expiro | 9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
Size

610KB
MD5

0972faadc9af1807c3e66cb01aef5c76
SHA1

4e1cb9444397bf64f8c8118104e3573b63b703fd
SHA256

9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb
SHA512

a7000602df6358ddfaf7c67166010e0d98f80dd3957188baee624ace4eeea1ed1eda1e296ee8ceaf0e61b1bbdec3f157c89cf621e2e137941468e2eddb359e25
SSDEEP

12288:BPrneXCtwpxa5ICfznTODkiRrZ3VpWCDy7Frd34:BPr4CmpxayCfznTkhVpN6rdo

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 4 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2636-2-0x0000000000400000-0x0000000000656000-memory.dmp	family_expiro1
behavioral1/memory/2068-56-0x0000000010000000-0x0000000010257000-memory.dmp	family_expiro1
behavioral1/memory/3048-161-0x0000000000400000-0x0000000000660000-memory.dmp	family_expiro1
behavioral1/memory/3048-162-0x0000000000400000-0x0000000000660000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 49 IoCs

pid	Process
2068	mscorsvw.exe
476	Process not Found
2348	mscorsvw.exe
3048	mscorsvw.exe
2572	mscorsvw.exe
1052	elevation_service.exe
620	mscorsvw.exe
1512	mscorsvw.exe
1660	mscorsvw.exe
2196	mscorsvw.exe
2344	mscorsvw.exe
2088	mscorsvw.exe
912	mscorsvw.exe
556	mscorsvw.exe
2508	mscorsvw.exe
1796	mscorsvw.exe
1600	mscorsvw.exe
2736	mscorsvw.exe
380	mscorsvw.exe
2416	mscorsvw.exe
1492	mscorsvw.exe
1616	mscorsvw.exe
2800	mscorsvw.exe
2740	mscorsvw.exe
536	mscorsvw.exe
2540	mscorsvw.exe
3052	mscorsvw.exe
1304	mscorsvw.exe
1724	mscorsvw.exe
3032	mscorsvw.exe
1776	mscorsvw.exe
3068	mscorsvw.exe
2612	mscorsvw.exe
936	mscorsvw.exe
2700	mscorsvw.exe
2448	mscorsvw.exe
380	mscorsvw.exe
2476	mscorsvw.exe
1252	mscorsvw.exe
2160	mscorsvw.exe
2212	mscorsvw.exe
536	mscorsvw.exe
2188	mscorsvw.exe
1724	mscorsvw.exe
2960	mscorsvw.exe
1776	mscorsvw.exe
992	mscorsvw.exe
940	mscorsvw.exe
1956	mscorsvw.exe

