfd268b792721c150fd2d7040fcf4c6b2fe76771d997a51e4be644eb69a674dfbf36b0e871267
SSDEEP

24576:jObQYeKlnLiOzk3J8XszmzVTGRF3LKB2qO9pRpCBP:ybxtIFAn40k95C

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 32 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2708-36-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/2824-52-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/2756-51-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/2484-45-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/2708-60-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/2884-66-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/1600-65-0x0000000001E30000-0x0000000001FF3000-memory.dmp	family_expiro1
behavioral1/memory/2536-77-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/2484-76-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/2756-78-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/776-98-0x0000000010000000-0x00000000101BF000-memory.dmp	family_expiro1
behavioral1/memory/2884-109-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/776-130-0x0000000010000000-0x00000000101BF000-memory.dmp	family_expiro1
behavioral1/memory/2536-185-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/2256-186-0x0000000000400000-0x00000000005C8000-memory.dmp	family_expiro1
behavioral1/memory/1096-197-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/912-210-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/2020-279-0x0000000001D30000-0x0000000001EF3000-memory.dmp	family_expiro1
behavioral1/memory/2832-280-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/912-289-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/2180-301-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/2832-303-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/2180-324-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/1924-334-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/2188-336-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/1924-365-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/868-376-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/872-386-0x0000000001E40000-0x0000000002003000-memory.dmp	family_expiro1
behavioral1/memory/2960-387-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/868-389-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/2960-412-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1
behavioral1/memory/3068-425-0x0000000001000000-0x00000000011C3000-memory.dmp	family_expiro1

Executes dropped EXE 38 IoCs

pid	Process
2824	47BA.tmp
2708	4818.tmp
2484	48C3.tmp
2536	48E2.tmp
2756	4A0B.tmp
2884	5541.tmp
776	mscorsvw.exe
476	Process not Found
1924	mscorsvw.exe
2256	mscorsvw.exe
288	mscorsvw.exe
1096	824A.tmp
784	elevation_service.exe
1984	IEEtwCollector.exe
912	AB3D.tmp
2580	mscorsvw.exe
2832	B645.tmp
2180	D2D9.tmp
2188	DD73.tmp
1336	mscorsvw.exe
1924	FA08.tmp
868	20D9.tmp
2960	2250.tmp
3068	479B.tmp
2156	4846.tmp
2204	6E9B.tmp
800	6FE3.tmp
860	7C61.tmp
920	9702.tmp
2272	A3BE.tmp
2152	BD85.tmp
2852	CAED.tmp
2612	E495.tmp
2868	F2D7.tmp
2100	C9E.tmp
2108	1A06.tmp
1444	3488.tmp
2452	4192.tmp

Loads dropped DLL 64 IoCs

pid	Process
2452	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2452	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2948	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2948	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2684	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2684	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2832	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2832	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2088	WerFault.exe
2088	WerFault.exe
2088	WerFault.exe
2088	WerFault.exe
1600	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1600	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
476	Process not Found
476	Process not Found
2088	WerFault.exe
1732	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1732	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
476	Process not Found
476	Process not Found
484	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
484	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2020	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2020	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1448	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1448	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
620	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
620	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1932	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1932	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1788	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1788	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
872	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
872	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2864	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2864	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2672	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2672	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2164	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2164	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2292	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2292	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2248	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2248	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1104	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1104	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
276	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
276	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2332	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2332	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1988	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1988	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1788	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1788	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2724	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2724	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2864	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
2864	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1968	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1968	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
1668	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1163522206-1469769407-485553996-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1163522206-1469769407-485553996-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	4818.tmp

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\E:	4818.tmp
File opened (read-only)	\??\N:	4818.tmp
File opened (read-only)	\??\U:	4818.tmp
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\J:	4818.tmp
File opened (read-only)	\??\T:	4818.tmp
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\K:	4818.tmp
File opened (read-only)	\??\P:	4818.tmp
File opened (read-only)	\??\R:	4818.tmp
File opened (read-only)	\??\V:	4818.tmp
File opened (read-only)	\??\Y:	4818.tmp
File opened (read-only)	\??\Z:	4818.tmp
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\L:	4818.tmp
File opened (read-only)	\??\O:	4818.tmp
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\M:	4818.tmp
File opened (read-only)	\??\Q:	4818.tmp
File opened (read-only)	\??\S:	4818.tmp
File opened (read-only)	\??\X:	4818.tmp
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\G:	4818.tmp
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\H:	4818.tmp
File opened (read-only)	\??\I:	4818.tmp
File opened (read-only)	\??\W:	4818.tmp

