Overview

overview

10

Static

static

3

94f8381d59...4N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 16:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe

  • Size

    643KB

  • MD5

    512487411fc46cb1df352576c326c1b0

  • SHA1

    4f8ebee58fe1a34e44f14d3d5b82c115b62a31eb

  • SHA256

    94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4

  • SHA512

    32125555f8bc434f79c40d824fb4a451358fc2f0e838f73a658215ed8d4f978d8939e8e4ccab94e49aecf3a1900beb5a248c8d4bc882fe56fd4993ba55970028

  • SSDEEP

    12288:oj32cnr9X6oq8UtOhVUAS/5M74xSkEoedy9cHN5H1dCTD+:A2cnr9X7ZhKASBuPkEoUEINF7

Score
10/10
expirobackdoordiscoveryevasiontrojan

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 3 IoCs
    backdoor
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe
    "C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:4580
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:876
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:3140
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:4568
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:3272
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:384
    • C:\Windows\servicing\TrustedInstaller.exe
      C:\Windows\servicing\TrustedInstaller.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:3964

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      Filesize

      1.9MB

      MD5

      0899d45608178abb43f723c86c85a519

      SHA1

      318c3fd2b6a5b2abe0e632e51229008494bd8863

      SHA256

      eb31caf4f45853d7999e5e5431798de2c927f74861f60a44a96bf139aa98d1f6

      SHA512

      aecbfa016164133f22dd396cbe7ee9cf81dc611d39e709131b32a74f1928aa4be3619379bd9b4f866c1d057e24a15459270ba11600d34470d127518f16e16ef6

      Download Submit

    • C:\Program Files\7-Zip\7z.exe
      Filesize

      940KB

      MD5

      868b76d2cbfd2332df8a0158cbc9f123

      SHA1

      a40f2d699337bc5c8ce5023872baff00ee1893d3

      SHA256

      d547fae1138b7b3bd01c9f677dd110eeedb634e68a79649829734242eccb753c

      SHA512

      6724b2e0cb4f421115c834806f5e50f5c867c9be0d378551dc5a1e5db368e89a892595a535d60a3a24a6cf76cf44ccbee9efc7645bf629e910993e090639b4c8

      Download Submit

    • C:\Program Files\7-Zip\7zFM.exe
      Filesize

      1.3MB

      MD5

      c0f010b3f381a14f2c316a5724943cd8

      SHA1

      84d9528cdf27d7e267e5fdfc80728e0655292047

      SHA256

      888de1c8a842c97152a0b0c5a3b12bf57670d5b1ae96d6953dba3499e2d9efc1

      SHA512

      b4fe8f3cd1bfddf992d0226a9a374ac76025944fc73f94ba5f6ff7f157f5897a7546a836c375c84aa7d0540483385aa67cc4a538b31e913075ba2294df2c1a16

      Download Submit

    • C:\Program Files\7-Zip\7zG.exe
      Filesize

      1.1MB

      MD5

      3a9fe3e1112863065b45e2f225d6ad11

      SHA1

      71e6ee2355a16bc7a8471c8d6423311f3e093e70

      SHA256

      27ae3ce2233c7c7075df30f1b6f2d1e78bc893980bdca4a445b13bd86a22f31c

      SHA512

      35b7019784bd23ac518fc9d569ef80c1a2099d393ab1b866a919f6abf777853acba795b39224ee47c129995f9939ee067f0c337bc955c24723129cfa7ac9fcb0

      Download Submit

    • C:\Program Files\7-Zip\Uninstall.exe
      Filesize

      410KB

      MD5

      a716c16f691dff1c67850d0f98c0ea84

      SHA1

      a46927a3a3b023cc28e6e104a8b904708010b6d8

      SHA256

      7ee9e4efd9caed865ec36a8696fb16ff3bdc1ea7587ab001a59af96b09f0b0d0

      SHA512

      351a401189e255164c9daed8cd20c344c32c18ecb205d7c61c4adf225140b5e55dcfaa96ea36fc3d9716253a17b4b58c7b4db4a33cc7f20cdeb3e0bfe450a994

