expiro | 9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2025, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
Size

610KB
MD5

0972faadc9af1807c3e66cb01aef5c76
SHA1

4e1cb9444397bf64f8c8118104e3573b63b703fd
SHA256

9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb
SHA512

a7000602df6358ddfaf7c67166010e0d98f80dd3957188baee624ace4eeea1ed1eda1e296ee8ceaf0e61b1bbdec3f157c89cf621e2e137941468e2eddb359e25
SSDEEP

12288:BPrneXCtwpxa5ICfznTODkiRrZ3VpWCDy7Frd34:BPr4CmpxayCfznTkhVpN6rdo

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/memory/552-2-0x0000000000400000-0x0000000000656000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 5 IoCs

pid	Process
3692	elevation_service.exe
2500	elevation_service.exe
4912	maintenanceservice.exe
2400	OSE.EXE
1112	ssh-agent.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000\EnableNotifications = "0"	elevation_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000	elevation_service.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	elevation_service.exe
File opened (read-only)	\??\U:	elevation_service.exe
File opened (read-only)	\??\Q:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\U:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\L:	elevation_service.exe
File opened (read-only)	\??\V:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\W:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\H:	elevation_service.exe
File opened (read-only)	\??\M:	elevation_service.exe
File opened (read-only)	\??\E:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\Y:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\Z:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\N:	elevation_service.exe
File opened (read-only)	\??\X:	elevation_service.exe
File opened (read-only)	\??\Y:	elevation_service.exe
File opened (read-only)	\??\P:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\T:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\K:	elevation_service.exe
File opened (read-only)	\??\O:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\S:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\X:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\I:	elevation_service.exe
File opened (read-only)	\??\V:	elevation_service.exe
File opened (read-only)	\??\H:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\L:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\N:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\G:	elevation_service.exe
File opened (read-only)	\??\P:	elevation_service.exe
File opened (read-only)	\??\R:	elevation_service.exe
File opened (read-only)	\??\T:	elevation_service.exe
File opened (read-only)	\??\W:	elevation_service.exe
File opened (read-only)	\??\I:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\M:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\E:	elevation_service.exe
File opened (read-only)	\??\K:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\O:	elevation_service.exe
File opened (read-only)	\??\Z:	elevation_service.exe
File opened (read-only)	\??\J:	elevation_service.exe
File opened (read-only)	\??\S:	elevation_service.exe
File opened (read-only)	\??\G:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\J:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened (read-only)	\??\R:	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\hqmopdcp.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\openssh\dqaoadjf.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	elevation_service.exe
File created	\??\c:\windows\system32\bigjknkh.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\locator.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\SysWOW64\keohnajc.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\vds.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	elevation_service.exe
File created	\??\c:\windows\system32\lndjhikj.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\ekiljbdc.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\pbhcinqe.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\nfllccmg.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\nghkppgl.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ocjenkdj.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\iebqjclg.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\locator.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\iibndipn.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\eqiodbdg.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\7-Zip\ncjookla.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\amhadgcp.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\akaajeom.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jeoonppk.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\7-Zip\afaqkaok.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Java\jdk-1.8\bin\qcogljfn.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\bkmlabqk.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Java\jdk-1.8\bin\elmcbqaa.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\edifekgj.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\knjpmnmh.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File created	C:\Program Files\Java\jdk-1.8\bin\icjaoghm.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\bhlnifll.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\dotnet\gakpqfhp.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Java\jdk-1.8\bin\bklbclai.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Java\jdk-1.8\bin\qqlagjep.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dmkcmlkj.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kfefgkli.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cgakfigd.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\jqhpbaho.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Internet Explorer\dlgmfona.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\nnknaeep.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Java\jdk-1.8\bin\feqkbkgm.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Java\jdk-1.8\bin\clkaboje.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\nklemblo.tmp	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	elevation_service.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe
3692	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	552	9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
Token: SeTakeOwnershipPrivilege	3692	elevation_service.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	elevation_service.exe

C:\Users\Admin\AppData\Local\Temp\9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe
"C:\Users\Admin\AppData\Local\Temp\9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3692

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2500

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4912

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2400

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
47532c55887e9b8d5019eafa956d8525

SHA1
dce2ea962dacf6247f1e342771bce48e7afb3f82

SHA256
f3a757159daf1ced8fe981761cff19b3a1a07b00b091e25f118a822de3275dae

SHA512
5f4e4af83e39d7769b720720a61274fd44ae01e60cfdcb23069fc9285f8d5ef6d04c8a51b118062a56b669760aeddde2efaf26c9d0e0e2f62e8ba2ec61022d54