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\locator.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\ui0detect.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\vssvc.exe	4818.tmp
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	4818.tmp
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\dllhost.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	4818.tmp
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File created	\??\c:\windows\system32\wbengine.vir	4818.tmp
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	4818.tmp
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	4818.tmp
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File created	\??\c:\windows\system32\fxssvc.vir	4818.tmp
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	4818.tmp
File created	\??\c:\windows\system32\ieetwcollector.vir	4818.tmp
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	4818.tmp
File created	\??\c:\windows\SysWOW64\svchost.vir	4818.tmp
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\lsass.exe	4818.tmp
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	4818.tmp
File created	\??\c:\windows\system32\msdtc.vir	4818.tmp
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File created	\??\c:\windows\system32\snmptrap.vir	4818.tmp
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	4818.tmp
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	4818.tmp
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	4818.tmp
File opened for modification	\??\c:\windows\system32\searchindexer.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	4818.tmp
File created	\??\c:\windows\system32\ui0detect.vir	4818.tmp
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	4818.tmp
File created	\??\c:\windows\SysWOW64\dllhost.vir	4818.tmp
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	4818.tmp
File created	\??\c:\windows\system32\vds.vir	4818.tmp
File created	\??\c:\windows\system32\vssvc.vir	4818.tmp
File opened for modification	\??\c:\windows\system32\alg.exe	4818.tmp
File created	\??\c:\windows\system32\alg.vir	4818.tmp
File created	\??\c:\windows\system32\msiexec.vir	4818.tmp
File opened for modification	\??\c:\windows\system32\wbengine.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	4818.tmp
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	4818.tmp
File opened for modification	\??\c:\windows\system32\svchost.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\vds.exe	4818.tmp
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	4818.tmp
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	4818.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	4818.tmp
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	4818.tmp
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	4818.tmp
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	4818.tmp
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.vir	4818.tmp
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	4818.tmp
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	4818.tmp
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	4818.tmp
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	4818.tmp
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	4818.tmp
File created	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.vir	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	4818.tmp
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	4818.tmp
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	4818.tmp
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	4818.tmp
File created	C:\Program Files\7-Zip\7zFM.vir	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	4818.tmp
File created	C:\Program Files\Internet Explorer\iexplore.vir	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	4818.tmp
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	4818.tmp
File opened for modification	C:\Program Files\7-Zip\7zG.exe	4818.tmp
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.vir	4818.tmp
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.vir	4818.tmp
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	4818.tmp
File opened for modification	C:\Program Files\7-Zip\7z.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	4818.tmp
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	4818.tmp
File created	C:\Program Files\Internet Explorer\ielowutil.vir	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	4818.tmp
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	4818.tmp
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	4818.tmp
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.vir	4818.tmp
File created	C:\Program Files\7-Zip\7zG.vir	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	4818.tmp
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	4818.tmp
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	4818.tmp
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	4818.tmp
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	4818.tmp
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	4818.tmp
File created	C:\Program Files\DVD Maker\DVDMaker.vir	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	4818.tmp
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.vir	4818.tmp
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	4818.tmp

Drops file in Windows directory 41 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	4818.tmp
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	4818.tmp
File created	\??\c:\windows\servicing\trustedinstaller.vir	4818.tmp
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	4818.tmp
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.vir	4818.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	4818.tmp
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	4818.tmp
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.vir	4818.tmp
File opened for modification	\??\c:\windows\ehome\ehsched.exe	4818.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	4818.tmp
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.vir	4818.tmp
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	4818.tmp
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	4818.tmp
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	4818.tmp
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	4818.tmp
File created	\??\c:\windows\ehome\ehsched.vir	4818.tmp
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	4818.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2088	2536	WerFault.exe	51

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5541.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6E9B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAED.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AB3D.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A3BE.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4818.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C9E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9702.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1A06.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3488.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B645.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4846.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BD85.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E495.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4A0B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2250.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F2D7.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	824A.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D2D9.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	479B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7C61.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48E2.tmp

