expiro | 704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0ca

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
Size

614KB
MD5

a71bdbb53e08a14b8cf924f160c0b720
SHA1

ee167d53e621bc5dd8a15dee2ed293c065411599
SHA256

704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0ca
SHA512

771f84fe9d7e1becb5f58cfde15e0764a3029055b543cd0cf51e63d40bb400fa94d8f7bb1166c4000d70331b9f45b27c52332a3b987af1dc4bddcf38b888496c
SSDEEP

12288:eUzRRaMMMMM2MMMMMsNsKmnO/IYBD7F5t5WSfvQjPWkx3cPzeRly6ZWfC14q5Dcw:eUzRRaMMMMM2MMMMMsygfRF5tTfvQjPF

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/memory/4952-2-0x0000000001000000-0x00000000011CE000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 8 IoCs

pid	Process
2212	elevation_service.exe
668	elevation_service.exe
1508	maintenanceservice.exe
1308	OSE.EXE
2428	ssh-agent.exe
788	AgentService.exe
4308	TrustedInstaller.exe
4048	wbengine.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3350944739-639801879-157714471-1000	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3350944739-639801879-157714471-1000\EnableNotifications = "0"	OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	OSE.EXE
File opened (read-only)	\??\O:	OSE.EXE
File opened (read-only)	\??\P:	OSE.EXE
File opened (read-only)	\??\R:	OSE.EXE
File opened (read-only)	\??\G:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\M:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\Y:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\L:	OSE.EXE
File opened (read-only)	\??\J:	OSE.EXE
File opened (read-only)	\??\M:	OSE.EXE
File opened (read-only)	\??\T:	OSE.EXE
File opened (read-only)	\??\L:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\X:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\G:	OSE.EXE
File opened (read-only)	\??\H:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\Z:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\V:	OSE.EXE
File opened (read-only)	\??\T:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\I:	OSE.EXE
File opened (read-only)	\??\Q:	OSE.EXE
File opened (read-only)	\??\E:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\K:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\N:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\U:	OSE.EXE
File opened (read-only)	\??\W:	OSE.EXE
File opened (read-only)	\??\P:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\Q:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\U:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\W:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\S:	OSE.EXE
File opened (read-only)	\??\Y:	OSE.EXE
File opened (read-only)	\??\Z:	OSE.EXE
File opened (read-only)	\??\I:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\J:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\O:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\E:	OSE.EXE
File opened (read-only)	\??\H:	OSE.EXE
File opened (read-only)	\??\N:	OSE.EXE
File opened (read-only)	\??\X:	OSE.EXE
File opened (read-only)	\??\R:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\S:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened (read-only)	\??\V:	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\jnaakooh.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\locator.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\system32\bphconip.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\vds.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\mkcdkmnm.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\vssvc.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\system32\lejldfaa.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\system32\openssh\hgfjigpe.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\system32\llnddddi.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\msdtc.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\vssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\dllhost.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\vds.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\alg.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\msdtc.exe	OSE.EXE
File created	\??\c:\windows\system32\mnhjqogn.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\fxssvc.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\Appvclient.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\windows\system32\fngkmhqh.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	OSE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\mcfbcncj.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\iibndipn.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\gakpqfhp.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\emdpmifb.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\nlfifejp.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\phgiobhi.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\iojlgkmo.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kcmhlgnd.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\cpkcoelj.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ofbhkgdg.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\epgaijka.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\knjpmnmh.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\oocjcpii.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Internet Explorer\llopmkim.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jeoonppk.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\fcbnjplg.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jre-1.8\bin\phlkpdah.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\ioheelpa.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\knqknjlo.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\chlmfebj.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\onnmbqjl.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\7-Zip\ncjookla.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\gmoggjie.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lmmpfcii.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fjkphpcb.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ghdhglfd.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kefbfhkg.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\gkjggimm.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\oklgbmqo.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\djgnqiea.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	OSE.EXE
File created	C:\Program Files\Java\jdk-1.8\bin\icjaoghm.tmp	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE
1308	OSE.EXE