Loads dropped DLL 35 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
912	mscorsvw.exe
912	mscorsvw.exe
2508	mscorsvw.exe
2508	mscorsvw.exe
1600	mscorsvw.exe
1600	mscorsvw.exe
380	mscorsvw.exe
380	mscorsvw.exe
1492	mscorsvw.exe
1492	mscorsvw.exe
2800	mscorsvw.exe
2800	mscorsvw.exe
536	mscorsvw.exe
536	mscorsvw.exe
3052	mscorsvw.exe
3052	mscorsvw.exe
1724	mscorsvw.exe
1724	mscorsvw.exe
1776	mscorsvw.exe
1776	mscorsvw.exe
2612	mscorsvw.exe
2612	mscorsvw.exe
2700	mscorsvw.exe
2700	mscorsvw.exe
380	mscorsvw.exe
380	mscorsvw.exe
1252	mscorsvw.exe
1252	mscorsvw.exe
2212	mscorsvw.exe
2212	mscorsvw.exe
2188	mscorsvw.exe
2188	mscorsvw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1846800975-3917212583-2893086201-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1846800975-3917212583-2893086201-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\O:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\Q:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\M:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\N:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\G:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\K:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\U:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\W:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\X:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\Y:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\E:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\I:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\J:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\P:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\V:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\T:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\Z:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\L:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\R:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\S:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\Y:	mscorsvw.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\beibpfdg.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\SysWOW64\acanpjbl.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\qoqklcfm.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\hhdocinm.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\wbem\lekddonp.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\SysWOW64\finnfjne.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File created	\??\c:\windows\system32\kleeppfm.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\pajhoefm.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\ahgidflm.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\jjfgqhop.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\alg.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\mjliibhp.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	mscorsvw.exe
File created	\??\c:\windows\system32\nhgedold.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\vds.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\cbaegcop.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\ndgeiped.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\ljpofdbo.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\qclpilae.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Internet Explorer\agpepnfq.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\7-Zip\nnknaeep.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\7-Zip\dklkkafp.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\gmoggjie.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\jiianoje.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\feqkbkgm.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\ofpdkdno.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\enendkpo.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\program files\windows media player\aakpcnmg.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ighnagcm.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Internet Explorer\aglddoil.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\gdaoemja.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\cgakfigd.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File created	C:\Program Files\DVD Maker\knqknjlo.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\hpbanfjo.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Google\Chrome\Application\bhlnifll.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\emdpmifb.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index151.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC18B.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCC35.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCE47.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index144.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD681.tmp\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPDB90.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index145.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPD00C.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCA03.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC497.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index150.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\okjlgbho.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index149.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index152.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index146.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC755.tmp\Microsoft.Office.Tools.v9.0.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index147.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14a.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBDD3.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\ofgnfcdn.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe
2572	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2636	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
Token: SeDebugPrivilege	3048	mscorsvw.exe
Token: SeDebugPrivilege	3048	mscorsvw.exe
Token: SeDebugPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	3048	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe
Token: SeShutdownPrivilege	2572	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 620	2572	mscorsvw.exe	36
PID 2572 wrote to memory of 620	2572	mscorsvw.exe	36
PID 2572 wrote to memory of 620	2572	mscorsvw.exe	36
PID 2572 wrote to memory of 1512	2572	mscorsvw.exe	37
PID 2572 wrote to memory of 1512	2572	mscorsvw.exe	37
PID 2572 wrote to memory of 1512	2572	mscorsvw.exe	37
PID 2572 wrote to memory of 1660	2572	mscorsvw.exe	39
PID 2572 wrote to memory of 1660	2572	mscorsvw.exe	39
PID 2572 wrote to memory of 1660	2572	mscorsvw.exe	39
PID 2572 wrote to memory of 2196	2572	mscorsvw.exe	40
PID 2572 wrote to memory of 2196	2572	mscorsvw.exe	40
PID 2572 wrote to memory of 2196	2572	mscorsvw.exe	40
PID 2572 wrote to memory of 2344	2572	mscorsvw.exe	41
PID 2572 wrote to memory of 2344	2572	mscorsvw.exe	41
PID 2572 wrote to memory of 2344	2572	mscorsvw.exe	41
PID 2572 wrote to memory of 2088	2572	mscorsvw.exe	42
PID 2572 wrote to memory of 2088	2572	mscorsvw.exe	42
PID 2572 wrote to memory of 2088	2572	mscorsvw.exe	42
PID 2572 wrote to memory of 912	2572	mscorsvw.exe	43
PID 2572 wrote to memory of 912	2572	mscorsvw.exe	43
PID 2572 wrote to memory of 912	2572	mscorsvw.exe	43
PID 2572 wrote to memory of 556	2572	mscorsvw.exe	44
PID 2572 wrote to memory of 556	2572	mscorsvw.exe	44
PID 2572 wrote to memory of 556	2572	mscorsvw.exe	44
PID 2572 wrote to memory of 2508	2572	mscorsvw.exe	45
PID 2572 wrote to memory of 2508	2572	mscorsvw.exe	45
PID 2572 wrote to memory of 2508	2572	mscorsvw.exe	45
PID 2572 wrote to memory of 1796	2572	mscorsvw.exe	46
PID 2572 wrote to memory of 1796	2572	mscorsvw.exe	46
PID 2572 wrote to memory of 1796	2572	mscorsvw.exe	46
PID 2572 wrote to memory of 1600	2572	mscorsvw.exe	47
PID 2572 wrote to memory of 1600	2572	mscorsvw.exe	47
PID 2572 wrote to memory of 1600	2572	mscorsvw.exe	47
PID 2572 wrote to memory of 2736	2572	mscorsvw.exe	48
PID 2572 wrote to memory of 2736	2572	mscorsvw.exe	48
PID 2572 wrote to memory of 2736	2572	mscorsvw.exe	48
PID 2572 wrote to memory of 380	2572	mscorsvw.exe	49
PID 2572 wrote to memory of 380	2572	mscorsvw.exe	49
PID 2572 wrote to memory of 380	2572	mscorsvw.exe	49
PID 2572 wrote to memory of 2416	2572	mscorsvw.exe	50
PID 2572 wrote to memory of 2416	2572	mscorsvw.exe	50
PID 2572 wrote to memory of 2416	2572	mscorsvw.exe	50
PID 2572 wrote to memory of 1492	2572	mscorsvw.exe	51
PID 2572 wrote to memory of 1492	2572	mscorsvw.exe	51
PID 2572 wrote to memory of 1492	2572	mscorsvw.exe	51
PID 2572 wrote to memory of 1616	2572	mscorsvw.exe	52
PID 2572 wrote to memory of 1616	2572	mscorsvw.exe	52
PID 2572 wrote to memory of 1616	2572	mscorsvw.exe	52
PID 2572 wrote to memory of 2800	2572	mscorsvw.exe	53
PID 2572 wrote to memory of 2800	2572	mscorsvw.exe	53
PID 2572 wrote to memory of 2800	2572	mscorsvw.exe	53
PID 2572 wrote to memory of 2740	2572	mscorsvw.exe	54
PID 2572 wrote to memory of 2740	2572	mscorsvw.exe	54
PID 2572 wrote to memory of 2740	2572	mscorsvw.exe	54
PID 2572 wrote to memory of 536	2572	mscorsvw.exe	55
PID 2572 wrote to memory of 536	2572	mscorsvw.exe	55
PID 2572 wrote to memory of 536	2572	mscorsvw.exe	55
PID 2572 wrote to memory of 2540	2572	mscorsvw.exe	56
PID 2572 wrote to memory of 2540	2572	mscorsvw.exe	56
PID 2572 wrote to memory of 2540	2572	mscorsvw.exe	56
PID 2572 wrote to memory of 3052	2572	mscorsvw.exe	57
PID 2572 wrote to memory of 3052	2572	mscorsvw.exe	57
PID 2572 wrote to memory of 3052	2572	mscorsvw.exe	57
PID 2572 wrote to memory of 1304	2572	mscorsvw.exe	58

