expiro | 8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
Size

555KB
MD5

0a7488a74643a888ff7ed8af241f79f0
SHA1

3d92ac3c469821bdd0801ff641e1c69f63f22991
SHA256

8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268
SHA512

bc9b2a12b70752fc843644697c3eb82b94f247411599b28437ee43ebff8ec467d0be369a7438e824835378571de22300a9e802a3b35160336ad89de3986bf666
SSDEEP

12288:T7RRaMMMMM2MMMMM/H0jZrctbNgED36KATHFNpsOFgaPJn29BPP0Ih/2YDi:T7RRaMMMMM2MMMMM/HK5sbNgED36KArf

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 2 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2824-2-0x0000000001000000-0x00000000011B0000-memory.dmp	family_expiro1
behavioral1/memory/2884-54-0x0000000010000000-0x00000000101AF000-memory.dmp	family_expiro1

Executes dropped EXE 59 IoCs

pid	Process
2884	mscorsvw.exe
476	Process not Found
2592	mscorsvw.exe
576	mscorsvw.exe
964	mscorsvw.exe
2680	elevation_service.exe
3000	IEEtwCollector.exe
2452	mscorsvw.exe
1644	mscorsvw.exe
784	mscorsvw.exe
264	mscorsvw.exe
1840	mscorsvw.exe
1956	mscorsvw.exe
2324	mscorsvw.exe
1216	mscorsvw.exe
1708	mscorsvw.exe
288	mscorsvw.exe
888	mscorsvw.exe
2212	mscorsvw.exe
2956	mscorsvw.exe
2628	mscorsvw.exe
2660	mscorsvw.exe
332	mscorsvw.exe
2592	mscorsvw.exe
2860	mscorsvw.exe
3004	mscorsvw.exe
1088	mscorsvw.exe
1040	mscorsvw.exe
2264	mscorsvw.exe
2028	mscorsvw.exe
1592	mscorsvw.exe
2096	mscorsvw.exe
1920	mscorsvw.exe
304	mscorsvw.exe
1716	mscorsvw.exe
1520	mscorsvw.exe
620	mscorsvw.exe
2468	mscorsvw.exe
1412	mscorsvw.exe
2356	mscorsvw.exe
2596	mscorsvw.exe
1012	mscorsvw.exe
468	mscorsvw.exe
2548	mscorsvw.exe
1912	mscorsvw.exe
1888	mscorsvw.exe
1680	mscorsvw.exe
1708	mscorsvw.exe
2868	mscorsvw.exe
2912	mscorsvw.exe
1844	mscorsvw.exe
2588	mscorsvw.exe
448	mscorsvw.exe
2820	mscorsvw.exe
2964	mscorsvw.exe
932	mscorsvw.exe
2524	mscorsvw.exe
2592	mscorsvw.exe
2960	mscorsvw.exe