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe
288	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2708	4818.tmp
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe
Token: SeShutdownPrivilege	288	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2912	2452	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	30
PID 2452 wrote to memory of 2912	2452	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	30
PID 2452 wrote to memory of 2912	2452	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	30
PID 2452 wrote to memory of 2912	2452	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	30
PID 2452 wrote to memory of 2860	2452	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	32
PID 2452 wrote to memory of 2860	2452	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	32
PID 2452 wrote to memory of 2860	2452	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	32
PID 2452 wrote to memory of 2860	2452	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	32
PID 2860 wrote to memory of 2140	2860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	33
PID 2860 wrote to memory of 2140	2860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	33
PID 2860 wrote to memory of 2140	2860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	33
PID 2860 wrote to memory of 2140	2860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	33
PID 2860 wrote to memory of 2948	2860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	34
PID 2860 wrote to memory of 2948	2860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	34
PID 2860 wrote to memory of 2948	2860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	34
PID 2860 wrote to memory of 2948	2860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	34
PID 2948 wrote to memory of 2924	2948	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	36
PID 2948 wrote to memory of 2924	2948	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	36
PID 2948 wrote to memory of 2924	2948	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	36
PID 2948 wrote to memory of 2924	2948	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	36
PID 2948 wrote to memory of 2684	2948	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	38
PID 2948 wrote to memory of 2684	2948	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	38
PID 2948 wrote to memory of 2684	2948	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	38
PID 2948 wrote to memory of 2684	2948	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	38
PID 2684 wrote to memory of 2796	2684	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	39
PID 2684 wrote to memory of 2796	2684	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	39
PID 2684 wrote to memory of 2796	2684	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	39
PID 2684 wrote to memory of 2796	2684	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	39
PID 2452 wrote to memory of 2824	2452	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	41
PID 2452 wrote to memory of 2824	2452	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	41
PID 2452 wrote to memory of 2824	2452	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	41
PID 2452 wrote to memory of 2824	2452	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	41
PID 2684 wrote to memory of 2832	2684	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	73
PID 2684 wrote to memory of 2832	2684	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	73
PID 2684 wrote to memory of 2832	2684	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	73
PID 2684 wrote to memory of 2832	2684	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	73
PID 2832 wrote to memory of 2736	2832	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	43
PID 2832 wrote to memory of 2736	2832	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	43
PID 2832 wrote to memory of 2736	2832	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	43
PID 2832 wrote to memory of 2736	2832	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	43
PID 2832 wrote to memory of 1600	2832	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	45
PID 2832 wrote to memory of 1600	2832	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	45
PID 2832 wrote to memory of 1600	2832	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	45
PID 2832 wrote to memory of 1600	2832	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	45
PID 1600 wrote to memory of 1548	1600	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	46
PID 1600 wrote to memory of 1548	1600	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	46
PID 1600 wrote to memory of 1548	1600	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	46
PID 1600 wrote to memory of 1548	1600	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	46
PID 2860 wrote to memory of 2708	2860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	49
PID 2860 wrote to memory of 2708	2860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	49
PID 2860 wrote to memory of 2708	2860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	49
PID 2860 wrote to memory of 2708	2860	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	49
PID 2948 wrote to memory of 2484	2948	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	50
PID 2948 wrote to memory of 2484	2948	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	50
PID 2948 wrote to memory of 2484	2948	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	50
PID 2948 wrote to memory of 2484	2948	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	50
PID 2684 wrote to memory of 2536	2684	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	51
PID 2684 wrote to memory of 2536	2684	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	51
PID 2684 wrote to memory of 2536	2684	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	51
PID 2684 wrote to memory of 2536	2684	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	51
PID 2832 wrote to memory of 2756	2832	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	52
PID 2832 wrote to memory of 2756	2832	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	52
PID 2832 wrote to memory of 2756	2832	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	52
PID 2832 wrote to memory of 2756	2832	3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe	52

C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
"C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
  "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140
- - C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
    "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
      "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        5⤵
        