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
      Filesize

      672KB

      MD5

      cb0fe36228527198e36b4b782ba8084c

      SHA1

      09161be787eecdde9dbb76007d93690171017f09

      SHA256

      168e4640c3c351b500cbd7fd24e8c80996fffbd47502990061edd0cb11abdea2

      SHA512

      081bfcadeaca250fe349224a8b4612af354fba6f179021b08b6888e6eecf6fa12b552ff3453cd2d1633f338d8f85301a610628a4c6fa20fcafa91f5daf0a8897

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
      Filesize

      4.5MB

      MD5

      99eb66e03089b111808d3db5b8e9f511

      SHA1

      7800044cdc3578b2280897d980f38b2320cf1245

      SHA256

      ab830085aa05abe72fc55b1ec47aedfb6558b52a43ae23cf85d7b031b01edd0a

      SHA512

      be26caa749c693e17da5c1538ed7d3991a7b356d90669fb7538b9f7c8949f9b22fa7ff0e938ba61db0140049c43c34e46f324f1e3600cae3a549093d81800318

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
      Filesize

      742KB

      MD5

      80eda8ca44f0923c7c0924498b08a995

      SHA1

      98e9923b199b60f32e5a34cd6d9eecfb25e9bf7d

      SHA256

      97acdbd362d5b2985ab78c6288834b5c18512a64b6f1115bdd1f7da787a4470b

      SHA512

      2f5621e107a796a74628b58f37b2fe1b57cdfdfa0538b3e46fe728322a6e32779fbe33fadff41cfdbf2d1b3048df81f65bd635524fab4e5f33d9e0f8322aba28

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
      Filesize

      23.8MB

      MD5

      cf092bcb999332d0e69f892ceac6e27c

      SHA1

      5d023316ac8050addfef3aa79f49326df3d0ff62

      SHA256

      ea65d34e7473f0a9caab4077f44b97bd275de2a8e0ef1f2bb7485efc8dc8ebc2

      SHA512

      f61076582aa10a88552a68d4027fae5f83ea29f96aabbf5c6b22184471b3b628bcad1f17875b3f8fd4fb5eb18f448404c82a14dfd32ecf624c9c4b5e67dbfaf3

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
      Filesize

      2.5MB

      MD5

      667eaa07cf1266183ad99cce0ee21de8

      SHA1

      c23c1560ad59fd4959ae03be79b70dd79de8bc97

      SHA256

      a22f25eaa6bb8d580c1d26f28a092c53ad7e633e929361a7f8ab1758c95167c4

      SHA512

      8c15c090a34ac9a4e39cf270b650116347b5dc4a787564f2fd373bcf6a791185138285c8b2abe7476fbd45b29cebec787f1adac35decc93d761d22d353cfcaea

      Download Submit

    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      Filesize

      2.0MB

      MD5

      44ee88f1bd126d56a44e7a8c15d3d0d0

      SHA1

      64459c34ed1ae10806a3849b5049882e749562c3

      SHA256

      fb02deb374cd0261e201ea679a9ef69d23ae6f9ca91b964b5938b67068e52558

      SHA512

      892bd9d33f9c496a53a0b63d10379181fa406275808db35137ddb8d951cdbeaec1f5bbba004f6f70868a6b4d982e1bc9bc661bf9b970690d117cc38e05e64973

      Download Submit

    • C:\Users\Admin\AppData\Local\nmfakinm\iflldjig.tmp
      Filesize

      629KB

      MD5

      e3cb8fdc49852c516e74ac6475e85106

      SHA1

      d2eafe536a468bee359c3a191db88eaf7ebd0ae4

      SHA256

      7ea15563c8cc8ab22480e2b7c46c960eef9236149014bf2a2532c9bb67f400c1

      SHA512

      62058b2530008e4ea7a5f70735de522c33c7b8b56c90d645506f06a62d27d4495eae0077e9560055f8e87f6b68255c31eb1d57c713fca55675b6685af5b5956d