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4952	704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
Token: SeAssignPrimaryTokenPrivilege	788	AgentService.exe
Token: SeBackupPrivilege	4048	wbengine.exe
Token: SeRestorePrivilege	4048	wbengine.exe
Token: SeSecurityPrivilege	4048	wbengine.exe
Token: SeTakeOwnershipPrivilege	1308	OSE.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	OSE.EXE

C:\Users\Admin\AppData\Local\Temp\704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe
"C:\Users\Admin\AppData\Local\Temp\704dad95667ccdb58d605fa9c12bb85f1416a8eb3c48c2897b87e0c72193f0caN.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:668

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1508

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1308

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4308

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
adf4bcd76f49a84756e9b2d2cf509fe0

SHA1
0e19861346975e68c678658a35e8f49e52920f40

SHA256
35e1f16baef17590c4f3ba59d5ed0a88c4d7bc883da61a3dbe4a561534292311

SHA512
89b0ba7b9919238ce88fdaaf70afb6c8dc0a19bb7eacfd617ab67cb8a56b1ba3b10789132a1aac4a81a3ddb32125e114926098d6a75a0063d8fffaf85e6e5ab7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
777KB

MD5
cf8c6834529bbcdb060efc774d4f2bb5

SHA1
3cb2d7df0f6ebe734e9c0507b1d44359ffcf0385

SHA256
69e425bf4451b01409b5dcb70f8d743fdd81b0f8b0aa958d0d82b2b07ad12c46

SHA512
803b59cdceac349ced18fbc493a10c14819c283f0240c9d3903dadd3c2e8fb45aec078b37fab583b6dd695bcb78bcbd09486c67193a2070a8c8ab13101f9b099

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e7e5ffb1c3f89cd4cc8f184c4391e207

SHA1
026c4b64993d8525627d895ce7f20d364ab5856a

SHA256
ab1e912eb500768c8074d6bbf44bf2f48ec5891c88b76fcfba5f7e9602e72cc8

SHA512
858fdd0ce6f3a7a72b476d2d5dbb1d97911f774e4b6c54d50d9e288ba6fb1dc4c34e40b69c5a8f9ab903d3d792413dd98e0f67ddd470c703655a864e5dba6246

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
dc7453fcca40801b71e78f7a0c7e6bad

SHA1
5f90186fed78519fb0a3d044342b29f858b3d7d9

SHA256
1d0ce0ff857ef803d7795146e4aaee3dc85dedfefd3b6a1fd856e2a89d0762ab

SHA512
e6401928e5b30037de1a1a7af3d1fbc251fb422eaad0a4fde433b4f07200860e09464278ac31f12ac599ef62eef7e7de06b69bccfa8cb53942fc7d8fbc05dd7d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c543740b5510674b4bb08804ebf4a5e1

SHA1
845a053bfc4cae83a8231d2445eb6d7596548174

SHA256
aaf67fe0a1a0d90da276054b3112969d52d2dbf218fba782dc409346a9dd57bf

SHA512
4d71936658f66525e1b1e21807c179e2e25342fd644e5e89d0cad23e3923bea2330ffa3806e72807853081b77378e2e2fe40ad6ebfdcc9b439a9e3d81d73d0dc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
566KB

MD5
af83fe669f3104cea8bff5e6a9c7adbb

SHA1
83034ad99615c36598843e1a1e17319627f50ec8

SHA256
3b1031e75d96526e3c5386762b0a2c88c18ae54db2367af00f99744034efaebe

SHA512
ce5ab9d564b96767d3be33c2cb506418894a21c690900390592c27b752f506b78a1f472aaadaa446e9ae046446470298af5d10e3efa5c49352cca9f104b4e571