        PID:2796
    - - C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
      - C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        7⤵
        Loads dropped DLL
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        9⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        9⤵
        Loads dropped DLL
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        10⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        11⤵
        Loads dropped DLL
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        13⤵
        Loads dropped DLL
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        16⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        19⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        19⤵
        Loads dropped DLL
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        20⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        20⤵
        Loads dropped DLL
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        21⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        23⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        24⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        25⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        25⤵
        Loads dropped DLL
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        27⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        29⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        31⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        32⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        32⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        33⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3983BEAE2740353B08753A433BEEC30565E33B61FC4CD182DF699070EF5723BE.exe"
        33⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
        34⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\8E1C.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\8E1C.tmp"
        33⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\6FB4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6FB4.tmp"
        32⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\60A7.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\60A7.tmp"
        31⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\4192.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4192.tmp"
        30⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\3488.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\3488.tmp"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\1A06.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\1A06.tmp"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\C9E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\C9E.tmp"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\F2D7.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\F2D7.tmp"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\E495.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\E495.tmp"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\CAED.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\CAED.tmp"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\BD85.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\BD85.tmp"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\A3BE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\A3BE.tmp"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\9702.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\9702.tmp"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\7C61.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\7C61.tmp"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\6FE3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6FE3.tmp"
        19⤵
        Executes dropped EXE
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\6E9B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\6E9B.tmp"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\4846.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4846.tmp"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\479B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\479B.tmp"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\2250.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\2250.tmp"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\20D9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\20D9.tmp"
        14⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\FA08.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\FA08.tmp"
        13⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\DD73.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\DD73.tmp"
        12⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\D2D9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\D2D9.tmp"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\B645.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\B645.tmp"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\AB3D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\AB3D.tmp"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\824A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\824A.tmp"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\5541.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\5541.tmp"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2884
      - C:\Users\Admin\AppData\Local\Temp\4A0B.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\4A0B.tmp"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2756
    - - C:\Users\Admin\AppData\Local\Temp\48E2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\48E2.tmp"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 68
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\48C3.tmp
      "C:\Users\Admin\AppData\Local\Temp\48C3.tmp"
      4⤵
      Executes dropped EXE
      PID:2484
- - C:\Users\Admin\AppData\Local\Temp\4818.tmp
    "C:\Users\Admin\AppData\Local\Temp\4818.tmp"
    3⤵
    - Executes dropped EXE
    - Drops Chrome extension
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- C:\Users\Admin\AppData\Local\Temp\47BA.tmp
  "C:\Users\Admin\AppData\Local\Temp\47BA.tmp"
  2⤵
  - Executes dropped EXE
  PID:2824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:776

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 188 -NGENProcess 198 -Pipe 1a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 1fc -NGENProcess 234 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:784

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir

Filesize
4.8MB

MD5
bb5862d1128ceeaf88f4f5b0b94f7ce6

SHA1
936fc40512c3477e6fcbe34673c0ea05070c9e7c

SHA256
c3f68eaf4d446e28bb973b545f12ae171d3502f0222446a574e198a185dd6859

SHA512
7c4d4dcbdfcf8776cdd6f313cbdd047344e92e4df1ecf2bc9f16b74c8bac004b92a4ff250f07743a9ab4b59e4269b239c8ea8caceb922ae66d4cd41a8160f1f1

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
adbeb72f6b5903fc811e90eff14e06ea

SHA1
21f070174d242ad85cd99b48e9e8b1441edb880d

SHA256
382719df85c99346c7e4b591725d0ac2bc50f47f3abfa83d0f1437deb79cf41f

SHA512
0a03ec07fb28a864a06a60985236398b15b3424855230765869e2a3e81f324f5fbdee1c071a4ef3005275cc11e992ea009021244b87eabbbf06892e24fdc9c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
292B

MD5
5355b8dd454c0e87b8f8fa5064e00063

SHA1
6bd0a181744f230616ad4f38f2bf87e20889ae09

SHA256
ade807c3a2357be7b98bbb047f7c9cbbb6ccc43e6bcad336746beffdb9527b88

SHA512
bd3f1571690cf05bd835495151a906cd7ea21ecdc7093366d51fcb4e4b8887f250faec995e46ebea6ae55aa447842f5f3a0f9e5577f51737e54d30fdf4805550

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
3d72776238ca7827cd49526194a926de

