expiro | 704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0ca

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
Size

614KB
MD5

a71bdbb53e08a14b8cf924f160c0b720
SHA1

ee167d53e621bc5dd8a15dee2ed293c065411599
SHA256

704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0ca
SHA512

771f84fe9d7e1becb5f58cfde15e0764a3029055b543cd0cf51e63d40bb400fa94d8f7bb1166c4000d70331b9f45b27c52332a3b987af1dc4bddcf38b888496c
SSDEEP

12288:eUzRRaMMMMM2MMMMMsNsKmnO/IYBD7F5t5WSfvQjPWkx3cPzeRly6ZWfC14q5Dcw:eUzRRaMMMMM2MMMMMsygfRF5tTfvQjPF

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 3 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2648-0-0x0000000001000000-0x00000000011CE000-memory.dmp	family_expiro1
behavioral1/memory/2648-2-0x0000000001000000-0x00000000011CE000-memory.dmp	family_expiro1
behavioral1/memory/2784-53-0x0000000010000000-0x00000000101CD000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 52 IoCs

pid	Process
2784	mscorsvw.exe
476	Process not Found
2652	mscorsvw.exe
1708	mscorsvw.exe
1332	mscorsvw.exe
2116	elevation_service.exe
2916	IEEtwCollector.exe
2868	maintenanceservice.exe
832	mscorsvw.exe
2276	mscorsvw.exe
540	mscorsvw.exe
1752	mscorsvw.exe
2252	mscorsvw.exe
1696	mscorsvw.exe
1936	mscorsvw.exe
2228	mscorsvw.exe
2428	mscorsvw.exe
936	mscorsvw.exe
1576	mscorsvw.exe
888	mscorsvw.exe
2224	mscorsvw.exe
2536	mscorsvw.exe
1480	mscorsvw.exe
2652	mscorsvw.exe
2328	mscorsvw.exe
2064	mscorsvw.exe
376	mscorsvw.exe
2816	mscorsvw.exe
2504	mscorsvw.exe
2376	mscorsvw.exe
2512	mscorsvw.exe
2312	mscorsvw.exe
1268	mscorsvw.exe
1344	mscorsvw.exe
920	mscorsvw.exe
2124	mscorsvw.exe
2824	mscorsvw.exe
2708	mscorsvw.exe
408	mscorsvw.exe
2536	mscorsvw.exe
2104	mscorsvw.exe
1736	mscorsvw.exe
3064	mscorsvw.exe
2096	mscorsvw.exe
2764	mscorsvw.exe
644	mscorsvw.exe
2236	mscorsvw.exe
700	mscorsvw.exe
2276	mscorsvw.exe
2620	mscorsvw.exe
2008	mscorsvw.exe
2752	mscorsvw.exe