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
777KB

MD5
3da6a393c46f432e64ffe0fc642a838b

SHA1
65ac6102cd8ae89a34559156b8103d8e00d6e8e7

SHA256
b239c6edb15f9c3121e9b97a9649e8c0088d34fb8c0ec1b4f265fc074a70f8b8

SHA512
e4f17ad52f0c29ebfdb5ddce8e65755f56064fc6b754f66aa789be0d56f47196407637036367bd92e03040f841d74d3beab4d5abdaa54de0becff64bf3d5eced

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
95db16c85b0bb6718bf9569df8969f09

SHA1
e1592fe7bd1682a01b36bbfd3c7d71a4a3cb42df

SHA256
89ab1ec0e7a4015d2eb3db6947c3eb5fe2322e6bfda9e1ea5e3eccde04598fba

SHA512
314670aced7815379e74b02df75187638a9b577064b17d7da6e89a627a3257083d0a9525b73478a70767e9419e3692ce125baeadcdd35d77db162637c0a28401

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
2d13e583ea7ad2c9c7a30eec2d633404

SHA1
d37163075c3201a08ebf9b3843b58c92700ca949

SHA256
0d9d2b9c743e520d4395841d4c490946d37099f0ffda7c8b3c74c4e39bfff134

SHA512
0ffb60d2a1f031483d47c1ea2db1d98047e577d0364f59e88b641296267c47756f3e4c6d42dcdf91f4b9cf01abb6497d6d9ee8880d1e9b9a35ad25e296244a8e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6c0a7d0ea3efa25db93a916e2e530ecc

SHA1
f86d5f1cc9ce322795796a682ef13135a20f746f

SHA256
75d2d7f4211a7e35a14a2dcdfbf87e711e1ec570299d1e901c72382c6ef7a7dd

SHA512
ce7ecf25ce100e158783c8a2e80a3318ea7158d6d478d5e2dc7fc4ae0264e8f55db51460ca771066939117c0554c6b388c39e8f5a92d77b099006862ee504606

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
828KB

MD5
68b81589c4cc2d03122ecdfb435cca16

SHA1
fd4b8ad91dfa99237ca6dc5da5176ddc309e8f25

SHA256
c241f9f552c8d28407ba20026ce2f069228bc14682a97400774bde2dd8b5d652

SHA512
5ce478bf04531876d743693d57a4166b536cae97fc13235d1671d9de9abad5820648f0c3fe4d84d597bcbcc6094f94a410dfcafa6791a60ec8eb00f495d15496

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1f3d7a5ddf6726d606598c67c0778755

SHA1
8c9aa542337b9cd54493f67d516b095931b6c341

SHA256
d23d8d7243f32c9e46b4ee2a5ef4f5303781c00a1dd255051a4ae14e0b1b06bb

SHA512
ce340f3e8ed4521e61645c17a5f1c5cecb5a77e4ccf6220d2e4f6af304e67371c9376e94e997348518a950250d41df17b85ed1b194d4bc053c5aa44214f52872

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
898KB

MD5
80383b876ef1f10c6485202ae553a77d

SHA1
cf16c2743f12c48c86f3ed02e867395370e07e78

SHA256
2599dec6f8c6ae26a717615915edb0b18b164f02899b5806bc82bebc882a2d1c

SHA512
a5a16a7ffe79140693dbd43d22bbd5269c0b6bcc6bf26c278631da5af0ccd7543dc141b99f5a0f9f2d140553ac2949cbc4afdc177e5547f9dba3164e584bbe94

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0bbe23f9f76d64a9edb02ecc8f394e7f

SHA1
2980d4a3acf209fe2a3883065aaea06b862d0c41

SHA256
df2bba1b82e48a972945a69fadcd7681e6853f83c395f2166823349b4c458be6

SHA512
f1d1acbab4c0ff35b3fc36039c3ab70c80b121d61099db03219e208f9b84c5f3ac6098db337f7d3ea646502fbbfa58810ad25282f2bcd6161a1aff97fdfdb054

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
075454723cc43feb778729bfaf7d18f2

SHA1
6f9649a114bd5c59b219f5877ccb16b9a70df2a1

SHA256
d232ea9881898308be16d9bfae39a7ad6bae3a42902e2ce7dce9c97972da1968

SHA512
3899c2f592f4e72d72221d9cddb9216bc834233c7af2ef5659372b33ba898a526deb04b7d6cb9a2894d667a386fa9e62ae44c7671362d7229442b6cabc294017