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
"C:\Users\Admin\AppData\Local\Temp\9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2068

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 238 -NGENProcess 244 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 110 -InterruptEvent 1c4 -NGENProcess 1ec -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 258 -NGENProcess 150 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 110 -NGENProcess 24c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 110 -InterruptEvent 264 -NGENProcess 1d8 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 1ec -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1ec -NGENProcess 110 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 274 -NGENProcess 268 -Pipe 150 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1c4 -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 264 -NGENProcess 278 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 24c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 284 -NGENProcess 1d8 -Pipe 110 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 264 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 26c -NGENProcess 1d8 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d8 -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 294 -NGENProcess 264 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 264 -NGENProcess 26c -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 28c -NGENProcess 24c -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 24c -NGENProcess 268 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 2a4 -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 280 -NGENProcess 28c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2ac -NGENProcess 268 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 268 -NGENProcess 2a4 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2b4 -NGENProcess 28c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 28c -NGENProcess 2ac -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 26c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 26c -NGENProcess 2a4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2c4 -NGENProcess 2b4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2b4 -NGENProcess 280 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2cc -NGENProcess 2a4 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2a4 -NGENProcess 2c4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2d4 -NGENProcess 280 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 280 -NGENProcess 2cc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2e0 -NGENProcess 2bc -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2d4 -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2ec -NGENProcess 2c4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2c4 -NGENProcess 2e4 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 2f0 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2ec -NGENProcess 2f8 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 308 -NGENProcess 2c4 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1956

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ncjookla.tmp

Filesize
694KB

MD5
a2aeffdbbd8ea87a7b29835036885b47

SHA1
95c55ceab182ecba0c622d2817f9594fdbcd6e56

SHA256
5828c3cbcb1d0666e790825f213ff13737fb61ccb730215fbe6fdeeb2e84cc94

SHA512
aab11de99c2cfbfafb4b256c0552477e918fc207f4dac25392c19fbb0fd074ac7258ad9cedaf984403997aabaf568e295e18e643e4a972c181360c75098b68d3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
6d22a322ddc1d77e65b3c18f8ba7936a

SHA1
49c5cc95c22c94d8d48b1fbfbf966d398cf520dd

SHA256
c401e2c8f7963587846ed9f87a99dae4e745f4f5359ea1b7375217abbdb7cabb

SHA512
9139e2b812670e6ec4997d5011a4ff5f62e3f0d3d239787f0d57dbeb4a24682404facad865379055d414cd9be766a6b3566ddf4fe842b217082a5ecb66fa19c6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp

Filesize
4.8MB

MD5
0f7d354ed8a44f797f1f76847525301f

SHA1
f3d224c45effac882575e15a8034d120435ec908

SHA256
14a82a559b2b4fc8fbf4b9d7633a411b1f7a49e2c43390606a8862e6012b4238

SHA512
14cf4e2f0a3cd7600da371d1d1601a3c1c8e08ad9a0b2d328179ac5c26134d6c32f5163cde53f81bdfabe14683a29821d50490c95d9789c041ec59a1e8eecf05

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
7044ec01780be414f188252d758b72f2

SHA1
9a9d6f956db302e42b8a3895fe8627c6493c1ceb

SHA256
8e9462cae1334c79ef059cdf380eb366c31e3965c2af16a7f0ad7b65b12d6a10

SHA512
771809f836826004aec1c64e8852813c57ee03f625f194f5213610f249b2fa0710dbeded345d0ceee098349cade23ab56f5d974dbcc7ef0446e2389110b2609b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
50d6de81ea31f0d39dde5cea6c1bbd72

SHA1
a2a47dbee39cbdbc9d899d3ed073289a34a718f4

SHA256
01b3a764926ff0e4c04e31d6f2a0d09542b8d9d15664da4cccd4d13e13ea5c53

SHA512
465468d026503314a206c1755eaeccfa28ba4cb831c5ea9b3ca5492e3aa87846db415e24970e14dbd543c2f2f03199772ef0f60011c3359a58469ff82083e5f2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

Filesize
8KB

MD5
57ee4c8f5f4703e7a4eea4a7dadb5169

SHA1
9bf2b1bf35e6e85d8d784aed6b8539d32b6cdc25

SHA256
cb02102953142485a9ccb3daf4fe6782988ebab00d5bd44352c03243031f09aa

SHA512
35427fc7c4346475bef61f6ab63faf12fb234c78f77f0623a4fe1f648e2abe6c972f4ba49726ac6bee6abdfa8143ca4a96e0a9fe11bf33afe20dc4478dc069a2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
f009de1074d5ceaf0d04bfd97a235bae

SHA1
9b293c17609b218183beed9b10c9eb9197d93ef0

SHA256
59693714c69c1b6484faf6d470bfb6f21e806955a31b86a8468ac16cc25543a0

SHA512
2a566cf5657861b89853dea446ffedea18c5e218bfb6613a6044ea32d5aefef8b3add29fcae2a43581a9546c1ded13d1504ccbff93c855bf601760de2b3c7797

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
8ebb0d2317312357063ab21725002f74