Loads dropped DLL 42 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2324	mscorsvw.exe
2324	mscorsvw.exe
1708	mscorsvw.exe
1708	mscorsvw.exe
888	mscorsvw.exe
888	mscorsvw.exe
2956	mscorsvw.exe
2956	mscorsvw.exe
2660	mscorsvw.exe
2660	mscorsvw.exe
2592	mscorsvw.exe
2592	mscorsvw.exe
3004	mscorsvw.exe
3004	mscorsvw.exe
1040	mscorsvw.exe
1040	mscorsvw.exe
2028	mscorsvw.exe
2028	mscorsvw.exe
2096	mscorsvw.exe
2096	mscorsvw.exe
304	mscorsvw.exe
304	mscorsvw.exe
1520	mscorsvw.exe
1520	mscorsvw.exe
2468	mscorsvw.exe
2468	mscorsvw.exe
2356	mscorsvw.exe
2356	mscorsvw.exe
1012	mscorsvw.exe
1012	mscorsvw.exe
2548	mscorsvw.exe
2548	mscorsvw.exe
2912	mscorsvw.exe
2912	mscorsvw.exe
1844	mscorsvw.exe
1844	mscorsvw.exe
448	mscorsvw.exe
448	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4177215427-74451935-3209572229-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4177215427-74451935-3209572229-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\G:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\V:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\K:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\Q:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\U:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\Z:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\E:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\M:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\J:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\P:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\X:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\L:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\N:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\R:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\Y:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\H:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\S:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\T:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\W:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened (read-only)	\??\I:	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	\??\c:\windows\system32\ieetwcollector.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	\??\c:\windows\system32\msdtc.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\vds.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	\??\c:\windows\system32\msiexec.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File created	\??\c:\windows\system32\fxssvc.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	\??\c:\windows\system32\snmptrap.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	\??\c:\windows\system32\alg.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\locator.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	\??\c:\windows\system32\ui0detect.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	\??\c:\windows\system32\vds.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File created	\??\c:\windows\system32\vssvc.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	\??\c:\windows\system32\wbengine.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\Internet Explorer\ieinstal.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File created	C:\Program Files\7-Zip\7z.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\7-Zip\7zG.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\Internet Explorer\ielowutil.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1AA2.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP2655.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE91.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	\??\c:\windows\ehome\ehsched.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1390.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe
964	mscorsvw.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2824	8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe
Token: SeShutdownPrivilege	964	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 2452	964	mscorsvw.exe	37
PID 964 wrote to memory of 2452	964	mscorsvw.exe	37
PID 964 wrote to memory of 2452	964	mscorsvw.exe	37
PID 964 wrote to memory of 1644	964	mscorsvw.exe	38
PID 964 wrote to memory of 1644	964	mscorsvw.exe	38
PID 964 wrote to memory of 1644	964	mscorsvw.exe	38
PID 964 wrote to memory of 784	964	mscorsvw.exe	40
PID 964 wrote to memory of 784	964	mscorsvw.exe	40
PID 964 wrote to memory of 784	964	mscorsvw.exe	40
PID 964 wrote to memory of 264	964	mscorsvw.exe	41
PID 964 wrote to memory of 264	964	mscorsvw.exe	41
PID 964 wrote to memory of 264	964	mscorsvw.exe	41
PID 964 wrote to memory of 1840	964	mscorsvw.exe	42
PID 964 wrote to memory of 1840	964	mscorsvw.exe	42
PID 964 wrote to memory of 1840	964	mscorsvw.exe	42
PID 964 wrote to memory of 1956	964	mscorsvw.exe	43
PID 964 wrote to memory of 1956	964	mscorsvw.exe	43
PID 964 wrote to memory of 1956	964	mscorsvw.exe	43
PID 964 wrote to memory of 2324	964	mscorsvw.exe	44
PID 964 wrote to memory of 2324	964	mscorsvw.exe	44
PID 964 wrote to memory of 2324	964	mscorsvw.exe	44
PID 964 wrote to memory of 1216	964	mscorsvw.exe	45
PID 964 wrote to memory of 1216	964	mscorsvw.exe	45
PID 964 wrote to memory of 1216	964	mscorsvw.exe	45
PID 964 wrote to memory of 1708	964	mscorsvw.exe	46
PID 964 wrote to memory of 1708	964	mscorsvw.exe	46
PID 964 wrote to memory of 1708	964	mscorsvw.exe	46
PID 964 wrote to memory of 288	964	mscorsvw.exe	47
PID 964 wrote to memory of 288	964	mscorsvw.exe	47
PID 964 wrote to memory of 288	964	mscorsvw.exe	47
PID 964 wrote to memory of 888	964	mscorsvw.exe	48
PID 964 wrote to memory of 888	964	mscorsvw.exe	48
PID 964 wrote to memory of 888	964	mscorsvw.exe	48
PID 964 wrote to memory of 2212	964	mscorsvw.exe	49
PID 964 wrote to memory of 2212	964	mscorsvw.exe	49
PID 964 wrote to memory of 2212	964	mscorsvw.exe	49
PID 964 wrote to memory of 2956	964	mscorsvw.exe	50
PID 964 wrote to memory of 2956	964	mscorsvw.exe	50
PID 964 wrote to memory of 2956	964	mscorsvw.exe	50
PID 964 wrote to memory of 2628	964	mscorsvw.exe	51
PID 964 wrote to memory of 2628	964	mscorsvw.exe	51
PID 964 wrote to memory of 2628	964	mscorsvw.exe	51
PID 964 wrote to memory of 2660	964	mscorsvw.exe	52
PID 964 wrote to memory of 2660	964	mscorsvw.exe	52
PID 964 wrote to memory of 2660	964	mscorsvw.exe	52
PID 964 wrote to memory of 332	964	mscorsvw.exe	53
PID 964 wrote to memory of 332	964	mscorsvw.exe	53
PID 964 wrote to memory of 332	964	mscorsvw.exe	53
PID 964 wrote to memory of 2592	964	mscorsvw.exe	54
PID 964 wrote to memory of 2592	964	mscorsvw.exe	54
PID 964 wrote to memory of 2592	964	mscorsvw.exe	54
PID 964 wrote to memory of 2860	964	mscorsvw.exe	55
PID 964 wrote to memory of 2860	964	mscorsvw.exe	55
PID 964 wrote to memory of 2860	964	mscorsvw.exe	55
PID 964 wrote to memory of 3004	964	mscorsvw.exe	56
PID 964 wrote to memory of 3004	964	mscorsvw.exe	56
PID 964 wrote to memory of 3004	964	mscorsvw.exe	56
PID 964 wrote to memory of 1088	964	mscorsvw.exe	57
PID 964 wrote to memory of 1088	964	mscorsvw.exe	57
PID 964 wrote to memory of 1088	964	mscorsvw.exe	57
PID 964 wrote to memory of 1040	964	mscorsvw.exe	58
PID 964 wrote to memory of 1040	964	mscorsvw.exe	58
PID 964 wrote to memory of 1040	964	mscorsvw.exe	58
PID 964 wrote to memory of 2264	964	mscorsvw.exe	59