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
793KB

MD5
aa4d14f92c1064797142beacb879fe9d

SHA1
6e9f8329d4d9b44e09e6c588c8332eb0c2e9e348

SHA256
40410e57076306cced13a7c2664bfead17cc24c60ac2aec6c6afe28f9f1c13c2

SHA512
896911d2837d1e22a673a7a67c7d3ed4f366776c2a146353e06a882b68a36f98bb66e97b59a458c951ed35873c69515d5f6ad1dc6d2761e74baa5e35b4a7e731

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\cpkcoelj.tmp

Filesize
4.6MB

MD5
5d0d72c1705d8529937dc515a5cd98eb

SHA1
2e8483246a7bb3f1982abaa023fdfa914d7362b9

SHA256
e30b10abfa9a671ae056f05288f2c85a04f8d2b4db7a3cb54b4656e6a07c12d4

SHA512
ea406e6023146892db8796547f9324b858d78b38fe0ac91cb77427fd10ace6f935d9b30af26e922e27b0f227bc0660346fe5112c3345d761016a78da847e60d0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
f6475926f0ea2552d225cd04fd5de528

SHA1
65d86c206c056c16f9fb3bba8c53e8b6cb3e417d

SHA256
ad50f022f35e0413a583ea5340e94338cc8d05e75bd412f72dc0107e5832c781

SHA512
e4492c3230b6f9384b9fdc6bfa895f664a75b096e37dd0139644b6c9bb263f5dc0f58fe1fb8896e4f8235ad8016f75af7edb1e17c4a2b051feba93016e1d219c

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
a1db2afb0db50fc8a458d1a7743e3d52

SHA1
2a2514ac1c3abeecbd4adc6933ad9c1e3890be8d

SHA256
baa4e171d76f7416d6b69917775ac861cf20c14a1189bd79a824fa5b99f88f82

SHA512
18bc45e2dbc801a67b14dcfcabb39cc10f0ae0d046a8a639e8a9736a58bb4e938d65d79b377ff9029e50cb0ef989e236b78df72ce0ec498000c8654066d6b19a

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
978KB

MD5
8e894db0d9978e886ba325bb26d13dc5

SHA1
1f0aa8f86b31cc93aa9c4c6d75e1fd29b51c0ed7

SHA256
35a7d9d4f7e1514db1d3179281e4f9bb92a0d7f0bf93fd0dea107b49b2bdcdf6

SHA512
0ed9a7f8382b7fc04f864c1abb969dcf9cfec84eaf3e06f83c6f7c3ef674a6de33d2330065954b12f2ebac1db5c95053cd2e2548b77ba7d156b2d43e527c2749

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
928KB

MD5
c14dc28c75ef98adcf723cb7e52d094d

SHA1
6a03806badf66afbbed9b4e40e25cd4485ec39b7

SHA256
8c5f7458f694502a57ddc8bb2769a25884e62ad4666bd23444c14b3115a75aab

SHA512
53fcc8b77a07c771f628dbdfd4db8e051f4be93cb39580bf76c859eb967b9b3b1385a80b7d7c02df6b84efbcbfb90ffb89e68f4c5ed4792deeec39920ce9f281

Download Submit
C:\Windows\System32\hqmopdcp.tmp

Filesize
1.3MB

MD5
c7d91b5ce83d5b8ca23edcfa637e322c

SHA1
800268b7009384fea3375aab81fe4b9ea66d6afa

SHA256
9e3ea15cb2c00163ccc22eeea7dfc1c1e4e373ada19e5424b156ed8e06680377

SHA512
8355ea3f7384daecd3f51d622dec4a1e4ca2e9f7ec399832bf9dcdf4bdd641a9775a90cb969ad73351020938413a6f9bb42eca7d842fd878036040c5c9c42451

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
1.5MB

MD5
3e03a104831c4302e2e15e710fd2faba

SHA1
0372f795ea4f417e65afab7eff2cbdd8942be054

SHA256
3a02f69a598ec0a3987d6ce87e2dbe964c28e6e625b9c6fc6415b64768a29ae0

SHA512
9397a3ad8509a12126eaf9e24af2f7e45b31d947dee56981ee7b0c7521f8ece89e934262c2976e130c740e4ddfb76f7ef0c8f98e4f269c174e76e69bb0df0599

Download Submit
\??\c:\windows\system32\Agentservice.exe

Filesize
1.7MB

MD5
f6bffd30decea42a0badb319f2061576

SHA1
a436dc65fb0b9164d7949f8b8bd3370d456a066c

SHA256
3afeda33aafe5ce1e610ccc4e1072e45870da772d0705427b6c2e9ce414d0c06

SHA512
380f6ee9f84cf19f01a1694167876e635f7e7d2c4fdff4067923be1252788473e65d07c7a0f3fc3c4bbf7fff1efe75d9d21c9b1abb0bd08b763458fd9104155c