Loads dropped DLL 41 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
1936	mscorsvw.exe
1936	mscorsvw.exe
2428	mscorsvw.exe
2428	mscorsvw.exe
1576	mscorsvw.exe
1576	mscorsvw.exe
2224	mscorsvw.exe
2224	mscorsvw.exe
1480	mscorsvw.exe
1480	mscorsvw.exe
2328	mscorsvw.exe
2328	mscorsvw.exe
376	mscorsvw.exe
376	mscorsvw.exe
2504	mscorsvw.exe
2504	mscorsvw.exe
2512	mscorsvw.exe
2512	mscorsvw.exe
1268	mscorsvw.exe
1268	mscorsvw.exe
920	mscorsvw.exe
920	mscorsvw.exe
2824	mscorsvw.exe
2824	mscorsvw.exe
408	mscorsvw.exe
408	mscorsvw.exe
2104	mscorsvw.exe
2104	mscorsvw.exe
3064	mscorsvw.exe
3064	mscorsvw.exe
2764	mscorsvw.exe
2764	mscorsvw.exe
2008	mscorsvw.exe
2008	mscorsvw.exe
2752	mscorsvw.exe
2752	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1846800975-3917212583-2893086201-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1846800975-3917212583-2893086201-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\W:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\H:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\L:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\O:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\K:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\Q:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\S:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\U:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\X:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\Y:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\M:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\G:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\E:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\P:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\I:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\Z:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\R:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\T:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\N:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\J:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\system32\ppflpilf.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\system32\qoclhkio.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\system32\wbem\aqmjeobn.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File created	\??\c:\windows\system32\jaomabof.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\system32\ncoogdmj.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\aglanfin.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\SysWOW64\aombnkmg.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File created	\??\c:\windows\system32\hockonjj.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File created	\??\c:\windows\system32\febbnfmb.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\system32\nngehflq.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\system32\lgpeaiaa.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\system32\kmmepfij.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\elhnkigq.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\vds.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\SysWOW64\cgbfgmjp.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\system32\bpjnajbp.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\system32\imgojhpc.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\locator.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\alg.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\nimidobm.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\iibndipn.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\qfemblig.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\feqkbkgm.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\gdaoemja.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\knqknjlo.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kfefgkli.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Google\Chrome\Application\onnmbqjl.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\idddgalc.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\onicdbam.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\aaehpfnq.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\7-Zip\nnknaeep.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ckillgah.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\jiianoje.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\gakpqfhp.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dgilkpmn.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File created	C:\Program Files\7-Zip\klonohhl.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Internet Explorer\mhmnmakb.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP770.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index154.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\babocmnj.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP510.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1C66.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\fqfdpkmn.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\knhbicon.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1381.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCCD.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPF2D.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	\??\c:\windows\servicing\dpklcccj.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP1564.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\naebpokl.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\ehome\eodhmpml.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP158.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe
1332	mscorsvw.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2648	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2648	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe
Token: SeShutdownPrivilege	1332	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 832	1332	mscorsvw.exe	38
PID 1332 wrote to memory of 832	1332	mscorsvw.exe	38
PID 1332 wrote to memory of 832	1332	mscorsvw.exe	38
PID 1332 wrote to memory of 2276	1332	mscorsvw.exe	39
PID 1332 wrote to memory of 2276	1332	mscorsvw.exe	39
PID 1332 wrote to memory of 2276	1332	mscorsvw.exe	39
PID 1332 wrote to memory of 540	1332	mscorsvw.exe	40
PID 1332 wrote to memory of 540	1332	mscorsvw.exe	40
PID 1332 wrote to memory of 540	1332	mscorsvw.exe	40
PID 1332 wrote to memory of 1752	1332	mscorsvw.exe	41
PID 1332 wrote to memory of 1752	1332	mscorsvw.exe	41
PID 1332 wrote to memory of 1752	1332	mscorsvw.exe	41
PID 1332 wrote to memory of 2252	1332	mscorsvw.exe	42
PID 1332 wrote to memory of 2252	1332	mscorsvw.exe	42
PID 1332 wrote to memory of 2252	1332	mscorsvw.exe	42
PID 1332 wrote to memory of 1696	1332	mscorsvw.exe	43
PID 1332 wrote to memory of 1696	1332	mscorsvw.exe	43
PID 1332 wrote to memory of 1696	1332	mscorsvw.exe	43
PID 1332 wrote to memory of 1936	1332	mscorsvw.exe	44
PID 1332 wrote to memory of 1936	1332	mscorsvw.exe	44
PID 1332 wrote to memory of 1936	1332	mscorsvw.exe	44
PID 1332 wrote to memory of 2228	1332	mscorsvw.exe	45
PID 1332 wrote to memory of 2228	1332	mscorsvw.exe	45
PID 1332 wrote to memory of 2228	1332	mscorsvw.exe	45
PID 1332 wrote to memory of 2428	1332	mscorsvw.exe	46
PID 1332 wrote to memory of 2428	1332	mscorsvw.exe	46
PID 1332 wrote to memory of 2428	1332	mscorsvw.exe	46
PID 1332 wrote to memory of 936	1332	mscorsvw.exe	47
PID 1332 wrote to memory of 936	1332	mscorsvw.exe	47
PID 1332 wrote to memory of 936	1332	mscorsvw.exe	47
PID 1332 wrote to memory of 1576	1332	mscorsvw.exe	48
PID 1332 wrote to memory of 1576	1332	mscorsvw.exe	48
PID 1332 wrote to memory of 1576	1332	mscorsvw.exe	48
PID 1332 wrote to memory of 888	1332	mscorsvw.exe	49
PID 1332 wrote to memory of 888	1332	mscorsvw.exe	49
PID 1332 wrote to memory of 888	1332	mscorsvw.exe	49
PID 1332 wrote to memory of 2224	1332	mscorsvw.exe	50
PID 1332 wrote to memory of 2224	1332	mscorsvw.exe	50
PID 1332 wrote to memory of 2224	1332	mscorsvw.exe	50
PID 1332 wrote to memory of 2536	1332	mscorsvw.exe	51
PID 1332 wrote to memory of 2536	1332	mscorsvw.exe	51
PID 1332 wrote to memory of 2536	1332	mscorsvw.exe	51
PID 1332 wrote to memory of 1480	1332	mscorsvw.exe	52
PID 1332 wrote to memory of 1480	1332	mscorsvw.exe	52
PID 1332 wrote to memory of 1480	1332	mscorsvw.exe	52
PID 1332 wrote to memory of 2652	1332	mscorsvw.exe	53
PID 1332 wrote to memory of 2652	1332	mscorsvw.exe	53
PID 1332 wrote to memory of 2652	1332	mscorsvw.exe	53
PID 1332 wrote to memory of 2328	1332	mscorsvw.exe	54
PID 1332 wrote to memory of 2328	1332	mscorsvw.exe	54
PID 1332 wrote to memory of 2328	1332	mscorsvw.exe	54
PID 1332 wrote to memory of 2064	1332	mscorsvw.exe	55
PID 1332 wrote to memory of 2064	1332	mscorsvw.exe	55
PID 1332 wrote to memory of 2064	1332	mscorsvw.exe	55
PID 1332 wrote to memory of 376	1332	mscorsvw.exe	56
PID 1332 wrote to memory of 376	1332	mscorsvw.exe	56
PID 1332 wrote to memory of 376	1332	mscorsvw.exe	56
PID 1332 wrote to memory of 2816	1332	mscorsvw.exe	57
PID 1332 wrote to memory of 2816	1332	mscorsvw.exe	57
PID 1332 wrote to memory of 2816	1332	mscorsvw.exe	57
PID 1332 wrote to memory of 2504	1332	mscorsvw.exe	58
PID 1332 wrote to memory of 2504	1332	mscorsvw.exe	58
PID 1332 wrote to memory of 2504	1332	mscorsvw.exe	58
PID 1332 wrote to memory of 2376	1332	mscorsvw.exe	59