      Download Submit

    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Filesize

      822KB

      MD5

      06dce96200b3779c28c7879b577f4002

      SHA1

      1cf5d6cfa2e0e908984eca02d4a0d61ca0f36755

      SHA256

      e1b843beb132bd1c78e1605d15be480a6bc980b67e32d440e9a82042ec29606e

      SHA512

      8bf4a6d93220bae4461685324bb2d73333b9b9bf267b051428218e7a908fbfd4cf107c77dabe059ace1ce67f8f9c5694433a6e960b0ba4004a874285d4b3edc2

      Download Submit

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      Filesize

      491KB

      MD5

      23ee7a1837529a8fe8774c823d021e1b

      SHA1

      c109c9a27d77ba997056af672da1e465d96d2f1d

      SHA256

      be53da760acdb1cdf1a2ca135ba40631e188677186a9cb8c6812c95d8bafcddd

      SHA512

      c6322d78b3c60a39fb43fb329f847dce151646da430a96daa60de89172df5b15ba9ce9c8fe89940022a46312982a4024b3b3df11f08d5ec6816d0536406ccd07

      Download Submit

    • C:\Windows\System32\FXSSVC.exe
      Filesize

      1.0MB

      MD5

      e49d3ea1fa9636c4757af9a899184295

      SHA1

      ba0eb29978bb349519d2e4947730cc5d09bdb5c8

      SHA256

      133aaa83c5c032917dbb0699d841579b26a420fed168c1681e0be70a5e8d9b87

      SHA512

      cd00ad5f4edfacd18c080778d90c91af049f03aef31ec72c1ec605bc05f1aabc39cbc45c2511d912efc43ce08686b2121cfcde91d6879e671b94bfc08c749be9

      Download Submit

    • C:\Windows\System32\alg.exe
      Filesize

      493KB

      MD5

      b54b2f76a5e599250042ad833d0cbbb4

      SHA1

      6190941935ea864ee5ea0e28b30ac78aea52c5f7

      SHA256

      81de6276215212e68567c58524dd2c5e809202010a7b88741924c88bd1c95cc8

      SHA512

      04d41d7677c0c36f07a241e441b6b3ba6d2c6c7686f2cd7449fd5fa0b0106fca817968d0408233b4ccb9ed6e512ef356bf0828953783704a0adbfe4430663e4e

      Download Submit

    • C:\Windows\servicing\TrustedInstaller.exe
      Filesize

      193KB

      MD5

      805418acd5280e97074bdadca4d95195

      SHA1

      a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

      SHA256

      73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

      SHA512

      630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

      Download Submit

    • \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
      Filesize

      621KB

      MD5

      4814b14c92530d781af36dae7c375f99

      SHA1

      832393baec6e8285fbc57bd99234473eb42f5437

      SHA256

      5fc1d90c53afdc77ae7c7c272215b0324c877de3964ff271c218f691adc6b6ef

      SHA512

      890cdb567ff1fc9f40d29a39ebb6097ab3cad375ba6fb408d1fe9bf5a58f86975c4599806568602093d6648d0bba454a7338f85de6cd3c1a979a6d3f1801eeaa

      Download Submit

    • \??\c:\program files\common files\microsoft shared\source engine\ose.exe
      Filesize

      637KB

      MD5

      00aaaed27dbb1321d5e93d771e4f53b1

      SHA1

      1f7aca3f74e09b9a572fabb7dda688d202f11100

      SHA256

      f3aebb2dcaaf73a1eebf149852dd88261537b82ef2b38fdc940af286e034018e

      SHA512

      870964e75d205b6b061a95d8a85e15f04772bb0b33a10fa25bd18cf402922119965e60fc4a21220072a159a5ac56fd0d135374b9ad3383e6ccce3db56ac3e30a