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
828KB

MD5
b5359d43507f9d24393964b82a43557d

SHA1
d7f3154c4eb692fb2b9cbaa839b6d574b312bc7f

SHA256
27b42865fa53809fc74696ef82fc195fd57b991df258be681792a0773cf13d84

SHA512
5b5b52c63e7aa75176525f0e6b14ca580e44abbab31b77ab0dbcba191f4575187761cb1c02f5f2ff385c9fa6e7f8a849f2741e9fab7597c0442829feceded13a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bcc3e752a582df4a3f845213835a1096

SHA1
aa37fda8c90686cef05d625f13424547ba354659

SHA256
756acba24aea0358af886677f6b23feec25b6d1b0c73ae3d644213b8e5f5a5a0

SHA512
0061a7fb66936b79032870e0117fcf71a78465a5193361bbb615f9b805cfd76d318c34446187cfeb5ad0f39f45f0c2c8e1a07c68a77757b9c06c0ccfbaf2d50f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
898KB

MD5
f70c4ed2d961857d9b4ada1a98e2dfa8

SHA1
8b058e39aadc82fc7e8d74fb4e0984757c48a241

SHA256
28bb7a96624edf73e51486cba057a5b420b98a6ead937844a9a1d2331a2f5a07

SHA512
2a6f51772626400f871c7154cd2d1f0fc36316e2da76d3047492b93632764086371834acd3997b68ea958605c7c5ae2ad197f50b8a6ca85079880bfd8112383e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
af88465aa4c782e8bb10812199fded6e

SHA1
d048c871a2a74dafff4e14ac0d1caa6cbe8d2776

SHA256
04a4934eb44d1d286cceb7906fa4ad50fa6405fd4f5af753cd95327e857904c4

SHA512
252cc0ba7cc57714482e4db3be344df77a14fbc3594391571b3a5882c96a89e8031ed6c4bf67ff546b886fb38be3791e5853f91a2d85252306e547c32a04a8c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5ad0fa392006cf132c2dacf2bf907a7d

SHA1
6fb42b0bb5ffa77d81a2cbdb72cccc9fb5e1c405

SHA256
37f6f65b58dab7d03d4de2150436280b60b79f4df8f72b787c7c62386aea8d47

SHA512
5e6d6daec811baa3d3fa5fc4668ded6685e9c78e8cc5de5c19c37ab315d96ed4bb2413954b6a3c39d993e7c808a7b01c86666f788a04139271214f6c7ceba5ad

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
793KB

MD5
3236e2f9579ea5737b246b8f0c535a22

SHA1
ae005391aa0b32588918cb7b171a7b36fc2dd817

SHA256
65b75e13bee68c6e8b557b27d0a272d9d1960ba9febd31d1a6e298c8b9c08d94

SHA512
d774b1ecb6fbe60a83ae4efee2883e9c9bc3f190a5e2424fbf0a9e764b8840302299b08a9ab29ff3e26327589c50a2e5ec78f951d25c0fe72111fb7a79f4fa86

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\bhlnifll.tmp

Filesize
4.6MB

MD5
107ea44908cc4db8c4d010d2feb1a517

SHA1
844788420045c3e15b77f12ece56ebc81c80e234

SHA256
5ca51d5238641f1c332ed2514ad9738600bf1167ad78e2f94ebbf49141c88c44

SHA512
7aa4173227d679be517393d688d50cfe2b3b698c96f2b08b22cd4c8da3efb02689d0b4930a4bbf0e0ff7f81c801bd4f96c7b0b5703804fa5aec5570c4f269308

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
ad0ab81b3092b851fd9c800f1ee3600e

SHA1
dc46abd55ae5481929f5b847655cb17548c0f420

SHA256
f8930ca6915a081ccac48ec9038d8bbabc9db5a27c22d2ec5004b459b1b8f1f4

SHA512
97f2af482e37383a23355ab89ebfc93a706d9886c748d036006e54812ec3ed87ac0130eeb6d4b4a4bf0ade23a2dad2a5b3ddd55f7e03f1f57e9ae58c89b59fb0

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
2ea5fd9ea443ae23341d20e34d9a1d5a