C:\Users\Admin\AppData\Local\Temp\8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe
"C:\Users\Admin\AppData\Local\Temp\8a137c78930750ea81be840136ad60de250a408f040acf204f95ddad1bd1c268N.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2884

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 164 -NGENProcess 168 -Pipe 174 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 238 -NGENProcess 244 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 160 -InterruptEvent 1e0 -NGENProcess 188 -Pipe 154 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 260 -NGENProcess 234 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 188 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 234 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent f8 -NGENProcess 188 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent f8 -InterruptEvent 274 -NGENProcess 160 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 278 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 284 -NGENProcess 188 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 188 -NGENProcess 27c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 188 -InterruptEvent 28c -NGENProcess 278 -Pipe f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 278 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 294 -NGENProcess 27c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 28c -NGENProcess 27c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 29c -NGENProcess 284 -Pipe 188 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 27c -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 27c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2ac -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2ec -NGENProcess 2c4 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 300 -NGENProcess 270 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2cc -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 308 -NGENProcess 2c4 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 270 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 270 -NGENProcess 304 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 304 -NGENProcess 2f0 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 318 -NGENProcess 310 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 310 -NGENProcess 270 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 320 -NGENProcess 2f0 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 308 -NGENProcess 31c -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2ec -NGENProcess 324 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 32c -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 31c -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
636KB

MD5
7940dc74ca1f0722f5484f3a534c8a8a

SHA1
3081a257c60518ddc047fa15c5ec5ef970a0b1d8

SHA256
3741b4a6bd0926f3830c2d2de1ce3e8e6409e29dca30b739a3c5304d5d05246f

SHA512
4c70b930979cc72b93dc0fbf8de2442fa2ceb6f58dbe17e81892be8958a915acbfd7e59f1b42d2f51e0664221cf46ddca57f0b5ee59dcbcb615142b5a008f676

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.5MB

MD5
1e8c97e3083b68169d3a515cff6e5111

SHA1
b1aaf898eeb5af9b297aa108339626fc3000e060

SHA256
d6288c31cd9c4d6e64b0e27d9db0a9d722b1c1ea9ca1025c5ebdd44554a5ed09

SHA512
be86b2760e1d91ad555e79b2e53f4a0a97c6afde0130c1bba736fc4c23b337a85056b0b6a60f29b22cff7479abf390dee283ab1c5174ef58ba5839a8289b864d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir

Filesize
4.8MB

MD5
d3450c7c35a2694031802172c6ead437

SHA1
418d216541f01e0955565d09b28d57bb5fa18ec7

SHA256
2d8d50864556197a5dc854cdbce4554f94cd221674261cb29e571a062d40d77a

SHA512
48f3b3b1140ee46f83f0df842cb0eb45f9e06855a66134a08c41e6e12f07e6061edd102a9212d8da416f422e722037d5b356da6f1e64097e1779afe2ba86858d

