expiro | 7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223d

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08/01/2025, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
Size

635KB
MD5

79fe1ca4d124971e6b872d5d6acd25f0
SHA1

eca06b23d460392695fbea380a6e4ed69ea14d55
SHA256

7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223d
SHA512

7e37f5cff2d86b325d3acb44b1a6821c94a221a70fa9ac81369fd8b22aeea3df5e6e652ba46618f7b06393045b09e7d8c7c676334c14666f27b9c1a0cf2dcf61
SSDEEP

12288:WDB+kxedc++Zvwx4jZVvPr+WmCqeDkqZ7K0Y7hbM:WDB+kxeqPZvwujZVn8eDhXYNb

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 3 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2008-0-0x0000000001000000-0x00000000011BA000-memory.dmp	family_expiro1
behavioral1/memory/2008-2-0x0000000001000000-0x00000000011BA000-memory.dmp	family_expiro1
behavioral1/memory/2012-54-0x0000000010000000-0x00000000101A9000-memory.dmp	family_expiro1

Executes dropped EXE 48 IoCs

pid	Process
2012	mscorsvw.exe
476	Process not Found
2748	mscorsvw.exe
1452	mscorsvw.exe
2808	mscorsvw.exe
1416	elevation_service.exe
2776	IEEtwCollector.exe
624	mscorsvw.exe
2152	mscorsvw.exe
868	mscorsvw.exe
856	mscorsvw.exe
468	mscorsvw.exe
2244	mscorsvw.exe
2376	mscorsvw.exe
1192	mscorsvw.exe
2348	mscorsvw.exe
2328	mscorsvw.exe
2052	mscorsvw.exe
992	mscorsvw.exe
1580	mscorsvw.exe
2712	mscorsvw.exe
892	mscorsvw.exe
2740	mscorsvw.exe
1748	mscorsvw.exe
1852	mscorsvw.exe
2560	mscorsvw.exe
536	mscorsvw.exe
1768	mscorsvw.exe
1368	mscorsvw.exe
1280	mscorsvw.exe
2236	mscorsvw.exe
1136	mscorsvw.exe
1248	mscorsvw.exe
2064	mscorsvw.exe
2328	mscorsvw.exe
1968	mscorsvw.exe
1636	mscorsvw.exe
1064	mscorsvw.exe
1240	mscorsvw.exe
2100	mscorsvw.exe
3036	mscorsvw.exe
2796	mscorsvw.exe
2160	mscorsvw.exe
1436	mscorsvw.exe
924	mscorsvw.exe
1716	mscorsvw.exe
2332	mscorsvw.exe
1124	mscorsvw.exe