SHA1
ddafd4486f7977da8d80e1314a80218d0871e08f

SHA256
673ebe0a784503ea117d2da161328a00cd9263bf0e69bcd2e4581ec2a6decb14

SHA512
be35d3a598b4a51d6f82db4a8eca8e992867a1b539aaff2775cf3d95999b4fcb27300ea59bdd9588640ad8b125597a5497a412977d39811d9dbc8c50148c03e9

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
619KB

MD5
d37ecd24dc4c741fccd6ee000cd36f5c

SHA1
ad5a45895877540cee694933d23c70929e320416

SHA256
243e815aba90abd5393107c9356ac064fdb501911f125bd3261393c2a115b825

SHA512
9b40d95d2c6c897afe3c2fce3f31a0a4267a37e8aa7b61b05f2fefec4055c449c6fec2d86460d1cb30b083846a4d4428432f9d069a1c348a7ae80af361f19301

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
c554a689a6e749e1f42a318d3b9ad4fd

SHA1
6718eca6fdb4eea7ffc71f2adc8c9c774457d159

SHA256
927bb45b290e716569ce2e62f9842816f375eb33ca3f3473845d2906a6bb79df

SHA512
1ddf1d220d6cf5395835fb53c359e6b39c7e1c319e0484f12bf8cf261e7efb8c2af7b9ff8494332f2f97a7e4b92d03b36ef5b529b92ff069cd97cbffc554bf1d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
650KB

MD5
479bd0d816c18a6e9c3bfc2bdc90e084

SHA1
0f179babf07c0776c9c82aa5108723f33e7e0149

SHA256
1e5ce35cfa5066538d719e8a0e632b5956ac93e390e4e7d19b251953f5d62aeb

SHA512
3fcbcbe6b29626c8a0d9653e76fe36ea8c8ce53d914ee2d18378f8c0e80deb18501b7ad81e9180b2a2c9f3aa1e878ee0cf731745b4253b387b2d17a6a3a432af

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
700KB

MD5
eaf1f94d10ac9facdda1a1e6c1f3128a

SHA1
ce5e46fbfd19e00a73f3bb66a15521384dfc3b8e

SHA256
32b6f6d9aa08e17e32be5f76e4b080dc42d7d40fdb9b11675a511ce4f1602ed7

SHA512
86b000b9a57d483e6785713d5a14dd61a7c85a909279ddcb57e497ccedc31724d7d254280098debcb4536822931b6a890fe5b55d37214b9444da61e237af9ae5

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
775KB

MD5
7030726d22329b3eb124857a38b38550

SHA1
09a34b9427c61698edb5a9d24383381fcddbc2a7

SHA256
7bb0c87fe4ed4209a60d8cf93cfa011a52d513ffad6666d0aec26bb678dc3155

SHA512
c05b53c1969654a770b1ca7b480c6c316a12b5f527e2f0400e4c965080e789676eca6bf4d898118b5c7c6e8676afd8fa149696b9a84725be804f735c6672bde2

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
684KB

MD5
e2f8bcc821346214548c231fe4148815

SHA1
b4004c9b151436c2d07ba84a4205d57752608164

SHA256
30ed20d56511ca71cf955b333759a311d2cf2ee6a097ce6975dcfb4775a4fb9d

SHA512
421c9685a9e0efb1eb127211702fd98cdfe2f56d1a0ba1cf9d3d81b03baa84adf687cf718fe8129ddf8a7f8f06a1bc91ee856d9912197a6049329d86130514c3

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
596KB

MD5
912166a54e0799fccb416e6158f93004

SHA1
5131710d85a0a16f0ccd73393f47e4e8644aa8f7

SHA256
3ac30462853d49948407fac773be16a3098bc234ddaffc946273fbc492db6dcd

SHA512
0ab1fbd594bcc19511030eef98a7ecd3f4457715f02aa8305fda6910fdf8a9e435e8901b04743672d7ea8607a1fecdefc70a88d48cf02240d3c19332ef12b33f

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
637KB

MD5
de8c082df1ab4a3a4e9702df31975b47

SHA1
b88f3ea01ac6a808f5ee91ea7c4d2928b35a7e71

SHA256
0d4b1b0b6b11a21cb89875c74b2834eef1ea460fa1c3068b43441e1569cc1df5

SHA512
47fa37f9f4226dd6f145673651b7c8c3656c0a03cecd7b89afdd70c04d4f1d9affad1df6bf85b0b68fd850b2546fde1ab778e48a3504c61e9a1af7295834854b