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.2MB

MD5
5b569c3f5850b7134ed002e30d4d4ae1

SHA1
3e5fb6267d60106a079be55a1ce2c88d663bdeef

SHA256
ba0ebf3b67dd9962e6fb03377665693d448b4cdea041be4ab5f820fa3250bfc6

SHA512
0dd2c41a8e219abbbce8f994733a7e41542e5a44bec9199797c20e44614156b1b40bff75a47e4cd56e4dd9b6a1f1e6deb7d64d2cd454d01be3c9d4d89589c3de

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
063c250ef7d454be6a038d75b6d55061

SHA1
4aa9fd6c16453063265ae0d7ff3ba24fd5a33220

SHA256
29d25b86bd8f553ab51596df96c93d1cddf8af07d10bbdc2d61be2b3efacdb16

SHA512
e0498e01b1ff6b8e152528d6aeab719dfa7e1db5460d808bbd5e1e998b969b93b5cf855a2ad4487177c6ca33bc921dde7c0c860f319861587e9d3557c574bd9c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
606KB

MD5
86ae8dbc5d8b55ea0aad1440b82c7fac

SHA1
d2a1bf5b7055a6afcd799757f8a98b8f5a269e2d

SHA256
de9049bc0c8a14706f2e19cf56e9b13c15aada51b241d802cf1218adbbb24f12

SHA512
5744d99bb3746db0159cf76b1965e7d0cb7defa92cb10f2d6a5ef29020b4b1b2111d4b50a53273a906aacb3d188068c2632d145f29fa71ec1785ba300ae0a73d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
42cd1ad02bbe8b1c3364143c5b93e931

SHA1
cce5ee709cfcce2395bb9af4c079d33f1205587b

SHA256
a485bc7124694e3da59149e86364427405da160e36f98397313388aecc5e2182

SHA512
98e87d66f8ff915f5a75ed4d1fd55a63e444d5201540d96cb98221c1782c27580223185629f0be56bafbd449271f9ea1f00e77aaf846f7891fa81b7d2f2ec9ba

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
555KB

MD5
9bf6a23d12fe8723daf20cc432f3310d

SHA1
df26ac249a7e3c5ad4fafb621caed0450d5ff10c

SHA256
2098e7edacfbe53d7e8392df58c166d3df911947ba61d7e6605bdace286f9b96

SHA512
8ab71146fdeab45e1760211b2795e4cf8b07ab39ffff20393815955dc286a074041efa3fba59df71ad4dbdea18dff312216cdb27ed9ecf1f555cb4cdce3615cb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
3b88406ce35a17cbfff5f363104d1a8a

SHA1
59f16e013f8a345506f207148de4e18ed179cf03

SHA256
c3be17051845a691991b3f3239840c3040e2cfd72576b1da59cf3295cdea1668

SHA512
daa81b04bcc2c0e0a1b6fb0f26bbf1e4a79baae4534dcece7782e4882e3c73cdc4add903e3b5834755c6d887ecc09d52e532cd622ae2946d20988ff0370e2c2a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
586KB

MD5
860379922d27bcd5d40b56ecc263bfe6

SHA1
133fba776c2479ca9c174c0ee7b3a1952fd6717c

SHA256
a2e79e43c180a20855d8c9c95c1936347dd319037c581f07d5dd545667e4633a

SHA512
e149115a64985730431634bcec31ea4729dbf6e43b3d208c8e404bd2d2a2f2e7c2527c356b9dc3c0132941e974529c031bc69b4e8e52dbadf1d1cc36c99c9994

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\8e6048d19d9eea8686cac1e23e829018\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
c83081b40ac527a28df7714d24b90765

SHA1
26aa93b67d1e103c03cdd3631b292f4ec202da7d

SHA256
c36eeb3b17e02d1417073277220ad8c0fced260ae683760f8eb6ac032c851b96

SHA512
d34309e79aa0d3de8fa9d79245dbddcff86c6842ba0a60e04cbc997b91c7f774543bfdcba430c21e1e13eab596415622be26f403f7f52c9be69247cfb1194730

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9074996bc28678b06fa17630de38d173\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
130dd500d68e75c17db6dd7eb3e84e30

SHA1
4a63e42c12d308da7138026f463df9937bc1c405

SHA256
39041aaa1b11c15e9dae3814d00ba153a205460587b09a3da25f0fbdfc7c3780

SHA512
c68996d9c6895145fa1815c713e061fa708cb910f52b0dfb1fa22ad0dcb5401eff65accd87bb76ae2eedcce0b21c1dc47eac48bbe7a423bd3399b56d4522fa7c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\c5c11fcea0636519739a96ad037b7094\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
82878fe772863f18821c7dd440a7eb29

