expiro | 7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/01/2025, 01:18 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Size

772KB
MD5

68029b2bf01d687a4661d4b61a2f0740
SHA1

b9431ba2ae320295935f70a68764c387a9450411
SHA256

7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6
SHA512

1c7f5ab2bad06d24f2b49a8c6b34f60954aabd9abfc2d879c6b1eda7614c4f044bbb6262f015f2ed421e4966b06bf9c693ca854ba17146e7c33830984ea689c0
SSDEEP

24576:mVzwix9dfixVZ1L61ePrXxW4T0tfEEL0uX:eDNfixU12TxcxEEY

Score

10^/10

expiro backdoor credential_access discovery spyware stealer

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 3 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2736-5-0x0000000000400000-0x0000000000688000-memory.dmp	family_expiro1
behavioral1/memory/2680-54-0x0000000010000000-0x0000000010267000-memory.dmp	family_expiro1
behavioral1/memory/2252-159-0x0000000000400000-0x000000000066F000-memory.dmp	family_expiro1

Executes dropped EXE 9 IoCs

pid	Process
2680	mscorsvw.exe
472	Process not Found
532	mscorsvw.exe
2252	mscorsvw.exe
2016	mscorsvw.exe
2840	elevation_service.exe
1052	mscorsvw.exe
1160	mscorsvw.exe
1372	mscorsvw.exe

Loads dropped DLL 3 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\Q:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\R:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\T:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\U:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\V:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\E:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\I:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\L:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\M:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\N:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\S:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\W:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\Y:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\G:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\Z:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\P:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\K:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\O:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\X:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\J:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

Drops file in System32 directory 49 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\vds.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\glkhpicm.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\pfhcgofj.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\locator.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\ikbhogjm.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\njcgplll.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\adoogini.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\SysWOW64\mhpcjfpk.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\SysWOW64\plfiqnoc.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\ghcmaoll.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\ocphnana.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\ojjjemmk.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\SysWOW64\gphmiqdf.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\wbem\inleninb.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\nmobpfcp.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\alg.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\ffgqclbd.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\SysWOW64\dkpngnkc.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\bhkebcfe.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\jiianoje.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Internet Explorer\aglddoil.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Internet Explorer\oijkbfoh.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\hpbanfjo.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\cgakfigd.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\emdpmifb.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dgilkpmn.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\onakajab.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Google\Chrome\Application\bhlnifll.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\idddgalc.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\7-Zip\nklemblo.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\feqkbkgm.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Internet Explorer\onnmbqjl.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\qfemblig.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\fnldmfii.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\program files\windows media player\lcnpdooh.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\eqiodbdg.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gnciljmn.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

Drops file in Windows directory 39 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\kioipbap.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\jpbocgmg.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\ccefpicn.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\kjlojhoh.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\pihcijom.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\kjpkacon.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\gdnhaeep.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\servicing\eadjkdoj.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2736	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2736	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	2016	mscorsvw.exe
Token: SeShutdownPrivilege	1160	mscorsvw.exe
Token: SeShutdownPrivilege	1160	mscorsvw.exe
Token: SeShutdownPrivilege	1160	mscorsvw.exe
Token: SeShutdownPrivilege	1160	mscorsvw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2736	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1052	2016	mscorsvw.exe	36
PID 2016 wrote to memory of 1052	2016	mscorsvw.exe	36
PID 2016 wrote to memory of 1052	2016	mscorsvw.exe	36
PID 1160 wrote to memory of 1372	1160	mscorsvw.exe	39
PID 1160 wrote to memory of 1372	1160	mscorsvw.exe	39
PID 1160 wrote to memory of 1372	1160	mscorsvw.exe	39

C:\Users\Admin\AppData\Local\Temp\7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
"C:\Users\Admin\AppData\Local\Temp\7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2680

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2252

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1052

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ncjookla.tmp

Filesize
718KB

MD5
bb37dc16c22399fc42a11f24fc098fd6

SHA1
9d21434e0c84d52e51913d38ba2f9b4fc55b9fa8

SHA256
466d69c86e14a0f1a1e01a5db7f42253f07e6e16ebc710d4607064fee89c58d2

SHA512
80b55f99708ceb38b5736ced0df3843da705bf55c6e9d8cbfba949817a48604ddef38914f138873a8943d3cdb8c8ac9a8230d3fd666c2d50c6283100d60f17dc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp

Filesize
4.9MB

MD5
6c1481e2ee8c617dae4bcdb818e0e5ab

SHA1
4cdc1ab33a387552b4fcd523b7cc9ae7f9ba016a

SHA256
e0d37b083fe1295eb7b142da850384101d6c84dbaca9103db0f31503eb695fae

SHA512
54d9975ab30b05db3b1a9152c3394635f0d99260f91aa2bbb77564c15f1530d0f1ac2b8e500aeee277510a9c34da8ceff7371666df5c6d5f0a50c6d8132f674b

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
ad7aa73f5bf592db95168183e914faf5

SHA1
b75b7513eca5e60848682653b9e38bdfc798f8d6

SHA256
3b18b2b1525af66976c1f7e87c930982c3e671e9d091cc93055398bf6affcc44

SHA512
01e4f8fb8e0885238ebf64d13385963d88a3ddc450f2a4a0f3bceed7072cb4b7a202921ae9c92c3b05a6128c23ec57f0af434b06736f1c18de966cdd8d3f37d7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
994113f8235c03736c03bdeb489b4a92