Loads dropped DLL 36 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2376	mscorsvw.exe
2376	mscorsvw.exe
2348	mscorsvw.exe
2348	mscorsvw.exe
2052	mscorsvw.exe
2052	mscorsvw.exe
1580	mscorsvw.exe
1580	mscorsvw.exe
892	mscorsvw.exe
892	mscorsvw.exe
1748	mscorsvw.exe
1748	mscorsvw.exe
2560	mscorsvw.exe
2560	mscorsvw.exe
1768	mscorsvw.exe
1768	mscorsvw.exe
1280	mscorsvw.exe
1280	mscorsvw.exe
1136	mscorsvw.exe
1136	mscorsvw.exe
2064	mscorsvw.exe
2064	mscorsvw.exe
1968	mscorsvw.exe
1968	mscorsvw.exe
1064	mscorsvw.exe
1064	mscorsvw.exe
2100	mscorsvw.exe
2100	mscorsvw.exe
2796	mscorsvw.exe
2796	mscorsvw.exe
1436	mscorsvw.exe
1436	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2703099537-420551529-3771253338-1000\EnableNotifications = "0"	mscorsvw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2703099537-420551529-3771253338-1000	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\L:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\P:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\Q:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\S:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\W:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\G:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\M:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\O:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\E:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\I:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\N:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\U:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\R:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\Z:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\H:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\K:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\T:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\X:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\Y:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\J:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\V:	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened (read-only)	\??\K:	mscorsvw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	\??\c:\windows\system32\fxssvc.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	\??\c:\windows\system32\msdtc.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	\??\c:\windows\system32\snmptrap.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	\??\c:\windows\system32\ieetwcollector.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	\??\c:\windows\system32\wbengine.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File created	\??\c:\windows\system32\msiexec.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File created	\??\c:\windows\system32\ui0detect.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\alg.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	\??\c:\windows\system32\vds.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	\??\c:\windows\system32\alg.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\locator.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vds.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	\??\c:\windows\system32\vssvc.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCD4E.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCA90.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14c.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE4C4.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index142.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPEAAD.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD069.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index148.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.vir	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe
2808	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2008	7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 624	2808	mscorsvw.exe	36
PID 2808 wrote to memory of 624	2808	mscorsvw.exe	36
PID 2808 wrote to memory of 624	2808	mscorsvw.exe	36
PID 2808 wrote to memory of 2152	2808	mscorsvw.exe	37
PID 2808 wrote to memory of 2152	2808	mscorsvw.exe	37
PID 2808 wrote to memory of 2152	2808	mscorsvw.exe	37
PID 2808 wrote to memory of 868	2808	mscorsvw.exe	40
PID 2808 wrote to memory of 868	2808	mscorsvw.exe	40
PID 2808 wrote to memory of 868	2808	mscorsvw.exe	40
PID 2808 wrote to memory of 856	2808	mscorsvw.exe	41
PID 2808 wrote to memory of 856	2808	mscorsvw.exe	41
PID 2808 wrote to memory of 856	2808	mscorsvw.exe	41
PID 2808 wrote to memory of 468	2808	mscorsvw.exe	42
PID 2808 wrote to memory of 468	2808	mscorsvw.exe	42
PID 2808 wrote to memory of 468	2808	mscorsvw.exe	42
PID 2808 wrote to memory of 2244	2808	mscorsvw.exe	43
PID 2808 wrote to memory of 2244	2808	mscorsvw.exe	43
PID 2808 wrote to memory of 2244	2808	mscorsvw.exe	43
PID 2808 wrote to memory of 2376	2808	mscorsvw.exe	44
PID 2808 wrote to memory of 2376	2808	mscorsvw.exe	44
PID 2808 wrote to memory of 2376	2808	mscorsvw.exe	44
PID 2808 wrote to memory of 1192	2808	mscorsvw.exe	45
PID 2808 wrote to memory of 1192	2808	mscorsvw.exe	45
PID 2808 wrote to memory of 1192	2808	mscorsvw.exe	45
PID 2808 wrote to memory of 2348	2808	mscorsvw.exe	46
PID 2808 wrote to memory of 2348	2808	mscorsvw.exe	46
PID 2808 wrote to memory of 2348	2808	mscorsvw.exe	46
PID 2808 wrote to memory of 2328	2808	mscorsvw.exe	47
PID 2808 wrote to memory of 2328	2808	mscorsvw.exe	47
PID 2808 wrote to memory of 2328	2808	mscorsvw.exe	47
PID 2808 wrote to memory of 2052	2808	mscorsvw.exe	48
PID 2808 wrote to memory of 2052	2808	mscorsvw.exe	48
PID 2808 wrote to memory of 2052	2808	mscorsvw.exe	48
PID 2808 wrote to memory of 992	2808	mscorsvw.exe	49
PID 2808 wrote to memory of 992	2808	mscorsvw.exe	49
PID 2808 wrote to memory of 992	2808	mscorsvw.exe	49
PID 2808 wrote to memory of 1580	2808	mscorsvw.exe	50
PID 2808 wrote to memory of 1580	2808	mscorsvw.exe	50
PID 2808 wrote to memory of 1580	2808	mscorsvw.exe	50
PID 2808 wrote to memory of 2712	2808	mscorsvw.exe	51
PID 2808 wrote to memory of 2712	2808	mscorsvw.exe	51
PID 2808 wrote to memory of 2712	2808	mscorsvw.exe	51
PID 2808 wrote to memory of 892	2808	mscorsvw.exe	52
PID 2808 wrote to memory of 892	2808	mscorsvw.exe	52
PID 2808 wrote to memory of 892	2808	mscorsvw.exe	52
PID 2808 wrote to memory of 2740	2808	mscorsvw.exe	53
PID 2808 wrote to memory of 2740	2808	mscorsvw.exe	53
PID 2808 wrote to memory of 2740	2808	mscorsvw.exe	53
PID 2808 wrote to memory of 1748	2808	mscorsvw.exe	54
PID 2808 wrote to memory of 1748	2808	mscorsvw.exe	54
PID 2808 wrote to memory of 1748	2808	mscorsvw.exe	54
PID 2808 wrote to memory of 1852	2808	mscorsvw.exe	55
PID 2808 wrote to memory of 1852	2808	mscorsvw.exe	55
PID 2808 wrote to memory of 1852	2808	mscorsvw.exe	55
PID 2808 wrote to memory of 2560	2808	mscorsvw.exe	56
PID 2808 wrote to memory of 2560	2808	mscorsvw.exe	56
PID 2808 wrote to memory of 2560	2808	mscorsvw.exe	56
PID 2808 wrote to memory of 536	2808	mscorsvw.exe	57
PID 2808 wrote to memory of 536	2808	mscorsvw.exe	57
PID 2808 wrote to memory of 536	2808	mscorsvw.exe	57
PID 2808 wrote to memory of 1768	2808	mscorsvw.exe	58
PID 2808 wrote to memory of 1768	2808	mscorsvw.exe	58
PID 2808 wrote to memory of 1768	2808	mscorsvw.exe	58
PID 2808 wrote to memory of 1368	2808	mscorsvw.exe	59