SHA1
c8c97f7db38ab31b66ec9f9e75c3aacfc4f5c300

SHA256
c341fc4776292e2ff314946f94e211850b71f93d193427fbc3c35be245884728

SHA512
cb71c451a20a74737867a430d011d07c96b0dc005cb1cfdfc26e0ea039f3df48c7f33b3bd33674d389dda037f28e69cd051334d4686595d160c89c99373cc234

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
978KB

MD5
60534c1374c66fa54060a5af1757ccfb

SHA1
7f8a2473300079f435d86d9425d3b6b660574450

SHA256
8ddf7576700c76ab5fd5c0da0b2e65fde4f272813776a8bf5dfb9be06d55a783

SHA512
7bf334a9ca5d75c0179ef9587348b9948d63eba39af8b823cec5b26158ef438bf0c090e29d361ab01f2730fa95af9a39a8e5d42cbafa57c8f93a4a0943d12d77

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7b51b913eccbf6e338b31d95205aa54a

SHA1
4e80e5d1b898683d584ef81a69c5925167f23ea4

SHA256
dc89fa6307619839a1969740eddbeeed94b6944d91e8c7ecbf1a4efa6669f469

SHA512
01b7955335caffa156d20acc122204eede94cdaf2b0ba68f634e537c9ad08e7b82adde5193af2242a3f90f929c488ad0f0cd5e5a9c72c0a40331c06d167b8194

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
928KB

MD5
8b734d2b26c9df117ac138104ffca08e

SHA1
331d53bb6cf86b151c456b5f923df3bbe88e669b

SHA256
ce1a65e00dd613e9fd783ec5f18e58e00c5defbba739e13ce21a6e6fde54b2ee

SHA512
3c1752cee5a630c4c72f6126256efb7f7a545586c70d79d7f198dfb85bb388b81275e2fc9a2ccae699c6a589380b39e541f0ba0340c867e483bf83742bb988a3

Download Submit
C:\Windows\System32\jnaakooh.tmp

Filesize
1.3MB

MD5
2c82fa70b74456f39cde848349f421eb

SHA1
aa8080f5cdefaa1e125c52b2c6717b02918446a1

SHA256
44b366a231af126eb7deedd66bc635dce37ee819d6b18f7c4935d33518db9fa2

SHA512
07fe9370c70ba7185b2bac1de827479257744e2db9e030faba73abb7926eb48e205e16f33e91d731ff31df113b59dafa56e0a482edb2d76e18ec9c1f4bfcd42d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4496c5782505d678e95805cb2e4ce083

SHA1
066e5511a0deb7d84dfd2cbf1451393eeda07c08

SHA256
48374957b820baccab8f205780583bd4895e816ae19366a4ee03cdff39ea8063

SHA512
280631cd59d4a9b886a81d9f6b47d88d5ff00c94e4a0acfbe0ba2d30d778963ed74c508a2d3a9003cd6d27497ca82f465e1078bc2a2194fd64a39ea5d9219a6c

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
1.5MB

MD5
519b277adea6f7fb35ecb0790bd4bdd4

SHA1
4c41db13a0a4677700e1c0834e124f8750fcbf81

SHA256
3cb5cc5834db8a0159eb060a0938f0e098c7319a72c71c14dbbba8a775a20fad

SHA512
645620f644a47cec3e0615ee13505de042a4ed11694f5d401b2637e42fe0abac924f6068ca4bbbc500a7cfbac2f76fa30f321249efd994bc95f6cf849adbd6d2

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
efcaaadfd8111b743aa5707de2b77577

SHA1
c7a872f2e1f559cd3e2890d68685b47fca07df57

SHA256
5804d0ad7dd6a4c6024908ae93916efa173143eb65541860bbc87662d0dfa7b7

SHA512
819efd65d4bd8a6584f6b8d3fe2b50f81ce47f3d1b6d5e04900948e53d777272e3dfac231615a5da2bea249773d2b8b24142cb601df65b6fb0c1573d4e5fdc46