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
"C:\Users\Admin\AppData\Local\Temp\704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2784

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 16c -NGENProcess 170 -Pipe 17c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 238 -NGENProcess 244 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 1bc -NGENProcess 1a8 -Pipe 100 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 258 -NGENProcess 168 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 260 -NGENProcess 230 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1bc -NGENProcess 168 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 11c -NGENProcess 168 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 1ac -NGENProcess 1bc -Pipe 11c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 1bc -NGENProcess 190 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 27c -NGENProcess 244 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 244 -NGENProcess 1ac -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 284 -NGENProcess 190 -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 288 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1bc -NGENProcess 190 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 190 -NGENProcess 274 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 190 -InterruptEvent 294 -NGENProcess 270 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 270 -NGENProcess 1bc -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 29c -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 274 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 2a4 -NGENProcess 1bc -Pipe 190 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2504
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 1bc -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1bc -NGENProcess 274 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 258 -NGENProcess 288 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2b4 -NGENProcess 2a8 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2a8 -NGENProcess 1bc -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2bc -NGENProcess 288 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 288 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2c4 -NGENProcess 1bc -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2bc -NGENProcess 2c8 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a8 -NGENProcess 1bc -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c8 -NGENProcess 1bc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d4 -NGENProcess 2c0 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2104
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2c0 -NGENProcess 2cc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2dc -NGENProcess 1bc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 1bc -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 2ec -NGENProcess 2c8 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2dc -NGENProcess 2f0 -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2c8 -NGENProcess 2a0 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2f8 -NGENProcess 2bc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2ec -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2a0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2bc -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 2e8 -NGENProcess 2f8 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2752

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2916

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ncjookla.tmp

Filesize
694KB

MD5
11522eaa20c20d644dfae287d612ab02

SHA1
4eee6f9ed27988b01e192eff399d8720fd4678c5

SHA256
b99168ae6b6dce4658c4362ee483995eba2672f3f363bad35fb2903e2647e51c

SHA512
af152186b6edc60c0ff0d9125854f17f6e41fb3de386aa09e7443271791f19a44aec44f709c11f3860ac0d232b22411b40062d14d4fa5a0121b779bf761f379a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
5511290a295b69310121ba8647d71b62

SHA1
84d43c2fdde6d5a53c49ed407967ddd47d295aba

SHA256
05def71a1988888a4005579b5e1ada41a0c2c1beaa2ee69c0bc940347e98c43c

SHA512
aaf27df823b22774178fb2ef8923ba3b656d30a7245e1529a0f776deaee95e4a32d67c05f9968a87f730b469ec8ba055b4e2ae22cbfadfae662fa4a23e40f331

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\cpkcoelj.tmp

Filesize
4.8MB

MD5
9b9736bb7173339b9f32bd722b7da3d3

SHA1
637e5d5cf246a2093d78c6e8cbdc023c577a3f8c

SHA256
74a5075685c4b3b8b5f1e26c6b9af59a08df47dd40863f913c864f101b203494

SHA512
bc7cf26c58a887719b8bbbb1f5eac3fb62bc1f7aee577d6d8985ac831f45ed7dc599e6dd345f1b3ecaad4591f7554e5d892affdb1255c8c413b5f6ade1515cbd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5cb5c63d37ef5926df7274c12807ae40