C:\Users\Admin\AppData\Local\Temp\7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
"C:\Users\Admin\AppData\Local\Temp\7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2012

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 190 -NGENProcess 194 -Pipe 1a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 210 -NGENProcess 23c -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 15c -InterruptEvent 1a8 -NGENProcess 150 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 254 -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 15c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 150 -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 150 -InterruptEvent 264 -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 254 -NGENProcess 260 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 270 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 264 -NGENProcess 258 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 27c -NGENProcess 214 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 214 -NGENProcess 274 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 284 -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 258 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 28c -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 274 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 294 -NGENProcess 27c -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 27c -NGENProcess 28c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 29c -NGENProcess 284 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 284 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a4 -NGENProcess 28c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 28c -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2ac -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 294 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b4 -NGENProcess 29c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 29c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2bc -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2a4 -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2c4 -NGENProcess 2ac -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2b4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 240 -NGENProcess 2d4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2e4 -NGENProcess 15c -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 15c -NGENProcess 240 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 15c -InterruptEvent 2ec -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2bc -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2f4 -NGENProcess 240 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 15c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1124

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
648KB

MD5
ad5297303f22667e1582cb65c05b3462

SHA1
a5b14b9fbe64035b0e48075972bdb930f721a3e8

SHA256
bfd98a073b84c6d345c24d6a960137f143372efeb2cdb5006c7a45e26316c8a8

SHA512
42373f9a757741020f03551c791c8dd5b5e8840ded36947976543d6103d5ba3a2cf072756a95d84d08192cf8f95184caf11b6773ab1a62888661132765d42ada

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.5MB

MD5
f52860cae876627fc55aae4e5c0e0cb6

SHA1
53137ba4d25d647ccc797726163ccbec14b497f6

SHA256
f2ae60a9d76d403d65549d0be86d865e9702a510ebf1b29d32e8d3f02c2c6473

SHA512
e763b119aecd0f90e48dbff77d197dbed0abc8b169ff4dc608c179ee0e5d9bdaec5f3d492b2eafff18ff24de120c6ad7acaa54ed72b2f522c4cf22e9d2e0b284

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.vir

Filesize
4.8MB

MD5
10a7e15a85133a713af02dbf8f589544

SHA1
50f3949abf7024dd30d9f5408cf8a8528c08f0a0

SHA256
340d4943e981604c2385b211f3d06b43c60e97bd492badda5266838d7c26a27a

SHA512
56766b2fdde680c5eb6d34694430d991eec898ae448ced9c5b10b68393d7b4dab68c6ba78ee12df78739b101d60606c64bb3f2c5b8733763b65e8dc720b7315b