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d975548122533dc1722ef05514dd610b

SHA1
72c234bf2be60c08167dae785099c72de66e86e1

SHA256
2aa112aa061da650161679b332410c34d82ae05dd5c701c57d4e9c9bb3813ad8

SHA512
ed8631a312569c0a346df896790424077f3609307d7d19f2aad755cba8467280bc00e7b79e059e1ab55f7955811175aaca01fea3e18b5f99f2d4088b6f552e8b

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
ec48bcff350849035b74bd423c193ddf

SHA1
e44d2bc66f1214dfe699caaa11b2f7fa30e43e9d

SHA256
501fb7a8308dc2e77b47f83b1fef6fb9fdb5db8c50c573a524fa5b4383b432e2

SHA512
eddb7f3b40780d005ff65329f37f996459c35f56275aeb481319691112a4be9e3d1c21fcc95a082e71743613464b9d25d270733488760094aedc1299d7ad07d6

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
758KB

MD5
a4a594a9a92cea4447ac56fa60328989

SHA1
bf91bf913f976021bcd5ab48187779d65b6d47cb

SHA256
2d2148528917d3267c3a1790eeafaa5665f0c8ecbd70a295070e1b9d147edac7

SHA512
a3604fe90f1e2942e49b172775efe9c11e9db18fc3b8bd2a88fca2b1f36d0818307675789de10cf01cd44073fb1077cf9a8db1ef6b3c6c57ed743d9ea43c0762

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
fd845a529512dfa1e3197cd58a77aba1

SHA1
947d6dc0e3257ef5bcf5b80bc2e21f23a016d254

SHA256
cb2b57446ce8291a83534dca10b7772a93284bdfd63c3e63acd88a53ddbab36a

SHA512
4f2f6f7061e2818ce8583a76a4bae0468c97cca24dde13cc23798c8fc5d07777af18dd6aac1dd4e50cc042f112c5fb52b14657e7465c71c6ea7898c467b6927e

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0d36c89a2e9292c7ef809119cf6dcc1f

SHA1
11423a0d11c640efa25f24d4e2cf78cc73798e75

SHA256
6d54715183acd53f6b03fd4918e280f69e576794950e3a72a5258045f3e4396f

SHA512
59e0a49b7c808febe51d60af1d483728d58e26504b5131cd6515bd2198918aae53b08776153574f57bcd55a21d7dc78a0a338accb5623fa98c861668029787ca

Download Submit
\Users\Admin\AppData\Local\Temp\47BA.tmp

Filesize
630KB

MD5
98a7bc652b56b926e5f7b10fd162159c

SHA1
e1185982d99bef65682abd517e69677f045ea90d

SHA256
b9947dbf4355ac95dc831cb7189b2020fa372febe68e9180b733f80a5b74ad8c

SHA512
76f46a17a602dfb3f8b54e8e633ade02c88b0f279dcbaa043b08b81f4f81f057cedcaf1a6b5eaf4dd423da5185da621507f5cc6a0ffdf13e9a95760f3270bce1

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
642KB

MD5
c41836c0b07a96ff781a2238b504dd5c

SHA1
4fa2f525cb28effa46839d48d32bf5cdf2659d33

SHA256
b8acebdfc2c980d4e5a993f94face68abb84b64b74c28e6743d78fae5e90a74c

SHA512
6c3f5ec93fe6020f98d5eacb74ac1c4944adf6ab0fa905d56fcddf3f2ad32168753c08976767a350a2c2a3e1187996236a9bfa04d7d3c3528641ca714b044033

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
670KB

MD5
81ea243c21a76d63f30813aefc3e8b32

SHA1
9150c1dde4dca7642295935358e3a8c98ecd3041

SHA256
8648d127ee02c5cb1951014ee1b39d7d2ff092ad390c858310910e664faec3a2

SHA512
945f38497ba41dd94f9d36543b709ec4d1efffa7ce3e9a28ae518c41f3aedd972039553fcaf5b8ad4e6ee71c7876bd56755e1c9f75ca03e1fb48b2a973c1d3ca