SHA1
eca82c6522fc8e3923aa26bae95459031eea60f4

SHA256
570bf97a00e2a23c4ac463c88ab2c66554e68ea6ca83fda0d6e2d79371ce8802

SHA512
dba38f2111742eab01684a65a8ae59b19c24bbf66fcc5cc0f92f2e9c435abb1e6624efa4d6676165ccbc8d1ae8f0109c9841c0e42036bbea0e4c38960ee24108

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
0d0049964f0a9b47449eb9631f1a9b33

SHA1
d7231095e7dd5398e3efc3f38019bf96c3f08f4c

SHA256
5955be89f316b36d613ee1637e17a006fd7d2f238753235bff300db89f117681

SHA512
1d214cd0d388395a0fb56762eed34b020c4c9afd0794e9a08b40d5d106a008e561eefb133879dfddf8f61862f01efc4526e2b957e6696c3db52f55226cf28124

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
0aae2efe978c5c4e3d548bf37c398b7f

SHA1
123195b836095ac608b41739ce221a4347e5c142

SHA256
18f21362fcdec046b2cbacd7d5d060b2eef4bc8cda6bf2814d713de34c4ac44b

SHA512
2f29942b3da654017c4bd8fcbafd3c23353d7de6b2ed2b2b32bb0b73917796f3c21b778e481745481bca623c8084eade8456d15ef55e3fc6849e31afe7d56313

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
01128ff626d309adaafc312e15e0a13d

SHA1
767882f29a14bef3c2f7f96bc3c032ea18ec21b5

SHA256
8244a1da976f2bd9252510b46de37da6e37b22e03d533fad1fba1da2d60e3265

SHA512
b32d43a3322ed96e8ccb461f59b6bb7caa5fedef0d11a62c88551fcdc04685ae12afd0d4f91d0dc3a0c6a7099058d06587897b00cd09ad67103d302a227c9c9a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
bbcea33c28b6874f5f1c40cf02977a3f

SHA1
f5dec747f683bc50142e566438dda88e352dfeaf

SHA256
63f503e977ab259ae2254af92f7f21ddcb579bec33dd58cd94535e5c036bc0a0

SHA512
6d565c07b61ecfda963ada1739d76e7c8d389adbe1b90f6e9c3303ccb91916ad4ac9861c8ff76bc9851b0cdbf819f2865cca8906e14e3dd9f1eeb2da823399b8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
7b0b1649c1be0fcaddc0a885a819d15f

SHA1
bfe5a7969b72d940b4732e3e46a607fefba3c261

SHA256
b8fb02621860c6f66d463120409b45b9b336e0a8c0ca30e724fc11c8e49c49cc

SHA512
d7f24fce5b193753b8388a7b3bb0c1b729686ad14049f4746e8141d598befeb7239368e28cd33a2d69d06d33475a541bfed235107a06e53c5c28f1de829b8f4e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
a5ca62f46b33e37886a70d2ffba6a4d6

SHA1
0e114beaa3897f8471c6e8bf2d784d3401d2643e

SHA256
194a13d2ef8345b7d3f6e493da24e79d8a36a7209c21bbd858dc118239e904bc

SHA512
b50f03b5ee53f6f27a05b1b5fcb89de5ba5eb126d0666f78dcf658363f1c35c3f27b7285f29df56706245c2ba69f1ea6a4c231dd1c7b1a6bb0c2d974f0b6908e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\190feb30a6b5c559a2a4b9c2efa4f4cd\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
62462ce7f99cd39816d8c7e344ffcff7

SHA1
1a4d340ef164d832affccea1b727dbb7cf4fe55b

SHA256
f9e1f9375384b17af12097b752d42db2c109e398e448b1e1fe75600457180d7e

SHA512
a8881f67ae2c4fbb2b18298e36c091b081819704444ea6cca48a66b41b7fac2106d412ddad365ef6b597f3edede98fe5951d21f12b286d59fbfba3696cf9bdb3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2a592dd19ce3c83332cb692ab296db02\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
ad4f943b99a77dbf393c39dd27f2bd99

SHA1
8e826e9efe3c37b53119b437a422bdf1e4752100

SHA256
edc9c1b29257e5203ea0aa1c05454497f2f31c47baf01785462a87bb88413c6a

SHA512
62910e7d0c992b71d6b183f65e1b013f757be4653421592777c513bca5f4d3bd893ab294298864325cb051537f5723f9d6e45eb719e5916ea0f609648928d385

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\375bf7f708265ed7e83eee5381e08fcc\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
e07e4a04d5b6779ca49442af0425335b