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.2MB

MD5
5af222c4a60bf638ffcbeb70099702f2

SHA1
9e2bab758564645a0f0b89d2c3cf714a8bf818f9

SHA256
cf9c739d1e55dc0681cb013cfba838b8f6f2f87fe1f06a9bdef76a728fa74ec1

SHA512
e098ce123d71516a02af6ad2f4c0c10836aa374e3cf8375b5487dcec457a3a1fc264577acdb6404021284b3a625ab8819899ad63571aac5db03e39eeccf2ab03

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
590KB

MD5
4aa5b4f3331c0d707c9f32b547da231f

SHA1
77e0583649b05db0fa945d7b7628f311a408cc39

SHA256
ef5cc2f1f23da6e3b021dc23c5220534927ae2ee7085636ce35ee66fcd35121d

SHA512
be24f3da0a6e3f59a522a390748dfcac235ba62f448773123437cea6a798f7232185f638ff54a5a20bdbc60dfe7a0a9709b0b84c58f3511619b29968095a3c34

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
e1c6a9bd0daba8228b9f1d00428b728f

SHA1
3a390d3d3c7a56b91ee24ab16120b9e063521ccb

SHA256
ba7e46af811d4c3d392b45f9eacff4c2e6922dd6925f731d8e9b88f56922b47e

SHA512
d66854db07802ddbeacc97608cc217900d8d4d847a0b3fce403a5101c4038a179e48817cee971c2ed37161a5aa55ced0852d3d9490373acc5b469473786deb1f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
618KB

MD5
a076be7549f037c382ddfc2d3d179f46

SHA1
7a127f6798a3b30b403012722043600e8b80bcad

SHA256
00e7046352e7b559982b5cc6d8ad3252d2cf01572a4821bd3129bbc1be92c632

SHA512
f96eb5cfa5875b30ce99929af09cf3b6471ba8812c5a236c3bf5d39a24775988c12c964db5ae619d70d116d7cdab63e681b30eb12aea7f9914291453dcced44c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
4a1c8dfd591702400af90b8b6fa494cb

SHA1
9d50486fb06f96bca25374d22d14c3b13edead29

SHA256
edcc5f3cff47a1ca8a5ba2b4c3710618388a79873138392c8308835885d2f164

SHA512
35340ac03e8a320bcd1ffef77e20075a08972d3907f96797af87de5702bf18c52750f568c57efc4153a0d78b4e750ea51078618bd108ebc9add01e4d47b57296

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
567KB

MD5
340d671673d443100b4bd1e80dff8cfe

SHA1
3debb996b28a85c9e6a4f38dbfec442a3c3bded5

SHA256
01317a22d6ebf9e166bdc3850d46bd9ffa904ecbe9fb36798fa9c1977e40c7d2

SHA512
681b97902848120237dbb485e75101ce9f07e5a80b1fcb5122642b5c97c35ab69d47a76640baca3685a4a2a55843ef8da2f212097493002a880120d0ef02fab2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
c1f9bde12a2f5d3e2deda6e5e42383cd

SHA1
89672ca304a685296ba86a1d1f8f19c6a13acebb

SHA256
acf86824ae64ec431218119959499874dd765cc58497e0fc55fc9940c510f7fb

SHA512
fd159d6c88990a9cfafad148200db8b185a4f79d833a2f183dffd0b3ef18ee5d29cd8348d4687efc7af5031861b990b5725794c5977eeda7862696d58ae73ebc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
598KB

MD5
5c048f6a754e8146b7c6b246cedf28b4

SHA1
54f5173305cd9a221642892dc2bf8019d5cd2201

SHA256
62b130a79d53f3b13e0c4b9c4ca43cd3fac3771f871e247a8f46117efc67f223

SHA512
88bb70a1e9461bf599707a66fe400b126fafaf1f7819109365e5ea96873a088a6bafbacb3c83c1e63e84a5ee6b387300cbe47ca64a041a916024cd8e7274bdb3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\20f3a8e5ab601872bcbea2dd3387964a\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
285c3f39845156e3a01364090cc6798a