SHA1
33ae32e3e26244dcf589a6928bc73b7cb2e6ab58

SHA256
5b53069a97f6e2547189819d5370aedf2eebd7e7c3840a404a629a95f0c4d3a6

SHA512
8b81242e0e8758fbf2d84d25f912ae13ce81adb52169bf40893b7c526b25bb425e1ae9fa762b9243438f625efd135950e93bf95b80e263fc49e8658759211ab2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
4e600887f89a82a1e7d50471768dfc0e

SHA1
9133b485fb8735c2a57867aaa5f7b28304a01ea7

SHA256
94ad2a155ae782917c5a53bd2a90adeaef5af510edee6fdd09c1b9c01ac954a6

SHA512
5ecbaaccea8dccdc3b7267187d8292ec56ce3bf4ad68eea59984a8148bdc2b4fa9837dd5f28fb6d04a9132d02440e2edba6ced1eb0cda8a715f99cceec6f4bb7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

Filesize
205KB

MD5
0a41e63195a60814fe770be368b4992f

SHA1
d826fd4e4d1c9256abd6c59ce8adb6074958a3e7

SHA256
4a8ccb522a4076bcd5f217437c195b43914ea26da18096695ee689355e2740e1

SHA512
1c916165eb5a2e30d4c6a67f2023ab5df4e393e22d9d8123aa5b9b8522fdb5dfe539bcb772a6e55219b23d865ee1438d066e78f0cb138a4a61cc2a1cecf54728

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

Filesize
43KB

MD5
68c51bcdc03e97a119431061273f045a

SHA1
6ecba97b7be73bf465adf3aa1d6798fedcc1e435

SHA256
4a3aa6bd2a02778759886aaa884d1e8e4a089a1e0578c973fcb4fc885901ebaf

SHA512
d71d6275c6f389f6b7becb54cb489da149f614454ae739e95c33a32ed805820bef14c98724882c4ebb51b4705f41b3cdb5a8ed134411011087774cac6e9d23e8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

Filesize
198KB

MD5
9d9305a1998234e5a8f7047e1d8c0efe

SHA1
ba7e589d4943cd4fc9f26c55e83c77559e7337a8

SHA256
469ff9727392795925c7fe5625afcf508ba07e145c7940e4a12dbd6f14afc268

SHA512
58b8cc718ae1a72a9d596f7779aeb0d5492a19e5d668828fd6cff1aa37181cc62878799b4c97beec9c71c67a0c215162ff544b2417f6017cd892a1ce64f7878c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\38abae6b581afd79fd103a586cdf05ab\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

Filesize
221KB

MD5
5b6428fd58c08c5a9bf58d66db56bc69

SHA1
f9469b7db22138e3c8e8fa0105b6604ce11c52be

SHA256
e486774d7e1c67394231038d5f282b5b361889466e4a523d6845b8f6d6f25b9b

SHA512
162d51a46d45eee3fefcc40693ea0ea3659f40134aa155b1c183589537ca1a5e8cfc58013b727d3a54af056d527b7d1214a02d7fdb9db80f703f6e16758a20f2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\55d771f97fb2868209628d61205ea05d\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

Filesize
305KB

MD5
c809941cfd17684f42b468ebedd7f994

SHA1
6a615359c3774c7cd01a360030979da6364b7d10

SHA256
16f494ae1ace72f837cf4b987a6a4bf67c314bde6cfeb0f83b9209e5d020f856

SHA512
1fcc7c9b5e434e4b1effb964817803d9e96396b543a619c478dbe30677bb95479174dba6f7ec3f30d8a8bc7ad1e12e228f8c3070293768b5d81326d8474ccb19

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

Filesize
70KB

MD5
57b601497b76f8cd4f0486d8c8bf918e

SHA1
da797c446d4ca5a328f6322219f14efe90a5be54

SHA256
1380d349abb6d461254118591637c8198859d8aadfdb098b8d532fdc4d776e2d

SHA512
1347793a9dbff305975f4717afa9ee56443bc48586d35a64e8a375535fa9e0f6333e13c2267d5dbb7fe868aa863b23034a2e655dcd68b59dca75f17a4cbc1850

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\87cc4025d4f0bd3d07686b37ef2b3b8c\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

Filesize
122KB

MD5
51bf44d66c72614cce3fca8868bb2ccb

SHA1
1c2288ab8e9a9cc59ebccc66e665ea193cd47764

SHA256
b9ad4e43d9cab9935c084ae637ea613f48998c4b2494ff290db2936d8fcb2898

SHA512
98d75b85e7df04a6b5eba4dccb2a3346b751ce4fb0179a2dafc405cb5c4b3cb1a7d7d7ac668f6ea0423ec8a5e5db6d546967b78ad4a52dd113e88a331607c7b3

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

Filesize
82KB

MD5
2eeeff61d87428ae7a2e651822adfdc4

SHA1
66f3811045a785626e6e1ea7bab7e42262f4c4c1

SHA256
37f2ee9f8794df6d51a678c62b4838463a724fdf1bd65277cd41feaf2e6c9047

SHA512
cadf3a04aa6dc2b6b781c292d73e195be5032b755616f4b49c6bdde8b3ae297519fc255b0a46280b60aaf45d4dedb9b828d33f1400792b87074f01bbab19e41a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\f894013e930b164e7e9282c2662a3a9e\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