SHA1
a6e9faa378daae850679dde415c2cef550e274cd

SHA256
d295b763cbb65922892a88f87f3b9cd33006442e5c351031017c1c09863afd81

SHA512
0981282e01c4f471cb67ea5459f9fc90a12cbdbc05d4c9f75d8ed278f76a7bb7c1090716d246cb0333e77fd7131906a10553d306efe500b064abd07bbd8f5f22

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\5c52c3077b3ba9dbffad956685bf329c\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
c4ea4c8e2f3096f33bc0c339c9e6fad6

SHA1
5b2f014e36cedb8ccea94cfe09944ac973971c98

SHA256
33e2b31b02920beb5def4dedfc6947d660cbf6097fe05679f8cd988e9091b389

SHA512
a8b09961e8670fafe73f5c69cc4e308e0be933ee0e9dc1b5bd44259208ad6dfa55e549d39605a19877a64919c8d1102366190972f93e09018ab6c7b34087325d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

Filesize
2.1MB

MD5
10b5a285eafccdd35390bb49861657e7

SHA1
62c05a4380e68418463529298058f3d2de19660d

SHA256
5f3bb3296ab50050e6b4ea7e95caa937720689db735c70309e5603a778be3a9a

SHA512
19ff9ac75f80814ed5124adc25fc2a6d1d7b825c770e1edb8f5b6990e44f9d2d0c1c0ed75b984e729709d603350055e5a543993a80033367810c417864df1452

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
694KB

MD5
721987d1534080efafaaf3223dc7b2cd

SHA1
b790a04d5305c1d0fe30bde638c407ed2857d9ef

SHA256
fe517f8306edd8d7b2f195986a42f0f7bc7a3ff050efef2a0f865f25dfaccd73

SHA512
d6c3f461bdd3fcc9646aa47bb12d86fa16de9ca41ab15493502ed24e153141c7890c4dfde7504e2b6a455660972e724ddffaf831c5719320af93860b8f89ee27

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
e9e58c98abd55d5457e7f22e80e1b243

SHA1
d61815e258dd906eb4ba1415ac52c89929b8b603

SHA256
25c50f7815889344fbf8218ea223069f609f51db69e04666571b09ec5f5981fb

SHA512
3140d02c4abbdb36fe2261221643a0bf7b28d26fa311a7bda1a067ce129066851db177a4a264a888468e9bb459a1d3a4be9c9f0306c8d4f500982c2912018d44

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
2.0MB

MD5
96ad18bf1e6a7eb1ae64f7168e1b4ce7

SHA1
acee9536e8197668e7aa88b69663cb3089a4f160

SHA256
f03d98fccace5ac9e0099ed10ee11760eca2b9b44d293fbf1548de3ba9d6d3cd

SHA512
ba485d8e7d33aacf63a80518e70d0ac3548a028305e998a849a179413121014969e43966b940453083ab52c8b1b408acbf1800a08df67a60152350f7b8032665

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
cd86ee1f05f5f088e77317d51e4d63ed

SHA1
8a6639b2979a61aebe5bf1f8874f3dc9eecfb910

SHA256
081f5a0a6bc2f970502589a2ea4d1216c53c5f9aeed6b2327b9ad1056c628b80

SHA512
d1439aa4eada0868d3fe0160d087d15e4220640f483d10caa6ae8066ba076f3c599dccef12979813e066d944523527ef665c90b619f1020ba6cacc735a8d7d27

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
679KB

MD5
34b8ca1366b2d3be2185c03ad47a64e6

SHA1
701aab2d8034fa5b758fbe6cc3ca61107a83b1d8

SHA256
a67744aabd30ca1c4d3e3c429dd201c8655fcea9580a1f2ef26eb626d1dff5b6

SHA512
f5a2422f629aa71371671d1da41ae125301009d20c0eed3a4ec12c256de196d280917ed3521cbe874ad0160e1e382574d6afd6f6a0f46d33e1394322916883e4

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
591KB

MD5
1fe411884c1b5310fa013d3291a0106c

SHA1
305cbf75f7ec4a9acece5a2b5bd479c74187ec2d

SHA256
3d6fa781e2ec4d5b5bf65def57ba34dbe634e071875b7919f007c1c8eb960099

SHA512
4c10cee3a99a3c9b3722ca06c2a5c1e4a96ea750f77fe347ec92dba83b4cc02bb1a057e93b8a75d408c8071222b4500ab463893a4ff2ac019d14d9b71cd3e6d0