SHA1
55fbc31aa7cfdc66861f89cf24878503cc8587bb

SHA256
268f94a20aaa6242faf076699abffe3ddcc4077fcbb71f5eeabbcc6b270f78bc

SHA512
4fd698e40bee06bb7a7e50f60f26076519b12fef871964c2fd0463b113ffcedac0ef2a20c13819a1de565d55bf3d6a90cb3f71a1026a2732950b791da795fad5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\45b4ca574e65a4b16c872062e578dcac\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
371918dfa6ba22dd6cc5e94a946511ae

SHA1
46d180c262c1dcbc791b7b161b02683c43f6b9f6

SHA256
4d2bb3224c01591f9e88ab63c7e717730f4feaa2fde95d6d4642d583ef7b809e

SHA512
1accfa2e53eb2b8e3a628a5a2faba16eb509c5bbc344581fa8dd028c85cb1f53d5c9c714cbd664838fd04b7dc0398c5ddcf0c9d07820e30390102b24aaa02bbb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9ecaa225137bd86a82f5531e30296ec7\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
46350d0d1e47a11beab87daca47b99d9

SHA1
26f16a01b0b9c195c4d7f9509f8844a2543469db

SHA256
a2050910dccddec358e05d8ca7de8917af0b2e05329f0e0233ccbad8f26345eb

SHA512
a0b7d2ed1389896bb73ff52c0843d9f6c5623549d6ee55132444edf419054ff4be452d06b9647e67d34b4614e4d659a8c9cfaef026dfaa3583a405148f273740

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\d36b723c6f181bb88f9031026959690b\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
e8732d3a378d2e4d27e8e34448671ebb

SHA1
ed8df2f0db851c363e688b1abf1bf2cd296f710a

SHA256
0107ca8e713c3b05d461f5af50cbcab5607a927dd8f42393e6916a6ad8cef076

SHA512
8ba3b7042b0fef36ba40d0b8e7555126edf1d40e7c0be070f67204e57f32d4347758f9971d01f34df47ccf33d401dd846e209e16c63e4e31eb32cdbb43715ae1

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
648KB

MD5
65201557af02494db68a91bf8c62961c

SHA1
414f0e47adcb12a14517c8f916ea97c6127aadfe

SHA256
03a26ae34b74a03f9e9be934ef13260c8f7f3e6178291430f548d375b4cd99df

SHA512
379134c381383127c8bfcd295ac9840320afa15dbf1c25152e8da1398e6621d93ee6aed65e73c39a51e81696d33ac6729ddcf8bd864d4b9b025d21f3fbd865e0

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
632KB

MD5
3e74b6d2ddcea349a7a377086c9d7d20

SHA1
ff9bf7c0eaecd47bd352fa5f4f08e45f23994414

SHA256
701200599c6a1324b487aa3ed1644e5644a4204dd93d2727530ddea0e8780f5a

SHA512
ff6c8409f73a130b6c69a35194ba846d544a0f6bdc4ce9ae42b7acd841d44055bcc676f93b28125086f00f0214b2ceb0942a75e2afed774669e0e7fa175407b7

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
544KB

MD5
f45e253c80110d0783d8a0ab77d2de2d

SHA1
9621ed60d9f3d4b7ced3f982a7395ca3e517ab18

SHA256
d6474a38f82c9f734e8cefd7cf3e378d987db8352514fd0c958c1d641f557d0b

SHA512
32213410c5aa5158876f3eb8cf164a2a54dadde8146dc51d05e93dfe387576edc707666f921951e841cf3ab44109f74de27e48e3dde43fccbee990db62e65c50

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
585KB

MD5
f03e19ef7c99f338286515c03eb06e12

SHA1
86b88024de80d64cc5367fc8b711699543965c29

SHA256
279fa42cc43732569cd48465a3213ef186fd93f2f8209c7378f870fc5446ea60

SHA512
1ac1902748d49e2e5fc4d1c5f5b013a210c9163855d50bfebae74b2ec50d9b0081f6cf58c04010b5be6b2236ba9ca9bf28d518f7f311ecbd10209c1ae5fb5b36

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
9c77ea4a5138ee02f53fbe1b7846782f