Filesize
271KB

MD5
2a030841615b3f7d515763a55d4c1d4d

SHA1
93e19dacaca36afd09d9efcb151352f3da538e03

SHA256
98a0323646972c46bafcc3b58bbe8d3a82ae92a5c73cb444f7d17a8feb581972

SHA512
f02d387c42599c77c1c8992aac8a768507874d57569be4eebeaeb2268aa56c532b78f78af98363604faa3f8acfb634f439c155965435e447185f4dc26baf9f28

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

Filesize
43KB

MD5
dd1dfa421035fdfb6fd96d301a8c3d96

SHA1
d535030ad8d53d57f45bc14c7c7b69efd929efb3

SHA256
f71293fe6cf29af54d61bd2070df0a5ff17a661baf1b0b6c1d3393fd23ccd30c

SHA512
8e0f2bee9801a4eba974132811d7274e52e6e17ccd60e8b3f74959994f007bdb0c60eb9facb6321c0fdfbcc44e9a77d8c5c776d998ccce256fa864338a6f63b1

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
694KB

MD5
01bd56b39818484a0f2dcc5964e952cb

SHA1
77248ceaedf2643c959a3153360918f9db530089

SHA256
b732719b1326febdd501bd021f249504630aa34b6b635890bc30d338aa21e378

SHA512
acef6e93bb09e0c73077b7281e49bcea80033a1e1904ff1dadd1ae77ec3351982c0934c781d2f2047bfc7f95dc4811fb7f952d06823e7de9ed02e3dae4690971

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
7fa6ef139e050cffc38e667e2d7fbbaf

SHA1
89c496663a4e4009412f8c485e8a7ad26e1fa3c1

SHA256
e59cb6e007a6098df1f7795e918626b293ee5083f6387ace6ff1419bdbca7926

SHA512
ad4979703083b3255c6578b7c343162525f14f626febad0db756c827eeaa57870a43dcef5b68176cedf37c6954f2615bda4bbb7a90dd1c1dbddd80e461e5db49

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
769KB

MD5
88e460603912289d3faca5c52db4693b

SHA1
69229de0ad34f49015f98a33f0ec0fe5b1ccede6

SHA256
066a47dc46107a1e3f533264f0905ca2c2c9824819df3d3990be1a19d5f3c222

SHA512
60ae9563ddbb428cb701aabb81b259dfc7d330011fa14d6a30d63ce0c97985680bc6635861393bf6332c4f4f11944fca72aef39e8a6619d1aaa704394ad866bb

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
2.0MB

MD5
39c573393efb27b814d4a8b43ae4e731

SHA1
d834ebbd3f1ac906be69b00a0d21cbd598556661

SHA256
dd5ead36461e5a889eead04804e454d1cc269717187f2e421bf3d6df8b9724cc

SHA512
404cd1d974f8db74e4f09d06dced870a9d7687f0f28e62e818332073877110b2001930fbd0cdcc84020ef664363956f7bf0ebf331d178b90ef71df447e438a1b

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
27a37e40a867d9546db9b01af7ec728e

SHA1
07e564722cf8cffd8f660f9f1a7a3ef63426e87c

SHA256
473bb8dd7495c3709188523ed1dc3ba41c7370fde2e0f069662a52c6915623c8

SHA512
78f32e666bd01de68e13616e4da4f9cf6f2722b2f75c2db303edda6059c28dfd4ca31f802bee4af62dccd82f5f41ac1af8bd3bf35037247fb4aafc2847f4b84b

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
679KB

MD5
061fa6ed92b6e0d76ef852bf082e110c

SHA1
b5f058533694d92f53dfbd423f781439309f0f07

SHA256
d4dfc58abee93b3928ad9884a118b18797c931f1bb7a778de0b3e9dca43e5ccd

SHA512
5c48c54b4074bb0cca958dddd6f6d8333fd04844e5b2f164f08859beb99893e782fc28e30c838a099a144d8bae46940317078ca1a7b26297e6b72c9f1b7ce6bf

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
591KB

MD5
bc10d70d313309dd7d2a36ff39e675a5

SHA1
ad622e869dd093e546dbacbdcbe261a1810a625a

SHA256
70d28a5001614a8013fa4fd4e1dea31b2a58b48229f9e669d526e7e67c7d1d5d

SHA512
0d4344707bfd9199cf223367cac54b44089117e7b11db5ddca97aa058d99e0bda4d2e73fa7ab93171ef9c75f0f47b7e645274d5da1ed470300408a499a605afa

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
632KB

MD5
c56375d59c661c275257fce5b9bdee3f

SHA1
4f753993da0e2816ba5ed4ae35c58a35ca51dca3

SHA256
1cc12c67b0dbce1df1be7b1c6480df9c0533a5c5471a580a486ba5db689fac54

SHA512
a8383089d652bd41bd938af9f68291d14e6a4ecbfe5f72c4267b2c3e61f9bd0055f771cb2f3138e6621f0a6a13c430b8cf770ee9fbc957dd7033c36c8817a609

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
342f712a604dd3a0a108a1badab061bd