      Download Submit

    • \??\c:\program files\windows media player\wmpnetwk.exe
      Filesize

      1.3MB

      MD5

      7bbb723bb08c809debffb06501bb3779

      SHA1

      c647a58c6e2f5a8f16a1b06a919e5710a32bfa2a

      SHA256

      d11ea922c1f655136684ed76e9dc5622de6a9666b2e38da2a89ea28a8248d292

      SHA512

      720130f13885fddcc99e2f7b2f31dd2fc8b3f6ffee8159714705f29414966fa02d9eb4cd9bb0342c9aaf57347900d81b4753acdb85b72e2e0a51106dd3fb55af

      Download Submit

    • \??\c:\windows\system32\Agentservice.exe
      Filesize

      1.6MB

      MD5

      ae89ca1cabb7c5eb57424a7bdb0af8ad

      SHA1

      7e658ccfabaf45cb33f36553f66f620aae08c9bf

      SHA256

      a3e43f6431920328311cdb293486ad43c85e9d66e113aa22ced38a6a722144a8

      SHA512

      6b7c7b9fbf01b55bbaddedaec03902cc63c2ad497c9bebb203bd4bc88e3bf0f6b8f6a69fb142d4f5fbf3d292cd28d9776da94c5c10ed738754f4a866b8a09117

      Download Submit

    • \??\c:\windows\system32\Appvclient.exe
      Filesize

      1.1MB

      MD5

      1399897a18b95c33c28f42e039331cf7

      SHA1

      6861e1fa1abc04416c4348cee38aed098f28d752

      SHA256

      1777d73134358badd0292df0b350ba1caad883791e859c03ba56cccfe465d260

      SHA512

      66f631ca3798a4380f168ba3a44cbc08741adbf81a01c7126fb1b12eaa045fe5469a4fde9b91fc2179255134738549b6dd0c9bf7b425731c6453b24f5b58626d

      Download Submit

    • \??\c:\windows\system32\locator.exe
      Filesize

      410KB

      MD5

      8a29f7f965fde65648a46605a3e627c4

      SHA1

      1aa7de02b620b16a7359365c23c96598b8616393

      SHA256

      facee1cfc62aa76b70fe27686e6000655046c7bfafaa322614fe82f5d2989bf3

      SHA512

      2298cd1a9d61c354dcd0797969a65cb14ede1698c5fdb659d8764e077feaed8d25b8cc27b05c53dc9a6844915344f074b2b47999b18b41808ad87a6faf425c7b

      Download Submit

    • \??\c:\windows\system32\msdtc.exe
      Filesize

      544KB

      MD5

      55ee2984c1474469d7a6b4f9088b739a

      SHA1

      2ef93e302726034aff03c8db9110faa7cb9734b1

      SHA256

      cd0ac36340a70859a26110f8addf26c0fd09ee319abbafa2f4ca9a4a1ad09bcc

      SHA512

      b9b3063ff8e393ebc9786810f2013f68589414efd2380e67ac743526bc28f0860508992a5834de01d6b420d8e100dab1294e6cefe46661adb757108415019239

      Download Submit

    • \??\c:\windows\system32\msiexec.exe
      Filesize

      467KB

      MD5

      bae04349e6aad207c99aec4c12f3f27d

      SHA1

      16e0eca1c0231b147d24c6b59655af78531c0707

      SHA256

      e92d0182a0c525936976115e58ea345393965c0c45e373c2d0d989034030e123

      SHA512

      145be6039ffc35b24802f6b2c77a013cb3fda1998b27c45470d993d45b2ff10a6734548e799846343e99899188137ea79ca31289d3542abda5b5dc9546d71bc8

      Download Submit

    • \??\c:\windows\system32\openssh\ssh-agent.exe
      Filesize

      772KB

      MD5

      165da414644ed9e01224b676cfc36bca

      SHA1

      ef896d54a341939fdf68435a35183edba6bccc6a

      SHA256

      731178656e8d22d3e26a0282a68b3d39fcc31e36279b937b035ce3093ab9c468

      SHA512

      68ef04d079c0fba96f3e8823181b27351f6d2694740e628bba270fa21571d51f52623182241e8bb932ff07cfcecc8338d11b5743c6be6f883e748f7946f6f185