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
700KB

MD5
38d7562625c22986cbe4419999b6a60c

SHA1
7f0b47224ef93c5a6e3fb10c32ddf550d9da8a33

SHA256
588865e9ef8622495c783047eb8f1b516af003d5ce7335d49b1fee709faa8e53

SHA512
8379cc57de8e18062703a72f7864b3c0a0e6ec1308c0a815fdcd6356db7a7544260bf59830f0469626940b10fd9092dae40db971239e699adae3632b14150dd9

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
623KB

MD5
222b97f35d12012e7b08c211facf97b9

SHA1
4cc300db37a7afbc432897f02dcfd2679bc36651

SHA256
80ed69297478f450455fd8de0cf964ada9e9e50bb9a4fa37eda33fdb3b0d74e0

SHA512
51ab832f2901234cb9ade8437fe9f6891afbb1c37f1a842c1d82ae6327a4591f6d57b7c8d5906db263d48f39cbb065bf5da922ac975aadb68adecea5463d7797

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
572KB

MD5
49b93b35f5365c404d0fe574f966f17c

SHA1
260b5b9bd95309b6571fcd9f8fd6c9607eed04c9

SHA256
6c02f259d04272cb1f37e18d1b5d47f041e9279956d75d7c9648c51b4ea31dff

SHA512
5a4bdfcf3dae1d19d10a3fdab78ba62bb3610437a54fe848de6759866cc110170fd1213e1d25e00de130bb718e98f489a82cdf279647fbfc6c0cbf16b9271a1b

Download Submit
memory/668-29-0x0000000140000000-0x0000000140384000-memory.dmp

Filesize
3.5MB

Download
memory/668-28-0x0000000140000000-0x0000000140384000-memory.dmp

Filesize
3.5MB

Download
memory/788-88-0x0000000140000000-0x0000000140319000-memory.dmp

Filesize
3.1MB

Download
memory/788-81-0x0000000140000000-0x0000000140319000-memory.dmp

Filesize
3.1MB

Download
memory/1308-60-0x0000000140015000-0x0000000140016000-memory.dmp

Filesize
4KB

Download
memory/1308-150-0x0000000140000000-0x0000000140228000-memory.dmp

Filesize
2.2MB

Download
memory/1308-59-0x0000000140000000-0x0000000140228000-memory.dmp

Filesize
2.2MB

Download
memory/1508-36-0x0000000140000000-0x0000000140228000-memory.dmp

Filesize
2.2MB

Download
memory/1508-37-0x0000000140000000-0x0000000140228000-memory.dmp

Filesize
2.2MB

Download
memory/2212-20-0x0000000140000000-0x000000014038D000-memory.dmp

Filesize
3.6MB

Download
memory/2212-21-0x0000000140000000-0x000000014038D000-memory.dmp

Filesize
3.6MB

Download
memory/2428-73-0x0000000140000000-0x000000014025B000-memory.dmp

Filesize
2.4MB

Download
memory/2428-172-0x0000000140000000-0x000000014025B000-memory.dmp

Filesize
2.4MB

Download
memory/2428-74-0x0000000140000000-0x000000014025B000-memory.dmp

Filesize
2.4MB

Download
memory/2428-171-0x0000000140000000-0x000000014025B000-memory.dmp

Filesize
2.4MB

Download
memory/4048-183-0x0000000140000000-0x000000014036F000-memory.dmp

Filesize
3.4MB

Download
memory/4048-90-0x0000000140000000-0x000000014036F000-memory.dmp

Filesize
3.4MB

Download
memory/4952-0-0x0000000001000000-0x00000000011CE000-memory.dmp

Filesize
1.8MB

Download
memory/4952-2-0x0000000001000000-0x00000000011CE000-memory.dmp

Filesize
1.8MB

Download
memory/4952-1-0x0000000001002000-0x0000000001003000-memory.dmp

Filesize
4KB

Download