SHA1
c19d39a54ca44649dea9c83edd18c0f8b9b0fc5d

SHA256
ad5736cd1ca27107531bf365c2af5c07d03fa6f20942a4c4f102557a7eb17f0d

SHA512
6628cffa8bdc636a0e755aa00241b439edaa1f3e8ef70a03216786903b4b5bf62e8f25320232d018999701872b948306071c6c3da1f4d9170c2d4210fb342ff9

Download Submit
\??\c:\windows\system32\ieetwcollector.exe

Filesize
662KB

MD5
05ac9ca41f28763beafde9aeacb02923

SHA1
141ea5abded269436fddaea75f053516f086618f

SHA256
e2d15c691c8c3bfc4541a325c9cc273aa3d171d40dc365882439b8d76957048e

SHA512
acb06cf3a96d4823dfa032024e9132535221f677ee3da59a512a647561d01c38b6ffd52e332d084c4b5e6cd32696a6beec0026275a28d03c097dcaf208e5e3fb

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
693KB

MD5
f09dc949ad36f7ef9cf174d9b29db9bb

SHA1
82a7ea10e776d6e3f82bd034c411b1b23a661233

SHA256
771f315755560841bfe3d9f50879967ebba186134337aa61c0c27563d863b2e9

SHA512
4a1d1120b0f53781958dec1906dec1e930dc86cd6db6ed04f809595e2b42185774b80ca1be26e85f7fa8cce896f458cad0d54f0cb68ae697febff3095f103f37

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
679KB

MD5
c90d97ddff38ee931f33e6c6dccfa17e

SHA1
9531d9069672db2a6f388ae9399da1088f086b84

SHA256
a1f71c2bb9578bdf3086d23f7a43870611ce71ac6c1dd5834d7720563657f7ee

SHA512
2d67e2d453085ddb98d22ed5216b569560face5de021c3ab194a1da3b6c11e868afed152e3ae970b09696ec0ecb97b2e644c04186167c59fba66d74804a6d247

Download Submit
\??\c:\windows\system32\searchindexer.exe

Filesize
1.1MB

MD5
e7dd3c6fab8f51effb4afc1202420aec

SHA1
23f532e8dc5daf5639083c893bb6951fad8edd60

SHA256
050d1b6bb56950cfa7cb0e8886bcb4ed6ca3ceb506acb095aca315e90a53d05b

SHA512
bd7f29e27d7fc31f927457c46cf35afa4296af2cba6aad74884bac6a9a0640ec0dae3f735e6511a019ffa831f9b121b9c61511e5bd58c57e4b7064b9d17c6fde

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
569KB

MD5
54238db75a27db47f1ab4f710f6e8199

SHA1
07c245ed91b6589ab6252d78f9525e6fb9ea3134

SHA256
14a1c7af287d8737fe1b2a703ccaed4879110cd8b0c153f08d51a56538935e2c

SHA512
f86fc52fbc62be3ee31ea82331970b6d7e7bd31b18deca41988b576b3ea6cbbf4bc807802fbee25a888d899c25de83f76c63564801804cfdbc84d0365f695d0b

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
595KB

MD5
938ced4056d85488eacdd0c7ad43b95a

SHA1
b0c5e0645aa84aa96b2e903df51388339c839dd0

SHA256
5f2252db824bfb7db067a4d1a1d0980a9451bab6d660ecd52af0038ccdad4365

SHA512
1c71e0e9de66b3bfcfb9ad0eec832b9b1de2afd0621c77ddab5081f15d926095a237360a688ad51da1ffae674fce0a12757bbc22a6c0636e2c4e8ac8ad099963

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.0MB

MD5
004c898a129c97f1ff00065e2be77d9e

SHA1
dd28756143c48dfb93d987fc436908edc326f6a8

SHA256
3ec06dd5ca52d1064477c82bf5bdacbfadcf583695d00399a26ba8ae88249a51

SHA512
d58d958bca9191d147d3582bab4f131d078547e74f0c943f42ff5b9cfa243f359c0d7f879ceca17802b3966c3924bfcd28315e2ba2eb473920b2218d99efd5c4

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
33babcccecfbf93efc3918cf6c7253a6

SHA1
c2d6f452aade50136064d66173c823ba75ae1032

SHA256
4723ff27d656d6d7bc7fa34d623108d7987dc25603bbac670ae40dc531b58905

SHA512
79faec7fe754e4b52b750a1c0f10aa1af1757c22c1fddbee8761d61466b8d0f26e142eee52d38aebab499e2b7ff0c2a8bac9ba34c9df876c7cc9b90e3fdd0ceb

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
753KB

MD5
194b4cfb665ff6537ba26322f48239ec

SHA1
f89e38b35958e7aeae6fc6fc24903b2dba9fce4f

SHA256
0f5db3070907afb94831b592a01c6fc271a4da6cc88812886565d27e71d1e3b6

SHA512
e1475d6408aeb30b89e9c50688cff53998e3a5093a08c2a97021cd05e68f3dd8ef26da7ca5c98913914280ea869b1d4c973d1df2e98a2e43284d02053fd78799

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
05b787b6435d092b822bbc0db1ac1d0f

SHA1
92f698c1b84f20979a7010a9a9c05ea3c210d135

SHA256
e74a04106f4ba1a6fc60665b88d99e0f5df2d040a849dcf9ccabb32dadf248d7

SHA512
2a0dc90e15a8ca85fc6ce16b5f1cfba991c7d84b61dd3c08628ba1ce55187ae35baef5ab974899495ad2cb971212f9b8be9d1db1d47ad0cfb0ba2c631d235580