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
669KB

MD5
6171005e7235d4a5a3fd567ead388e16

SHA1
99c82a477b0791410c493db073be13c837ca5d8a

SHA256
cf9b0c3185ed511ed5ea9d293b0b2ca1d028fe6d8f455186ed766e1ee5bce968

SHA512
e7da915202080e83139179af0c598eb560bb046d6caa239e235861f81d30dbb60a1534126337f5c7e5d1d563089359964476466eb8f881d8ef833ed68a57faa2

Download Submit
memory/288-189-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/288-136-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/484-188-0x00000000002F0000-0x00000000003C0000-memory.dmp

Filesize
832KB

Download
memory/484-209-0x0000000001D80000-0x0000000001F43000-memory.dmp

Filesize
1.8MB

Download
memory/776-98-0x0000000010000000-0x00000000101BF000-memory.dmp

Filesize
1.7MB

Download
memory/776-130-0x0000000010000000-0x00000000101BF000-memory.dmp

Filesize
1.7MB

Download
memory/784-175-0x0000000140000000-0x0000000140382000-memory.dmp

Filesize
3.5MB

Download
memory/784-176-0x0000000140000000-0x0000000140382000-memory.dmp

Filesize
3.5MB

Download
memory/868-389-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/868-376-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/872-385-0x0000000001E40000-0x0000000002003000-memory.dmp

Filesize
1.8MB

Download
memory/872-386-0x0000000001E40000-0x0000000002003000-memory.dmp

Filesize
1.8MB

Download
memory/912-210-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/912-289-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1096-197-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1336-332-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1336-364-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1336-366-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1448-299-0x0000000001E70000-0x0000000002033000-memory.dmp

Filesize
1.8MB

Download
memory/1448-300-0x0000000001E70000-0x0000000002033000-memory.dmp

Filesize
1.8MB

Download
memory/1600-65-0x0000000001E30000-0x0000000001FF3000-memory.dmp

Filesize
1.8MB

Download
memory/1600-64-0x0000000001E30000-0x0000000001FF3000-memory.dmp

Filesize
1.8MB

Download
memory/1732-162-0x0000000001BF0000-0x0000000001DB3000-memory.dmp

Filesize
1.8MB

Download
memory/1732-163-0x0000000001BF0000-0x0000000001DB3000-memory.dmp

Filesize
1.8MB

Download
memory/1788-374-0x0000000001D80000-0x0000000001F43000-memory.dmp

Filesize
1.8MB

Download
memory/1788-375-0x0000000001D80000-0x0000000001F43000-memory.dmp

Filesize
1.8MB

Download
memory/1924-365-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1924-164-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/1924-110-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/1924-334-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/1932-333-0x0000000001E20000-0x0000000001FE3000-memory.dmp

Filesize
1.8MB

Download
memory/1984-346-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1984-212-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1984-184-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2020-279-0x0000000001D30000-0x0000000001EF3000-memory.dmp

Filesize
1.8MB

Download
memory/2020-278-0x0000000001D30000-0x0000000001EF3000-memory.dmp

Filesize
1.8MB

Download
memory/2180-324-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2180-301-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2188-311-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2188-336-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2256-186-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/2256-122-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/2452-22-0x0000000001CF0000-0x0000000001EB3000-memory.dmp

Filesize
1.8MB

Download
memory/2484-45-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2484-76-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2536-77-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2536-185-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2580-290-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2580-213-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2580-345-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2684-57-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2684-42-0x0000000001E70000-0x0000000002033000-memory.dmp

Filesize
1.8MB

Download
memory/2708-36-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2708-60-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2756-51-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2756-78-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2824-31-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2824-52-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2832-50-0x0000000001E20000-0x0000000001FE3000-memory.dmp

Filesize
1.8MB

Download
memory/2832-303-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2832-49-0x0000000001E20000-0x0000000001FE3000-memory.dmp

Filesize
1.8MB

Download
memory/2832-280-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2864-413-0x0000000001E10000-0x0000000001FD3000-memory.dmp

Filesize
1.8MB

Download
memory/2884-66-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2884-109-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2948-38-0x0000000001D80000-0x0000000001F43000-memory.dmp

Filesize
1.8MB

Download
memory/2960-387-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/2960-412-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download
memory/3068-425-0x0000000001000000-0x00000000011C3000-memory.dmp

Filesize
1.8MB

Download