SHA1
ec59b8f9489e16005108ed5d96b2fe8b12668fa2

SHA256
0bc3a4d163d1714b3cdfd21d31da772d5cff92fd77e129ca334cf8cdb9b46372

SHA512
ed49670a578b4824d4e0823f9eb0e829141dd3080f423f18ad8a23a5fd4e4208c90efe365cd84ee090d86b0b593683d64df0c2ad9710edde0fe7ab49ae6a15ff

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fd9e6539d226ce712277327815c2fbf9\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
a5f438d1174d75dbe63a134dff78719e

SHA1
6643989f292bc36bb4944ae4ee2ec385106fb278

SHA256
54e4a6e4d1c7363cb37969ccafcc310ab7ce574e867c1799b99510e17e1c4adc

SHA512
5989629796b5ef599cebc680fb77088c9267aec6726b2088dd0f2e831844a34cc542ad7559f456b0b76c4fbe5ef1d0756d73cc5c1051cfa094309aedb81c7aa8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

Filesize
124KB

MD5
929653b5b019b4555b25d55e6bf9987b

SHA1
993844805819ee445ff8136ee38c1aee70de3180

SHA256
2766353ca5c6a87169474692562282005905f1ca82eaa08e08223fc084dbb9a2

SHA512
effc809cca6170575efa7b4b23af9c49712ee9a7aaffd8f3a954c2d293be5be2cf3c388df4af2043f82b9b2ea041acdbb9d7ddd99a2fc744cce95cf4d820d013

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

Filesize
88KB

MD5
1f394b5ca6924de6d9dbfb0e90ea50ef

SHA1
4e2caa5e98531c6fbf5728f4ae4d90a1ad150920

SHA256
9db0e4933b95ad289129c91cd9e14a0c530f42b55e8c92dc8c881bc3dd40b998

SHA512
e27ea0f7b59d41a85547d607ae3c05f32ce19fa5d008c8eaf11d0c253a73af3cfa6df25e3ee7f3920cd775e1a3a2db934e5891b4aafd4270d65a727b439f7476

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
636KB

MD5
1d8f0fcdae33f2a89245535775ddcb83

SHA1
9764ed74e4a96f083278ff6dc646fe545ab55ffc

SHA256
e8a2d5fff7e527469e7a5f883e3f89402b46e37e5be06a2d9998bac1fbe5aeb7

SHA512
ba6295bd28d8b47cbce89836641f3243ffe1bf714edbadae1ca0f90357e4a471d434d9762118b6ddbd588dae9f637d941a6ee507564dd28b2444bf40cb14ce68

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.0MB

MD5
a3e3864825075c729f29617d75e431f4

SHA1
6da58a5c2744b66b9cad580f67a2cfafbe5f60e7

SHA256
be55b22fd9fd89ca853d7bd1d4a4f01ce016c5ded2a735638d6238838970a461

SHA512
e219b739744c3c69fe427aa321565b6cf293c87cf863ff2d270bfce154232c2d840c160ceeab9596ee94fec57446ab12d472afa3df04326ff3e6e407339e1527

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
711KB

MD5
fed84bcaab29d8e21f8e2ed1dd66698a

SHA1
baac500fe15e57a474754c9c68b991d598208e9f

SHA256
c93b57f468952e1fa97c822826f8f4f4c4a275f9c220c0e0fbc1658a11dc15e7

SHA512
74fd4caa296ebd68f53aa1a5cfb094ba3005f312f737181a18e678673ec4452237da0f376b08b724ef6b65f48bc77708f70307062f7ae890ed25be2e72341366

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
620KB

MD5
cb36b725b1768f54c5ba582bce96be0a

SHA1
5ce4b8f8b63394b340a1af903190f09cc3d0b029

SHA256
d8d6f767958380c8938924844d42d960a085235c1c4198c2451f73c5e2316004

SHA512
0f1c281e657cf200d5ea3aed7b0f8e4834b566032aae2f4f84d2b132e580d7270cb06d56ee2be4431c7b887a2faf3fd06784b95ef038fd9d10c7e9d1e751588c