Download Submit
\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
334b1001f151fb9ffcb675217563b01f

SHA1
5858631eebd3031acb76c99a0de6f7b389ebeed3

SHA256
93b4bb999405a866f8c79d62b3ca19dc1bc6340698278325c10732ed723c7eb4

SHA512
1f1cf632262459240b969aa30a74d6b1a284e518d470a0fc795d3e0012093cff92ab8dec1dcee5c6b23ec00dcc418f314d7cece1b3591bc583397c4ae3b4ae67

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
636KB

MD5
ba6213d83e8f9532463d9ed88abcead6

SHA1
e1582e8837dab92a04a31a8d16c4a761dff7786b

SHA256
efe5ca6b083bdf56c6ebcf9d93282fcae8d8fd9a70a74d97d483f50c8008b6fb

SHA512
77a18a003ad7a37299295683286c0793594f4fb174ff8e7e477d9dd8d5b9502fe8b6a96f3245f3625378b1979a1804c400058cbef1d5c67109a0f0fd36d28e8b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
731679419785927062d5d640d6535432

SHA1
04060ab11ffcd0ae3cafda69f58c98a46c19de63

SHA256
859abadcd8b88569b9af7d0d45a72ce863bd04f1bff65693a7df2e88cba9fa84

SHA512
7d995782f8fbc064098b74c6efa25f1d5f625574742b2241ac88121aac98fbf917eb626d842c4a02b77d74d53e28c94709a8b1943e82bad95773423ccea4ebfc

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBAA8.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

Filesize
85KB

MD5
5180107f98e16bdca63e67e7e3169d22

SHA1
dd2e82756dcda2f5a82125c4d743b4349955068d

SHA256
d0658cbf473ef3666c758d28a1c4bcdcb25b2e515ad5251127d0906e65938f01

SHA512
27d785971c28181cf9115ab14de066931c4d81f8d357ea8b9eabfe0f70bd5848023b69948ac6a586989e892bcde40999f8895a0bd2e7a28bac7f2fa64bb22363

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPBDD3.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

Filesize
298KB

MD5
5fd34a21f44ccbeda1bf502aa162a96a

SHA1
1f3b1286c01dea47be5e65cb72956a2355e1ae5e

SHA256
5d88539a1b7be77e11fe33572606c1093c54a80eea8bd3662f2ef5078a35ce01

SHA512
58c3904cd1a06fbd3a432b3b927e189a744282cc105eda6f0d7f406971ccbc942c7403c2dcbb2d042981cf53419ca5e2cf4d9f57175e45cc5c484b0c121bb125

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC18B.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
3d6987fc36386537669f2450761cdd9d

SHA1
7a35de593dce75d1cb6a50c68c96f200a93eb0c9

SHA256
34c0302fcf7d2237f914aaa484b24f5a222745f21f5b5806b9c519538665d9cb

SHA512
1d74371f0b6c68ead18b083c08b7e44fcaf930a16e0641ad6cd8d8defb4bde838377741e5b827f7f05d4f0ad4550b509ba6dff787f51fc6830d8f2c88dbf0e11

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC497.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

Filesize
58KB

MD5
a8b651d9ae89d5e790ab8357edebbffe

SHA1
500cff2ba14e4c86c25c045a51aec8aa6e62d796

SHA256
1c8239c49fb10c715b52e60afd0e6668592806ef447ad0c52599231f995a95d7

SHA512
b4d87ee520353113bb5cf242a855057627fde9f79b74031ba11d5feee1a371612154940037954cd1e411da0c102f616be72617a583512420fd1fc743541a10ce

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPC755.tmp\Microsoft.Office.Tools.v9.0.dll

Filesize
248KB

MD5
4bbf44ea6ee52d7af8e58ea9c0caa120

SHA1
f7dcafcf850b4081b61ec7d313d7ec35d6ac66d2

SHA256
c89c478c2d7134cd28b3d28d4216ad6aa41de3edd9d87a227ec19cf1cbf3fb08

SHA512
c82356750a03bd6f92f03c67acdd5e1085fbd70533a8b314ae54676f37762d9ca5fa91574529b147d3e1c983bf042106b75f41206f5ddc37094a5e1c327c0fd3

Download Submit
\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPCA03.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll

Filesize
87KB

MD5
ed5c3f3402e320a8b4c6a33245a687d1

SHA1
4da11c966616583a817e98f7ee6fce6cde381dae

SHA256
b58d8890d884e60af0124555472e23dee55905e678ec9506a3fbe00fffab0a88

SHA512
d664b1f9f37c50d0e730a25ff7b79618f1ca99a0f1df0b32a4c82c95b2d15b6ef04ce5560db7407c6c3d2dff70514dac77cb0598f6d32b25362ae83fedb2bc2a

Download Submit
memory/380-422-0x0000000002F90000-0x0000000002F9C000-memory.dmp

Filesize
48KB

Download
memory/380-424-0x000000001C540000-0x000000001C554000-memory.dmp

Filesize
80KB

Download
memory/380-419-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/380-423-0x000000001C490000-0x000000001C49C000-memory.dmp