SHA1
2d233cae013cb3f34ab5f92264f5435c081533d2

SHA256
c7227edbce103bc16fd9148261b0b4534852920e28da142831bcd1e83ca96c00

SHA512
d067cd0d9a766cd8e388c4ab8a0f7ceddb412c4c3db4e727eb9f82eaefd3a7c8bedc9471252c7c7ffffc2c9bdc8ab889bb8519614951702543cff5bcbc2c7f27

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
646KB

MD5
7b6749267ca71dc488c8bab29f10c798

SHA1
fb340cbacc1fa82f6aea0709eec69a9e4d37d58f

SHA256
78ae493cfbc12fbe527cff256325b1ee32efafaccadc03e7c268b80316c2cb9f

SHA512
c92473b46ebd062615a55a0fd02e2223733473764ed9d39e381d5be478cb61ff067f4df908542ab03e2f504551aaf1eadb7f63f2520d8b22cbdaa9059ff39532

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
633KB

MD5
1a8d3dc04e71c9e86b4ce71f4814c6dc

SHA1
daa93bebbda1e5fd09b20d658baf82c7dedc3b84

SHA256
fae6e6ee03668289e3a2a1c301bdad55ba100ade2ebdfcff2c49691435236047

SHA512
16a76f65e02b084ccfaa930d0caaf9859f403f3ac5c89593003302da9f23548e3ee50aba29ad9d4fa1d337c53937cd8b0f8e87d06967dacea0f72be41ea8382b

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
522KB

MD5
1a2da83c6ae92b44d4a5aca3def48dbf

SHA1
899b85439e752afba453d0b6fde8e9b5f08ccc6c

SHA256
6fd4f6170ff2fe18dae8ad9034a539e6d81b186caba0387700dd6e79ba7d447e

SHA512
41035b1a20daddd89bee2754a7dbcdbcc78f83832e7a526e0a459db7c88626ce1fbd1df3d149e0041d3ad43c780141ad680555af617444b8dae960256a912ab8

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6e708eec40bb25c923d01f7c59b321e7

SHA1
48e5dfddba0556ce37d18e4ea342cc6d40dddf7b

SHA256
84237867842b4fe007e3e3c1f0479ad8000079cdded8cbfb5141db879c68b2b1

SHA512
77beffb3e51b0b8934e9c21c3c83ba28f533036bdef9c5ea6655535d7f21a2704836e38b20d36bd1978906f80bbad7d77ed4570d58e7a6dbf415a9a7140918fb

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
617KB

MD5
50d0e888c5f95aca2d0a468008deb4ce

SHA1
fbc8bd6a7e26a38f417b86b818318ce802ce145b

SHA256
fe711afc2223e459874c9f274fba9016d7bf4c6ba335b1680203884347dc0dd8

SHA512
b6b881942ed6a1c12b4472a1729a6af2b17626fac3ec7a8058c09b4c576ff06b90e1b04e0701775df1e93bccd296ac8e39c6da9db60b9a545b8780af010fa067

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC3FB.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC707.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCA90.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCD4E.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD069.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD327.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD588.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD836.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
memory/468-292-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/536-458-0x0000000003040000-0x000000000304A000-memory.dmp

Filesize
40KB

Download
memory/536-456-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/536-460-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/624-166-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/624-99-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/856-282-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/856-289-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/868-276-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/868-283-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/892-412-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/892-422-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/892-408-0x00000000006E0000-0x00000000006F6000-memory.dmp

Filesize
88KB

Download
memory/892-407-0x00000000006C0000-0x00000000006DA000-memory.dmp

Filesize
104KB

Download
memory/892-404-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/892-413-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/992-381-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/992-378-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/992-379-0x00000000032E0000-0x00000000032F4000-memory.dmp

Filesize
80KB

Download
memory/992-376-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1192-324-0x0000000000920000-0x000000000092E000-memory.dmp

Filesize
56KB

Download
memory/1192-328-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1192-322-0x00000000007B0000-0x00000000007C8000-memory.dmp