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
532KB

MD5
bd1c5551f2eaf4faf27d277850e03a00

SHA1
4f9fb1da98c4413796118fa6c108999c9baf0304

SHA256
8cb1c4417189133e5c4a57c37385f91909b0488396658598c9db6117b297e461

SHA512
7f6c4d179d3dd198456ffc35df3d2f1ab1268c106826fb182e2231af57a5ae162f2fd276fdf52526b8845f883501a6578a0ab4702a708899550c5473d3eb4b6c

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
573KB

MD5
16e71dd56f73c24a30cacc0a177c9207

SHA1
a7580e13812cd04e5838b369acabccad02196fe4

SHA256
c59149c6bf39022967b3c3ade8b5c9b47d7adf2f56dbe4459aeb3453740757b5

SHA512
00450ae43b70aec9420fe503031fe39bd6eb8f3f1ab49c113bac50a65b9c917f20abb269d558bca712b15743ee89e91a96dafbd7a57e8af3d727facdd49ea3c1

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.1MB

MD5
d8c72638148f6a585a9d874ea8a37293

SHA1
9b8c37438c5a36f108a75488b0921bfdc9192c5f

SHA256
42a87fd97eb8f1a6f2117cd6c73c4e5d9d8f5ca16e6dd1d725e2edb9d4d74c50

SHA512
3c1cd72223ef50a21dc3d5fc7e0d197440c51d5d7a40cfdec7b716eea8a545582f4ae21ba4a9d3dd7501aecfcbd53b87f9d1933f1a16b7410f4930ed4346affb

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
634KB

MD5
e5894ebc7f8fe784d6f3d6b87cdeb513

SHA1
b495c4203bce1d4deb119e1d65dcbaf1f7f42d29

SHA256
e662264091363df0609bba98b653e3856ebe6e61031bf62c9aa0dd0038f34245

SHA512
45bc75b8ae5956007ca7026a04ad7bf8ff167819aa9ad52b6e4eb4449bcdd7e2cae62a98f0240098c3fffcde50a4d3b1894f0a0f6a3395979e86b445708973dd

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
621KB

MD5
01173c76277b38caeadf8bcd68b42589

SHA1
e2376a2639ae3a337cc0abdb6275296d321d4065

SHA256
daa7ce557d0e52b2c92e89d1cf5844610a015ad0ea132cd000d525084cf4dbb9

SHA512
3b3b891ce22c71d1d45752de329f97b3f410006672f2d8aec1c921aaaa56ddeca31f71a93de1995cae782825db9802178f7af6b810b84fc9cfef8919f443198f

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
510KB

MD5
50e1040b93d0e86d78738528e9980577

SHA1
764682a44c5c20bb856dada8286a7a34b6a2565e

SHA256
2950c04cdac3ae13db60cb0028011fa6f82a38e2db0b303e6d9e7499c3c735fe

SHA512
9037592b63f1eaa1913f86dfbeb128942ac01880f4926b52503cdc4dfbcdd16b3a4221e79cf2a7963855eec8d9df7176709211f7453b6a2e64fb1b99c53a96a7

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
536KB

MD5
106de8bd9463db30c713a90184a66f8c

SHA1
f5c21f2c75c2635b7b6570a7d9fadb6c82eb373c

SHA256
b1963fcde88098cdbe6ac4279ef63f070fa29e79921da176fd80283f41cf3b23

SHA512
b7b22aedfcac8b2a5908c8382304ea76a0b628e8fadb9a2006df21f6e894e42ef95300725323702f336c38f9d6b95ffc9e6f207a7262d3f3d43187231923bc69

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1017KB

MD5
aba52131177243af96e8a0b7a644b7cf

SHA1
cd9e1d9eea5523c0e71fc8cac35d915f79faaeab

SHA256
563e3208445153714dd5e06e0dd5c4daf4254fea90ca9a3b7daf47722841065a

SHA512
428c49e7f1cb71071de6fdfc949f320419083faccd0d62773c5b3bbd5cb840bcca8e8f382ae4900393356a1a9bd402bdcb8c41f7ad59df925201ce2349e22040

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.0MB

MD5
587aace86e359efbe7c67422f7283cd5

SHA1
4af1acd5a643eba24d2f69bc796f270d952446eb

SHA256
0fef8409cbfcbddb1703001164b6e347b7c6713548e844b9ebfd6a65efe731ee

SHA512
092170a123ad4c055bd17cc82f088354ce16a3a24c4ca874e506b4389f14ccb22da64ba526f3674ff58187c63616adc77ebdda7d37d5f06963543124ce2fb0a3