Filesize
48KB

Download
memory/380-437-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/380-428-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/380-429-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/536-492-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/536-484-0x0000000000990000-0x00000000009A6000-memory.dmp

Filesize
88KB

Download
memory/556-364-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/556-361-0x000000001C540000-0x000000001C55E000-memory.dmp

Filesize
120KB

Download
memory/556-357-0x00000000007C0000-0x00000000007D8000-memory.dmp

Filesize
96KB

Download
memory/556-359-0x0000000002FA0000-0x0000000002FAE000-memory.dmp

Filesize
56KB

Download
memory/556-360-0x000000001C520000-0x000000001C53A000-memory.dmp

Filesize
104KB

Download
memory/556-352-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/620-198-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/620-167-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/912-335-0x0000000002F80000-0x0000000002F8C000-memory.dmp

Filesize
48KB

Download
memory/912-336-0x0000000003150000-0x0000000003198000-memory.dmp

Filesize
288KB

Download
memory/912-341-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/912-342-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/912-351-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/912-337-0x0000000002F90000-0x0000000002FA6000-memory.dmp

Filesize
88KB

Download
memory/912-334-0x00000000008C0000-0x00000000008CE000-memory.dmp

Filesize
56KB

Download
memory/912-331-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1052-91-0x0000000140000000-0x000000014041A000-memory.dmp

Filesize
4.1MB

Download
memory/1052-182-0x0000000140000000-0x000000014041A000-memory.dmp

Filesize
4.1MB

Download
memory/1492-444-0x0000000000970000-0x000000000098A000-memory.dmp

Filesize
104KB

Download
memory/1492-458-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1492-445-0x0000000000990000-0x00000000009A6000-memory.dmp

Filesize
88KB

Download
memory/1492-449-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/1492-441-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1492-450-0x000000001CCE0000-0x000000001CCFA000-memory.dmp

Filesize
104KB

Download
memory/1512-199-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1512-197-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1600-405-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/1600-414-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1600-400-0x000000001C540000-0x000000001C550000-memory.dmp

Filesize
64KB

Download
memory/1600-404-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/1600-396-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/1600-397-0x000000001C490000-0x000000001C49C000-memory.dmp

Filesize
48KB

Download
memory/1600-398-0x000000001C4A0000-0x000000001C4AE000-memory.dmp

Filesize
56KB

Download
memory/1600-399-0x000000001C4B0000-0x000000001C4C6000-memory.dmp

Filesize
88KB

Download
memory/1600-393-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1616-460-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download
memory/1616-462-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1660-321-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1796-394-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1796-391-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/1796-389-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1796-388-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2068-56-0x0000000010000000-0x0000000010257000-memory.dmp

Filesize
2.3MB

Download
memory/2068-22-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2068-21-0x0000000010000000-0x0000000010257000-memory.dmp

Filesize
2.3MB

Download
memory/2088-326-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/2088-328-0x00000000030B0000-0x00000000030F8000-memory.dmp

Filesize
288KB

Download
memory/2088-332-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2088-329-0x0000000003100000-0x0000000003116000-memory.dmp

Filesize
88KB

Download
memory/2088-327-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2196-323-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2196-320-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2344-325-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2348-55-0x0000000010000000-0x000000001028A000-memory.dmp

Filesize
2.5MB

Download
memory/2348-36-0x0000000010000000-0x000000001028A000-memory.dmp

Filesize
2.5MB

Download
memory/2348-35-0x0000000010000000-0x000000001028A000-memory.dmp

Filesize
2.5MB

Download
memory/2416-442-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2416-438-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2416-439-0x00000000008C0000-0x00000000008DA000-memory.dmp

Filesize
104KB

Download
memory/2508-367-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download
memory/2508-366-0x00000000005A0000-0x00000000005B8000-memory.dmp

Filesize
96KB

Download
memory/2508-387-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2508-368-0x0000000000840000-0x0000000000856000-memory.dmp

Filesize
88KB

Download
memory/2508-369-0x0000000003040000-0x000000000305A000-memory.dmp

Filesize
104KB

Download
memory/2508-378-0x000000001D1C0000-0x000000001D1D8000-memory.dmp

Filesize
96KB

Download
memory/2508-377-0x000000001D1C0000-0x000000001D1D8000-memory.dmp

Filesize
96KB

Download
memory/2508-363-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2508-370-0x0000000003060000-0x000000000307E000-memory.dmp

Filesize
120KB

Download
memory/2572-166-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2572-62-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2572-64-0x0000000140001000-0x0000000140003000-memory.dmp

Filesize
8KB

Download
memory/2636-2-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/2636-0-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/2636-1-0x0000000000407000-0x0000000000408000-memory.dmp

Filesize
4KB

Download
memory/2736-415-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2736-416-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2736-420-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2736-417-0x000000001C530000-0x000000001C544000-memory.dmp

Filesize
80KB

Download
memory/2740-481-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2740-476-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2800-475-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/2800-467-0x0000000003100000-0x000000000310E000-memory.dmp

Filesize
56KB

Download
memory/2800-464-0x00000000007C0000-0x00000000007CE000-memory.dmp

Filesize
56KB

Download
memory/3048-50-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/3048-49-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/3048-161-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/3048-162-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download