Filesize
96KB

Download
memory/1192-325-0x0000000003030000-0x000000000304A000-memory.dmp

Filesize
104KB

Download
memory/1192-326-0x00000000031E0000-0x00000000031FE000-memory.dmp

Filesize
120KB

Download
memory/1416-82-0x0000000140000000-0x000000014036B000-memory.dmp

Filesize
3.4MB

Download
memory/1416-133-0x0000000140000000-0x000000014036B000-memory.dmp

Filesize
3.4MB

Download
memory/1452-46-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/1580-390-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/1580-400-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1580-385-0x0000000003170000-0x0000000003184000-memory.dmp

Filesize
80KB

Download
memory/1580-384-0x0000000000950000-0x000000000095C000-memory.dmp

Filesize
48KB

Download
memory/1580-383-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1580-389-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/1748-427-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/1748-441-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1748-431-0x0000000003100000-0x000000000310E000-memory.dmp

Filesize
56KB

Download
memory/1768-462-0x000000001C100000-0x000000001C10A000-memory.dmp

Filesize
40KB

Download
memory/1852-443-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1852-440-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2008-2-0x0000000001000000-0x00000000011BA000-memory.dmp

Filesize
1.7MB

Download
memory/2008-1-0x0000000001008000-0x0000000001009000-memory.dmp

Filesize
4KB

Download
memory/2008-0-0x0000000001000000-0x00000000011BA000-memory.dmp

Filesize
1.7MB

Download
memory/2012-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2012-21-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/2012-54-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/2052-361-0x00000000030E0000-0x00000000030F6000-memory.dmp

Filesize
88KB

Download
memory/2052-360-0x0000000003090000-0x000000000309E000-memory.dmp

Filesize
56KB

Download
memory/2052-367-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2052-366-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/2052-362-0x0000000003100000-0x0000000003110000-memory.dmp

Filesize
64KB

Download
memory/2052-377-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2052-359-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/2052-358-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/2152-167-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2152-165-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2244-300-0x0000000003170000-0x0000000003186000-memory.dmp

Filesize
88KB

Download
memory/2244-302-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2244-291-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2244-298-0x00000000007F0000-0x00000000007FC000-memory.dmp

Filesize
48KB

Download
memory/2244-299-0x0000000002F90000-0x0000000002FD8000-memory.dmp

Filesize
288KB

Download
memory/2244-297-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2328-356-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2328-354-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/2328-352-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2348-333-0x00000000008D0000-0x00000000008EA000-memory.dmp

Filesize
104KB

Download
memory/2348-332-0x0000000000840000-0x0000000000856000-memory.dmp

Filesize
88KB

Download
memory/2348-331-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download
memory/2348-330-0x00000000007B0000-0x00000000007C8000-memory.dmp

Filesize
96KB

Download
memory/2348-334-0x00000000008F0000-0x000000000090E000-memory.dmp

Filesize
120KB

Download
memory/2348-351-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2348-342-0x0000000003590000-0x00000000035A8000-memory.dmp

Filesize
96KB

Download
memory/2348-341-0x0000000003590000-0x00000000035A8000-memory.dmp

Filesize
96KB

Download
memory/2376-304-0x0000000003030000-0x000000000303E000-memory.dmp

Filesize
56KB

Download
memory/2376-305-0x0000000003080000-0x000000000308C000-memory.dmp

Filesize
48KB

Download
memory/2376-321-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2376-311-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/2376-312-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/2376-306-0x000000001C4A0000-0x000000001C4E8000-memory.dmp

Filesize
288KB

Download
memory/2376-307-0x0000000003090000-0x00000000030A6000-memory.dmp

Filesize
88KB

Download
memory/2560-457-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2712-405-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2712-399-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2712-402-0x0000000000990000-0x00000000009A6000-memory.dmp

Filesize
88KB

Download
memory/2712-401-0x00000000007C0000-0x00000000007DA000-memory.dmp

Filesize
104KB

Download
memory/2740-423-0x0000000000810000-0x000000000081E000-memory.dmp

Filesize
56KB

Download
memory/2740-425-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2748-63-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2748-36-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2748-35-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2776-205-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2776-164-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2776-89-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2808-92-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2808-58-0x0000000140001000-0x0000000140002000-memory.dmp

Filesize
4KB

Download
memory/2808-57-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download