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
694KB

MD5
470d00031acd85618eb1589408751ea3

SHA1
ce1ba6bc68fe505a8701edd10185162235840b6c

SHA256
9fdd46dc32f23ddec7baaaa8cacc829a9c22f7fb4ed5394cdc058fa308cbb483

SHA512
f1ccf9fa185dcf0011cdc2b1a395c392e70632785ec4a74abf97733ce84805e1f061893770c2cc614f25b86c30ceda521debb88d888ed101b36b76822b2d941e

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
1.9MB

MD5
c740b98129b26e71e147bae249e3d76d

SHA1
064ca68d9da71706599e45745a101ed5d0f2e70f

SHA256
2a75bb2b3673287e865cd0c8e13a36e4a29d61f707fcf9d8c861dea3e0f507ae

SHA512
9bff50d86963ad04123a51d1d0ea80a07792a0226d7e27015297c9d32372ba2ae9f8be1a6f8b04af6696db528052ead66ecd1b8e48ed6be663bdc31a955aee87

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
df0f754f346dbd37cdec4900a9d29f84

SHA1
f918bb45c4f25f25a830ca225a0c16151659b7b9

SHA256
b4faab6ec6cb1b179006e2ea30690976567981a4da4607a2fb61777cf7b47d5d

SHA512
beed2b911abf7a2840e2a179eeea3779614070a52985876d1dbbf20dfb2e7c9f422a8118801b1201413952dc70ca1e4afcedc696fdc7c2826b4df9b964a2a88c

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
578KB

MD5
c62f2fdb0ecd9d4aaf330538ecad45b2

SHA1
dcc094f3272cb25b3cdcde7873975dbf985917e9

SHA256
be8dd9995196cbfcb016f5bcfab63e00af2466ec5b0257aed79198c719c9f4c9

SHA512
a1003dd2dc2a611987c1be18e91e78bc0ed62215ff70e3d19203df100075e2ad4ec3fee293c1f2b6c276d2ba318fe7605559b1315ab703f01099d1ae2b4df287

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
605KB

MD5
7724ae143be2c9deea05d038f4ae8931

SHA1
2aef28a75dd75cb918d5912070cfcf04d653fa3c

SHA256
84cef96e391bb9d604475b6fec2495ceeac2804b57f40213272df05eba7e8e63

SHA512
b0855cdea5c10ad6c12c075e8f4689aa2ea59b50cd592c4ec56288ab860072600f481006f74ec6f1e389f43813025c76a5bdffdf78fa43ab420cac8a17ea6186

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP10E2.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1390.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP5FA.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP8B8.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBC4.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE91.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
memory/264-300-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/264-297-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/288-366-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/288-364-0x000000001C510000-0x000000001C520000-memory.dmp

Filesize
64KB

Download
memory/288-362-0x0000000003040000-0x000000000304C000-memory.dmp

Filesize
48KB

Download
memory/332-435-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/332-437-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/576-46-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/784-298-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/784-295-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/888-369-0x0000000000740000-0x000000000074C000-memory.dmp

Filesize
48KB

Download
memory/888-387-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/888-373-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/888-368-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/888-378-0x0000000003200000-0x000000000320C000-memory.dmp

Filesize
48KB

Download
memory/888-370-0x0000000000750000-0x000000000075E000-memory.dmp

Filesize
56KB

Download
memory/888-371-0x0000000000760000-0x0000000000776000-memory.dmp

Filesize
88KB

Download
memory/888-377-0x0000000003200000-0x000000000320C000-memory.dmp

Filesize
48KB

Download
memory/888-372-0x0000000000780000-0x00000000007C8000-memory.dmp

Filesize
288KB

Download
memory/964-58-0x0000000140001000-0x0000000140003000-memory.dmp

Filesize
8KB

Download
memory/964-151-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/964-57-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1040-466-0x0000000002F30000-0x0000000002F3A000-memory.dmp

Filesize
40KB

Download
memory/1088-463-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/1088-464-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1216-332-0x00000000008D0000-0x00000000008EA000-memory.dmp

Filesize
104KB

Download
memory/1216-335-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1216-329-0x00000000006A0000-0x00000000006B8000-memory.dmp

Filesize
96KB

Download
memory/1216-331-0x0000000000820000-0x000000000082E000-memory.dmp

Filesize
56KB

Download
memory/1216-333-0x00000000008F0000-0x000000000090E000-memory.dmp

Filesize
120KB

Download
memory/1644-171-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1644-173-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1708-361-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1708-338-0x0000000003040000-0x0000000003058000-memory.dmp