      Download Submit

    • \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe
      Filesize

      503KB

      MD5

      e21a6640478681de2d02e9329225b713

      SHA1

      973d1ae3f1a3fc63cb0b850e2a235b618d914a3d

      SHA256

      dd4daa4f019c9250344637e7f67679451a2418b141576f5c3b7a6a4841b69b96

      SHA512

      80d0697d56e43a0eb3e5e76dfe57bd38c820f0c7a35880df2342212f3e56357289fadfe8127632cf75143a6daaed98b5267639b27a253303d2b6695afa63ceb0

      Download Submit

    • \??\c:\windows\system32\searchindexer.exe
      Filesize

      1.3MB

      MD5

      ed69db9cf17bfc244dd802c3db307691

      SHA1

      8a0beb727caa9a167416a0a8cd1d72e1cc5f6c20

      SHA256

      b25472f1fdaf85c582e15929102a2eefcc3d4fd091a386c002f81d0600756e4a

      SHA512

      632c5eeb5aedbd5f3166a2a5d5bab2ce93aa7333bfccc125f4771a91915c4e1bcc7eefa92e9dbf2674e3bae6f703f73594801f8835a8bec06b2ac54d78120ee6

      Download Submit

    • \??\c:\windows\system32\sensordataservice.exe
      Filesize

      1.6MB

      MD5

      e081c409256892649814330fe4e56c4f

      SHA1

      34a5629e84c46b9132bbac363414182be7783bb8

      SHA256

      780f6b21f09be7bf1d37a8ce48eac162a57096482c3669f01b1f06be59b0881b

      SHA512

      f499f68ed5faef3459b0763929dba5c4cc9d602244305e35546bc8f24f978f513f1c1f8e320178135e6960b65e4bf675ad10a9c84b7a5f92083d5f88943d6064

      Download Submit

    • \??\c:\windows\system32\sgrmbroker.exe
      Filesize

      709KB

      MD5

      1f3dfa23d11e4d918de609ab0cf7f9c4

      SHA1

      2d0d3e5310d0dbf66dfc3bd7928d48bb2ba624cb

      SHA256

      839181b41168cac95937397ac45a2c730fd9a9a1b7fc3acc1159f3853f36c18c

      SHA512

      7f1237d9aa53083add0edbd82dc13b80467aae7f355d2a067902d2f97374507a637a8d863b74881b8382d5a28a86b453cd4c62c8b702e8d485b437923e5543ce

      Download Submit

    • \??\c:\windows\system32\snmptrap.exe
      Filesize

      416KB

      MD5

      ecdf904311ef15ae7358b7592660e9a8

      SHA1

      6f51ec0886c75b9262d6d23c55b4310eae8a924a

      SHA256

      5c2a6b2d87672999560e1a1afe538dd0b4766b212fac0699fe897026b3b05549

      SHA512

      c2e76952d1d1f8d9af4cbf93dcfa4de267a12fffcca6bef748a8e377c8a9ef62cd9104f1cf05b8a85fa461450ea60d64c6ea2f4821e32280a4df24dc011930d3

      Download Submit

    • \??\c:\windows\system32\spectrum.exe
      Filesize

      1.2MB

      MD5

      c806fc88b8caf13f2021add272d24bcb

      SHA1

      473d7c6421355230091f7c41043644214d254c4c

      SHA256

      9c3933a56be7edccd50e682a098249c2e32895a70ed690ac2d2a320eb8bbec5b

      SHA512

      9e5bd67936bf85b2656acbf8e9c963f8de37b822d3d1d4374be14e66db5598249d08e45f563e602ea779a16dae676945ae66723a16b6217e17a26ae97f4442a3

      Download Submit

    • \??\c:\windows\system32\tieringengineservice.exe
      Filesize

      717KB

      MD5

      65d01a2b34f0c80c724412f82f0760ed

      SHA1

      225df6c8d1f8a1817b57d07563d01068c5863038

      SHA256

      053efc4c57f69fb1e00325da47a4946bc405839921414885834f84b0b86b91c4

      SHA512

      9b30aa56b27ffb3d8fe9bd0788e27a1af911094e4cb0bbcd5f6f9142736ada6491c9c41ff744880ada68c614cb64cf88b1b19da428da439f7ad72cb18dee6d9e