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
632KB

MD5
7fdfbc59a2c4e85df103dce39c14bcd6

SHA1
77a434af9d929147f41d4a839779cafa3114cfa6

SHA256
76831c097c707d51e980bc9c20e373bedca8d86fb7b379e1a5f9b62a1a0c67d1

SHA512
5f6fb0cfd19a478ef524bc9e6d3537882f96db34b7a0adedb41ec23f11e8b9cc412d4b58121896120d8728c4a1379743f70a838d3edad30815b20f738fb1feee

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
a58ea841c4509a743f9f42e33e74f39a

SHA1
b1b74ca468d86deab0b511efad863c1a1abfbe57

SHA256
33a8ceec0bac881e6c6bbb64694ae5bc8a06de2e4337499e7ccfa97e8052d274

SHA512
d48dd97c8062728ec4bda873d9d3f92a5aaaa9431d8887271e5d20c3e56bebd323279e6893e482a1decdd0c8d7e06e0d2ef822bbf49771c701c3d7d2a381804d

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
693KB

MD5
36f2a68eec4c1157ff707a7cfb1c162f

SHA1
d44c8f72bc658d7b04d7a9fe8a7baf722d016331

SHA256
fc923d52ea15e073c822b7ae0a415d5545fcc2724a6c7a0c551629e20134c33e

SHA512
baedd5d1e631bccdfe85860687d871d0340a4494ecd79c0bbd8f3d7aaf5b93e907a3c73b605bab6f4d8c2feed28196fff6e900d420c01068ed7387aaa6de10a3

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
679KB

MD5
9d3f294dbbfd7a86be49c95d2c368989

SHA1
ae7c023f9d01242f82ddd9bdf13ae5fd49f862f4

SHA256
6601014888cfcfb0748454ec19f69e200ef0b54e2b809478ccf1ea9386f0ab36

SHA512
a9367e65ba71093a15f26940d1aeb466121c4c60c3081d42485409c5d5a998b3830140b8c3c72bd43146e21d4159cc78fa557dd1389ae8e5e2118335d2f1e567

Download Submit
\??\c:\windows\system32\searchindexer.exe

Filesize
1.1MB

MD5
8714214c87f78da7b57e07b35bca40e5

SHA1
0e7c362bad2c42e3559ffdee597e8a27e0e68f9f

SHA256
29283be12f213b2c26d305d37ba2c679da1e19926e88ca4baef967387bbad644

SHA512
5902eba876cec2bbd92bc1cb92d6018b2bcbe7b4f6bb30cd7b79388f5ccde20adae79deddbc25dddc6d80cefebb6d8b32b0c030f7bd366509cc08d1a91c0ae2d

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
569KB

MD5
ec3b10bce20c4bd9ed4c48bee54f38cc

SHA1
eac53d1e74049da84f3b5d624704e7dfb4e42d68

SHA256
15d57cabf6b7488c31167a3d5e150d20d24cf576800a3659607cf0f080f2eb9d

SHA512
dc90a1d2866b8006f7449bc1a22bfbfd7e7cf96a4b3551ce9d74205286116082f8a968ad03429b2b438c2ff6a1e166ad1b115e1c9055e7be9114f702f609ec63

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
595KB

MD5
73080e2b5e2dfa6f0f686252aacadee4

SHA1
d6af66bdc99047ebaaa178bbf5e59e16316832cf

SHA256
6386158110fc88b383fd052d2172e97139eb795e279d17a25329f1c803397f37

SHA512
4f756188fade0c6cf4fb7c2c4ea9db507def78f39c329eea781979aa0bb726ce29a116216ecdc953ceb6da42f9ea1ce26612e2a76a3147000db6f8f9d6548b50

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.0MB

MD5
17a22d8827df2045e965fd46a05ce9d3

SHA1
6c0dfd3be1512a21e3159a2ac351c1a27cde3785

SHA256
c03a68f8a8496a81fab6dc3fae734f2a15c0be19365a2bb6e98989d0aba3ea8d

SHA512
673bc088d2b5cd7b1a8bb5e447101515532910a7d281255e2d7531a50548c1ad9cf7fa7240a56d97473263e2bb306e6d94f436852a154c16bfd872e99e83ab11

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
c654c188d0dcb845a173be5573e2526b

SHA1
18ef46583c2d4aaa2cbe3c05b5d367d601585139

SHA256
533c414b9fc393b8470f294e0dbcc9646ac8bbcbff3f6ac2c747eb4020099fdb

SHA512
2ac8601fef1b8054bb713c8fbdb358fd3da9e20210421d45cef99c1995fcba2f0e435908e89bba5c10af92f91633708213e78179e048069eb4ad5390d04683db