Filesize
96KB

Download
memory/1708-339-0x00000000030B0000-0x00000000030BC000-memory.dmp

Filesize
48KB

Download
memory/1708-351-0x000000001D1C0000-0x000000001D1D8000-memory.dmp

Filesize
96KB

Download
memory/1708-352-0x000000001D1C0000-0x000000001D1D8000-memory.dmp

Filesize
96KB

Download
memory/1708-340-0x000000001C490000-0x000000001C49E000-memory.dmp

Filesize
56KB

Download
memory/1708-344-0x000000001CA00000-0x000000001CA1E000-memory.dmp

Filesize
120KB

Download
memory/1708-341-0x000000001C4A0000-0x000000001C4B6000-memory.dmp

Filesize
88KB

Download
memory/1708-342-0x000000001C4C0000-0x000000001C508000-memory.dmp

Filesize
288KB

Download
memory/1708-336-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1708-343-0x000000001C510000-0x000000001C52A000-memory.dmp

Filesize
104KB

Download
memory/1840-301-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1840-303-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1956-304-0x00000000007A0000-0x00000000007AE000-memory.dmp

Filesize
56KB

Download
memory/1956-306-0x000000001C470000-0x000000001C4B8000-memory.dmp

Filesize
288KB

Download
memory/1956-305-0x000000001C450000-0x000000001C45C000-memory.dmp

Filesize
48KB

Download
memory/1956-309-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1956-307-0x000000001C4C0000-0x000000001C4D6000-memory.dmp

Filesize
88KB

Download
memory/2212-389-0x0000000003270000-0x0000000003284000-memory.dmp

Filesize
80KB

Download
memory/2212-388-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/2212-392-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2324-311-0x0000000000820000-0x000000000082E000-memory.dmp

Filesize
56KB

Download
memory/2324-314-0x000000001C4C0000-0x000000001C4D6000-memory.dmp

Filesize
88KB

Download
memory/2324-313-0x0000000003110000-0x0000000003158000-memory.dmp

Filesize
288KB

Download
memory/2324-312-0x0000000003100000-0x000000000310C000-memory.dmp

Filesize
48KB

Download
memory/2324-319-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/2324-318-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/2324-328-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2452-150-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2452-172-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-451-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-35-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/2592-42-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/2592-63-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/2592-443-0x0000000003170000-0x000000000317E000-memory.dmp

Filesize
56KB

Download
memory/2592-439-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2628-411-0x00000000007B0000-0x00000000007CA000-memory.dmp

Filesize
104KB

Download
memory/2628-412-0x00000000007D0000-0x00000000007E6000-memory.dmp

Filesize
88KB

Download
memory/2628-414-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2660-430-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2660-417-0x0000000002F50000-0x0000000002F66000-memory.dmp

Filesize
88KB

Download
memory/2660-422-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/2660-416-0x0000000002F30000-0x0000000002F4A000-memory.dmp

Filesize
104KB

Download
memory/2660-421-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/2680-161-0x0000000140000000-0x0000000140377000-memory.dmp

Filesize
3.5MB

Download
memory/2680-82-0x0000000140000000-0x0000000140377000-memory.dmp

Filesize
3.5MB

Download
memory/2824-0-0x0000000001000000-0x00000000011B0000-memory.dmp

Filesize
1.7MB

Download
memory/2824-1-0x0000000001002000-0x0000000001003000-memory.dmp

Filesize
4KB

Download
memory/2824-2-0x0000000001000000-0x00000000011B0000-memory.dmp

Filesize
1.7MB

Download
memory/2860-452-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2884-21-0x0000000010000000-0x00000000101AF000-memory.dmp

Filesize
1.7MB

Download
memory/2884-54-0x0000000010000000-0x00000000101AF000-memory.dmp

Filesize
1.7MB

Download
memory/2884-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2956-395-0x00000000030C0000-0x00000000030CC000-memory.dmp

Filesize
48KB

Download
memory/2956-410-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2956-391-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2956-401-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/2956-394-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2956-396-0x000000001C550000-0x000000001C564000-memory.dmp

Filesize
80KB

Download
memory/2956-400-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/3000-170-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3000-89-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3000-220-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3004-462-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download