SHA1
d845c791cf09dd43885dd46c77edce9f3266848f

SHA256
eb21c35806e27173f3fad6b390800cf42cb6ae4b47d8bcf1442889cc0a5bee48

SHA512
90bad7f093c04f178342e2d8e8a88acc61dde2b265715f0eed0d92339359b198271eda741041c0b1d60995b3a1c1cbb166385464adca04178963241bf20b378e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
728B

MD5
84b5050d7fa779ce22fd805e02f97231

SHA1
a289ef7932b96834c1a275810359cceb41c0859c

SHA256
7e84d6e449f33a0d40b06f8e63acf5d561edc130a7ef49ecbcd544e81113825c

SHA512
b575affd2c62234760a34547722f772662caa1291c9a72b71ee2e750f96ad9d72d63226065ec893a728701dd21a93ac7080cbbbfe68dad1f524f577b31e7eddb

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
641KB

MD5
bc42e23530442afc6698b2857ee2dd97

SHA1
4a42cc0d3b26c2bcbb947fbee77a2ae2b431aded

SHA256
2a844fc82611c339ff56cf009c6877679f121c457aaad2639c5388d56aed90b3

SHA512
d4d77773d71368cd6abbf29a85789fd79baa96e46a54daf1219bfb9c2226ffaaf388dc35c12ab60b92b2bb08a705f5b568061ce05a282154d6200b042858d908

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
3a592e44332e86cfa5c90a7b4fe54aad

SHA1
8d872d648ca5fe2202eeb467f3b3b78ead6e5fc0

SHA256
d7d8f2a2d0add3e70f9a6803706b6c1af81ec494c58a32f3daa46baff63454e7

SHA512
4ede94e7f8b9aef59ea7a82b5975b651b4598e6a583f0d38dafd8e6115c44918312915f4ff8f9354ce879a52af877036f8dd057afb545d0907b892c89da82ec3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
668KB

MD5
e0f34708bf3896cd28391d38f4a95d4d

SHA1
3d1ba67d16efa8d42f23e00907e7f661302b9a39

SHA256
22341ea7075f4ba2f8bd19af4b8b03329c580317160807377d49380d0f65c449

SHA512
52d81ef3dbbfad23b677bf54d078987fe30e887063378a170afb693fbd8b0fe66cdf661e08c6804fdff4f29c4ce9c35f438026f07fc2039ed087aec172f5fb50

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.2MB

MD5
894b4782c87fb2571343f9d5892ef5d5

SHA1
50f6120fcc5ce7f4e093525d8dcee5575053a19a

SHA256
a551ba4521fa838d00fa17f41f16b6d235547ce30ec81c97131b1674781b73b6

SHA512
d21d6d46e2de3c7459983193ecbde50fa7a453907006f72c1dd84dc1e941b92c0e79f7dbd54dd5d2eae811d0e5642e281b2a178e7d649e5940bd4220a480718b

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
664KB

MD5
4ce7f9425049adbe2ad19a175faaf78b

SHA1
9a9cf7d1955e8a85592b6a5eb69f5940b667e9ed

SHA256
2f04378d89ff48562504eb87729bc6f4db2dc0070fb07be87ba7f7a95eb7b607

SHA512
78e814922bce7314987a491d4516c37b2167e7d68767ed3e7a5364b10453717367595659d5237f8744bb7181ddefc6cf661321801faf3f252fab522d09a25cbb

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
07cc7746ca9d704d56ffe1f60c834f75

SHA1
e651aab881da1460dbce5b4393ae610934ea6a30

SHA256
aa7493996395af2c7ecc0179ae1e04b68aac3e83597e95c6f527a379721dbb46

SHA512
5d029389e15639f0ebc6a1a8b8d0196bab36fd60027110a9f33f0b42d60981afb774e9be3c7bf5dc43331e991eaffdddf663628da55441a6d136d51035f6d920

Download Submit
memory/532-36-0x0000000010000000-0x000000001029B000-memory.dmp

Filesize
2.6MB

Download
memory/532-78-0x0000000010000000-0x000000001029B000-memory.dmp

Filesize
2.6MB

Download
memory/1052-166-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1052-164-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1160-340-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2016-60-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2016-163-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2016-165-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2252-159-0x0000000000400000-0x000000000066F000-memory.dmp

Filesize
2.4MB

Download
memory/2252-46-0x0000000000400000-0x000000000066F000-memory.dmp

Filesize
2.4MB

Download
memory/2680-54-0x0000000010000000-0x0000000010267000-memory.dmp

Filesize
2.4MB

Download
memory/2680-23-0x0000000010000000-0x0000000010267000-memory.dmp

Filesize
2.4MB

Download
memory/2736-1-0x0000000000F30000-0x00000000011B8000-memory.dmp

Filesize
2.5MB

Download
memory/2736-5-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/2736-4-0x00000000065E0000-0x00000000065E2000-memory.dmp

Filesize
8KB

Download
memory/2736-0-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/2840-88-0x0000000140000000-0x000000014042B000-memory.dmp

Filesize
4.2MB

Download
memory/2840-167-0x0000000140000000-0x000000014042B000-memory.dmp

Filesize
4.2MB

Download