Malware Analysis Report

2025-04-13 23:46

Sample ID 250103-tntevsslay
Target 94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe
SHA256 94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4
Tags
expiro backdoor discovery evasion trojan
score
10/10

Analysis Overview

score
10/10

SHA256

94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4

Threat Level: Known bad

The file 94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe was found to be: Known bad.

Malicious Activity Summary

expiro backdoor discovery evasion trojan

Expiro family

Expiro, m0yv

Expiro payload

Disables taskbar notifications via registry modification

Executes dropped EXE

Windows security modification

Enumerates connected drives

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

System policy modification

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-03 16:12

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-03 16:12

Reported

2025-01-03 16:14

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe"

Signatures

Expiro family

expiro

Expiro, m0yv

backdoor expiro

Expiro payload

backdoor

Disables taskbar notifications via registry modification

evasion

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3350944739-639801879-157714471-1000 C:\Windows\System32\alg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3350944739-639801879-157714471-1000\EnableNotifications = "0" C:\Windows\System32\alg.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\system32\bmckdeif.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created \??\c:\windows\system32\lmfpcpip.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created \??\c:\windows\system32\wbem\dfdehieb.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\vds.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\SysWOW64\dalgppif.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created \??\c:\windows\system32\pbjcnhdl.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created \??\c:\windows\system32\diagsvcs\bpghploo.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created \??\c:\windows\system32\oflpobog.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\syswow64\perfhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\SysWOW64\spectrum.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\SysWOW64\Agentservice.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\Appvclient.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\SysWOW64\mbidbdol.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\SysWOW64\tieringengineservice.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\wbengine.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\tieringengineservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\vssvc.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\dkqjegmh.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\Appvclient.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\SysWOW64\msiexec.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\SysWOW64\sgrmbroker.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\SysWOW64\openssh\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created \??\c:\windows\system32\enainjqm.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\SysWOW64\alg.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created \??\c:\windows\SysWOW64\dgkdemjn.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\SysWOW64\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\SysWOW64\wbengine.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\spectrum.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\SysWOW64\jenffnif.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\alg.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\sgrmbroker.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\sensordataservice.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\SysWOW64\lmmeclpi.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\Agentservice.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created \??\c:\windows\system32\naonehlo.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\SysWOW64\Appvclient.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\SysWOW64\locator.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\system32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created \??\c:\windows\system32\elgolehb.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created \??\c:\windows\system32\ekclaago.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created \??\c:\program files (x86)\mozilla maintenance service\kgaimono.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\Google\Chrome\Application\elidehmc.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\dotnet\ddnfppgh.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\kgiajnjn.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\Internet Explorer\kjkookie.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\Internet Explorer\hfoijjjp.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\ngkmldah.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\source engine\ose.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\program files\google\chrome\Application\123.0.6312.123\jifmaeqa.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created \??\c:\program files\common files\microsoft shared\source engine\pbbmgjaf.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\Internet Explorer\dendjgfp.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\7-Zip\nccafaqk.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\lhbjhkab.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\windows\servicing\lijqqbed.tmp C:\Windows\System32\alg.exe N/A
File created C:\Windows\Logs\CBS\CBS.log C:\Windows\servicing\TrustedInstaller.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\servicing\TrustedInstaller.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File created \??\c:\windows\servicing\loiihnom.tmp C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe C:\Windows\System32\alg.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\alg.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\System32\alg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Windows\System32\alg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe

"C:\Users\Admin\AppData\Local\Temp\94f8381d594aba6c3e437775705df6eba8a728403b8063a58b7da54b7ebd00e4N.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4580-0-0x00000000004C0000-0x0000000000555000-memory.dmp

memory/4580-2-0x0000000000400000-0x0000000000555000-memory.dmp

C:\Users\Admin\AppData\Local\nmfakinm\iflldjig.tmp

C:\Windows\System32\alg.exe

memory/876-22-0x000000014000D000-0x000000014001B000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

memory/3140-39-0x0000000140000000-0x0000000140136000-memory.dmp

C:\Windows\System32\FXSSVC.exe

memory/2808-46-0x0000000140000000-0x00000001401C2000-memory.dmp

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

memory/2808-53-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/4580-54-0x00000000004C0000-0x0000000000555000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

memory/876-66-0x0000000140000000-0x0000000140137000-memory.dmp

\??\c:\windows\system32\Appvclient.exe

memory/876-68-0x000000014000D000-0x000000014001B000-memory.dmp

memory/3140-80-0x0000000140000000-0x0000000140136000-memory.dmp

\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

\??\c:\windows\system32\msdtc.exe

\??\c:\windows\system32\msiexec.exe

\??\c:\program files\common files\microsoft shared\source engine\ose.exe

\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe

\??\c:\windows\syswow64\perfhost.exe

\??\c:\windows\system32\locator.exe

\??\c:\windows\system32\sensordataservice.exe

\??\c:\windows\system32\sgrmbroker.exe

\??\c:\windows\system32\snmptrap.exe

\??\c:\windows\system32\spectrum.exe

\??\c:\windows\system32\openssh\ssh-agent.exe

\??\c:\windows\system32\tieringengineservice.exe

\??\c:\windows\system32\Agentservice.exe

\??\c:\windows\system32\vds.exe

\??\c:\windows\system32\vssvc.exe

\??\c:\windows\system32\wbengine.exe

\??\c:\windows\system32\wbem\wmiApsrv.exe

\??\c:\program files\windows media player\wmpnetwk.exe

\??\c:\windows\system32\searchindexer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Program Files\7-Zip\7z.exe

C:\Program Files\7-Zip\7zFM.exe

C:\Program Files\7-Zip\7zG.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