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
753KB

MD5
cce19f3ac61043ee46f1410db6e9cc6d

SHA1
45675253fb9f0cd182caaf3b7b016ebc72466e67

SHA256
22f785f18d88ee46e0b4f6bc469babd3c82e72bab3ab2d478db0bc0ab4027fc0

SHA512
90454878069d3032aa7fd79da8abec224cdaaf2e11102aef5fa1eb518794145ffec8038aeb2a723cf0ee8fc3576f7983073bc5606723685d61d556a5bbe9e4f0

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
bc83efbbfb4b27a13d371ecb8fa8b4be

SHA1
4663e2c9edc5c8092bf0b3d88ee5068035b9b3a5

SHA256
3058b0bb13a7cadba0bfc27f511b97d582e57c6f0daf854cad93f58395a5c833

SHA512
32a308806ce36f99a2d7b64c9250ca6bdb371a72939923de0608daa73521231f2e0b4cb95417e595c01c44828a3686628377ac18f18167fe4e58f888c1f5295c

Download Submit
\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
769KB

MD5
beda23b1cf5c17e9bddbaeb975749e19

SHA1
bcc6b53d1f9706a6cc9f15ca3d1e608784ad9f16

SHA256
beb86e82858c8ca3c07195eecc3c082ed39a76e801388a8d4df1b4394d12aff2

SHA512
4d2d04a9c181f341d74b1b11eda41a4bdde26db3daf9ee6519221365185159ed23015486d5a6a8be6250bab14b3d53ea93faed3df3ff298d5f9d71a8564f6efb

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
636KB

MD5
ac2aef94db7b640eb569ea222b08073b

SHA1
9ad9b696b1927031c19c2b854991461b4a079497

SHA256
9e0e93240c2d280c6552be47818ec8872213c7333603a5e97b01ebf2d2977dd5

SHA512
76c17165947f7797daa0116956a56d362e473ed74e2a6be1c7dca302094838587df61bafc3fb18720aeb03c3969f5b21b8c0d42e44b30bd510a57170bb485251

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
01fc504dd561494ebb4f3a8c58a3b03c

SHA1
52894a1613d51cad33cb9e41a62f088413ec76dd

SHA256
642bd9c168bf86a670edf772feb833d583873cc873040f2c5981c789b7825c06

SHA512
eec9588758b95b2994e386b1cd88ec7a132c69f0cbbb479d64fb5cf3c9013c358dc8727ccad7df9283cc86e52bb577955e8f8225c111da884a5111691593eb28

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
662KB

MD5
124ac3164f2670b5a4adcf8c9a25071a

SHA1
17f5da4eae2cbbe87f7d1d87c01cf8d53f1623b6

SHA256
3f4ba469adc35ebff5ff984908b5a65255ff61448911f94a8bdb182dc29a47fa

SHA512
12fb4dd8f4bcae272403550b4f8c9461ed5991a93874e2652d0905b49ab4bc2c86dd04bd7122c9f056281f4958e337d270a2226fef338865e7005c744d40e82c

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP158.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP510.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP770.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA1E.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPFE6B.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
memory/376-517-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/540-332-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/540-334-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/832-200-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/832-169-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/888-438-0x0000000000730000-0x000000000073C000-memory.dmp

Filesize
48KB

Download
memory/888-441-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/888-439-0x000000001C530000-0x000000001C544000-memory.dmp

Filesize
80KB

Download
memory/936-407-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/936-405-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/936-403-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/936-401-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1332-57-0x0000000140001000-0x0000000140002000-memory.dmp

Filesize
4KB

Download
memory/1332-56-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1332-168-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1480-482-0x000000001CCF0000-0x000000001CD0A000-memory.dmp

Filesize
104KB

Download
memory/1480-492-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1480-479-0x00000000006D0000-0x00000000006E6000-memory.dmp

Filesize
88KB

Download
memory/1480-478-0x00000000006B0000-0x00000000006CA000-memory.dmp

Filesize
104KB

Download
memory/1480-483-0x000000001CCF0000-0x000000001CD0A000-memory.dmp

Filesize
104KB

Download
memory/1576-413-0x0000000000730000-0x000000000073C000-memory.dmp

Filesize
48KB

Download
memory/1576-415-0x00000000007C0000-0x00000000007CE000-memory.dmp

Filesize
56KB

Download
memory/1576-417-0x0000000002FF0000-0x0000000003038000-memory.dmp

Filesize
288KB

Download
memory/1576-418-0x0000000003040000-0x000000000305A000-memory.dmp

Filesize
104KB

Download
memory/1576-419-0x0000000003060000-0x0000000003070000-memory.dmp

Filesize
64KB

Download
memory/1576-416-0x00000000007D0000-0x00000000007E6000-memory.dmp

Filesize
88KB

Download
memory/1576-424-0x0000000003250000-0x000000000325C000-memory.dmp

Filesize
48KB

Download
memory/1576-423-0x0000000003250000-0x000000000325C000-memory.dmp

Filesize
48KB

Download
memory/1576-433-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1576-414-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/1696-345-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1696-343-0x0000000002FE0000-0x0000000002FF6000-memory.dmp