      Download Submit

    • \??\c:\windows\system32\vds.exe
      Filesize

      1.1MB

      MD5

      1f7b63b8269504b2732d30bb6fa4964b

      SHA1

      d3b35860b563a8952868ba2530f5b0f93bab3de3

      SHA256

      d088d8596add9341ee16e6f50607b198c819425f4d9bfd79e0caeef04cfe3b19

      SHA512

      a1ef67dbad5a92d5783c083fb3f275723ffae24e58acd4cdc74f7b5947b29d43e0953f5ba8fe59a4f1b7628500da6cac5760cc50da811d88ebadd4ff48cad748

      Download Submit

    • \??\c:\windows\system32\vssvc.exe
      Filesize

      1.8MB

      MD5

      7f7a67c377451a8e834521e27ccc8f97

      SHA1

      9fc4381c0a42d86443e6144a94cfaf037dfe0c38

      SHA256

      89f9cb1a381be7f392174524241a9fbbb54a47a28354254c90d87fbbd59bee6f

      SHA512

      cce3a5a94cf8cc3bb2621503db53d8cc596e11bfde5e0f226888d0c494da84ccd22a7b6020080884d5f976cb4ac74b72a22313c0f4d6718e48d0c90ea7b6cce7

      Download Submit

    • \??\c:\windows\system32\wbem\wmiApsrv.exe
      Filesize

      604KB

      MD5

      97656ae58fecc4bde6ab034ef8d90312

      SHA1

      a2a5d8c9da508d214eb9fd16206f74680e1442cb

      SHA256

      350108b023e390aa6641f0b7d46fb1b0ff1d11513ee6213bf4a1656d1aafef41

      SHA512

      ce5835e23cbfe7a930ddf8f1c62ba3f6edb8b75df31cb76a87df48cc224bdaa0745f5dedf64547b57e66b420feb76fadeac9f24bf4ba1048687eb953ce53e265

      Download Submit

    • \??\c:\windows\system32\wbengine.exe
      Filesize

      1.9MB

      MD5

      dc065aae1f1b73ff61a9db66d10063ae

      SHA1

      1dd53c047d651994498869ee1dd08858f0b34722

      SHA256

      f062fbc029f3f66bb0b9aa68e55b4648258787fba5f5252ce8bc4dc32d78c667

      SHA512

      db2877f30bce9a95bbed5cc60e0059243f1f7be9db82b44cf0152c8329f9692c93e2dc37ad453a100ee52080c2ec16209507284268c1fe765caa7d8e4faa5637

      Download Submit

    • \??\c:\windows\syswow64\perfhost.exe
      Filesize

      420KB

      MD5

      0c8e27dfe4848ddb4f645416e127c2ee

      SHA1

      c23e86e44a005551a355cf2020ac4245bef4a55e

      SHA256

      2d2a05e056a9431ebd64f1344cc86d7b6e79d366f4af406be1025ca1b8b1a8bd

      SHA512

      e57802ba181d706c98108b9acb73f35f35ffd3ac3ba9cad2514afa4b84d5cccdf208e49d38b3c532892f300f2f43b7f7d15f0c16bc0866df87f16d6ef6abaf45

      Download Submit

    • memory/876-68-0x000000014000D000-0x000000014001B000-memory.dmp

      Filesize

      56KB

      Download

    • memory/876-66-0x0000000140000000-0x0000000140137000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/876-22-0x000000014000D000-0x000000014001B000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2808-53-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2808-46-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3140-80-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3140-39-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4580-0-0x00000000004C0000-0x0000000000555000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4580-54-0x00000000004C0000-0x0000000000555000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4580-2-0x0000000000400000-0x0000000000555000-memory.dmp

      Filesize

      1.3MB

      Download