Filesize
88KB

Download
memory/1696-340-0x00000000008A0000-0x00000000008AE000-memory.dmp

Filesize
56KB

Download
memory/1696-341-0x0000000002F70000-0x0000000002F7C000-memory.dmp

Filesize
48KB

Download
memory/1696-338-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1696-342-0x0000000002F90000-0x0000000002FD8000-memory.dmp

Filesize
288KB

Download
memory/1708-46-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1752-336-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1936-347-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download
memory/1936-355-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1936-348-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/1936-350-0x0000000000980000-0x0000000000996000-memory.dmp

Filesize
88KB

Download
memory/1936-349-0x000000001C490000-0x000000001C4D8000-memory.dmp

Filesize
288KB

Download
memory/1936-354-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/1936-364-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2064-507-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2116-85-0x0000000140000000-0x0000000140390000-memory.dmp

Filesize
3.6MB

Download
memory/2116-86-0x0000000140000000-0x0000000140390000-memory.dmp

Filesize
3.6MB

Download
memory/2224-448-0x0000000002FB0000-0x0000000002FBC000-memory.dmp

Filesize
48KB

Download
memory/2224-447-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/2224-464-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2224-453-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/2224-454-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/2224-449-0x0000000003190000-0x00000000031A4000-memory.dmp

Filesize
80KB

Download
memory/2228-365-0x00000000006B0000-0x00000000006C8000-memory.dmp

Filesize
96KB

Download
memory/2228-369-0x0000000003100000-0x000000000311E000-memory.dmp

Filesize
120KB

Download
memory/2228-368-0x00000000030E0000-0x00000000030FA000-memory.dmp

Filesize
104KB

Download
memory/2228-367-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download
memory/2228-371-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2252-339-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2276-204-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2328-506-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2328-498-0x00000000007F0000-0x00000000007FE000-memory.dmp

Filesize
56KB

Download
memory/2328-496-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/2428-392-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/2428-391-0x000000001D540000-0x000000001D558000-memory.dmp

Filesize
96KB

Download
memory/2428-377-0x0000000002FC0000-0x0000000002FD6000-memory.dmp

Filesize
88KB

Download
memory/2428-402-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2428-378-0x000000001C4F0000-0x000000001C538000-memory.dmp

Filesize
288KB

Download
memory/2428-379-0x00000000030F0000-0x000000000310A000-memory.dmp

Filesize
104KB

Download
memory/2428-372-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2428-376-0x0000000002FB0000-0x0000000002FBE000-memory.dmp

Filesize
56KB

Download
memory/2428-375-0x0000000002FA0000-0x0000000002FAC000-memory.dmp

Filesize
48KB

Download
memory/2428-374-0x0000000002F30000-0x0000000002F48000-memory.dmp

Filesize
96KB

Download
memory/2428-380-0x000000001CA10000-0x000000001CA2E000-memory.dmp

Filesize
120KB

Download
memory/2536-470-0x00000000005C0000-0x00000000005D6000-memory.dmp

Filesize
88KB

Download
memory/2536-472-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2536-469-0x00000000005A0000-0x00000000005BA000-memory.dmp

Filesize
104KB

Download
memory/2536-463-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2648-0-0x0000000001000000-0x00000000011CE000-memory.dmp

Filesize
1.8MB

Download
memory/2648-2-0x0000000001000000-0x00000000011CE000-memory.dmp

Filesize
1.8MB

Download
memory/2648-1-0x0000000001002000-0x0000000001003000-memory.dmp

Filesize
4KB

Download
memory/2652-494-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2652-80-0x0000000010000000-0x0000000010200000-memory.dmp

Filesize
2.0MB

Download
memory/2652-491-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2652-493-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/2652-35-0x0000000010000000-0x0000000010200000-memory.dmp

Filesize
2.0MB

Download
memory/2652-36-0x0000000010000000-0x0000000010200000-memory.dmp

Filesize
2.0MB

Download
memory/2784-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2784-53-0x0000000010000000-0x00000000101CD000-memory.dmp

Filesize
1.8MB

Download
memory/2784-21-0x0000000010000000-0x00000000101CD000-memory.dmp

Filesize
1.8MB

Download
memory/2868-105-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/2868-135-0x0000000140000000-0x0000000140223000-memory.dmp

Filesize
2.1MB

Download
memory/2916-94-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2916-253-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2916-196-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download