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
94b975f12e164ac54ab4763167d4ef55

SHA1
fd52595f43bbae757b73acc3f353fe694b0e27cf

SHA256
93319e17d6c1e3343dd0ef1a2496b3139dfc69bfcad9b9a1ccf01d9a1048f507

SHA512
3c8c63956042c7ebee5953d510bf4de32fd471faa8b00b1c4cb1ebc14e472d2c9ce5ce68df265e2a29f19085e776a68ccf2545c3eb6535db70125eaf02c00aa5

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
700KB

MD5
152947c0df139d3b57ce0c6d3d1a716a

SHA1
8b48d07587f5451747525e6066c3b9c6dfae29c0

SHA256
e28274dd3cee44af1043405b674168174c47172fad1fbec3741266035b8932ca

SHA512
3e9db5789480191e465109927dd7a48175c5438e71437f9383942cb2b82092a238f2a1e98451f11a91a5f900671bb47facc24ac667ba1eb8b14bbca36fd66b16

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
623KB

MD5
df4ae91c2c56a12b4ff0b9307238fffd

SHA1
917338f36d84ec0ab6813c1198f932cbf1db0dd6

SHA256
a4cff365449aff1bafdf003f43a75572dc355b3fb11b4c7035b94b1798392192

SHA512
4861de430848946e3977f7767627dfc08306414e2bf36fa9683a7a472090ccb158744c2ed6b5609e0ae1c4df42aa10e5afe2bcdfe596880696a2675ee39d9ab4

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
572KB

MD5
d58da585cbabf1fdadd5e0a697460c92

SHA1
46e5ffab42d82fe6caa9ce088312f71155160d82

SHA256
16f909725c56638289303794dba919e46c373b495cd0608cdf53c9c98b1ae62a

SHA512
0df341b208231dcc24929d52543d47b7cd5f2721074bf0d27c745d88bb9b9714f2756ad7d3e284a657211de66854eebd1678d911bc96f9c805e476d62ca0ef35

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.1MB

MD5
3a5e856b37b0e0f3a1489fb7042e60bf

SHA1
b1f062548c193e327d977676ff4292673156298e

SHA256
e272e959ec5bc95730b3afdfc2e94e450bc029a8d340fffb371a30d74ec6fe35

SHA512
94dcfa582f8b6cc540177b9d45f68d200babed65280d2b0e745edf15a1108fe4c4a8cfc9ab05f7a1cebe001c7531c4cdaca756b3ef6fe08311ae58f0a8ed6f2a

Download Submit
memory/552-2-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/552-0-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/552-1-0x0000000000407000-0x0000000000408000-memory.dmp

Filesize
4KB

Download
memory/1112-169-0x0000000140000000-0x00000001402E5000-memory.dmp

Filesize
2.9MB

Download
memory/1112-75-0x0000000140000000-0x00000001402E5000-memory.dmp

Filesize
2.9MB

Download
memory/2400-152-0x0000000140000000-0x00000001402B2000-memory.dmp

Filesize
2.7MB

Download
memory/2400-62-0x0000000140000000-0x00000001402B2000-memory.dmp

Filesize
2.7MB

Download
memory/2400-168-0x0000000140000000-0x00000001402B2000-memory.dmp

Filesize
2.7MB

Download
memory/2400-61-0x0000000140000000-0x00000001402B2000-memory.dmp

Filesize
2.7MB

Download
memory/2500-29-0x0000000140000000-0x000000014040E000-memory.dmp

Filesize
4.1MB

Download
memory/2500-116-0x0000000140000000-0x000000014040E000-memory.dmp

Filesize
4.1MB

Download
memory/2500-122-0x0000000140000000-0x000000014040E000-memory.dmp

Filesize
4.1MB

Download
memory/2500-28-0x0000000140000000-0x000000014040E000-memory.dmp

Filesize
4.1MB

Download
memory/3692-112-0x0000000140000000-0x0000000140417000-memory.dmp

Filesize
4.1MB

Download
memory/3692-21-0x00000001400B2000-0x00000001400B3000-memory.dmp

Filesize
4KB

Download
memory/3692-20-0x0000000140000000-0x0000000140417000-memory.dmp

Filesize
4.1MB

Download
memory/4912-59-0x0000000140000000-0x00000001402B2000-memory.dmp

Filesize
2.7MB

Download
memory/4912-37-0x0000000140000000-0x00000001402B2000-memory.dmp

Filesize
2.7MB

Download
memory/4912-36-0x0000000140000000-0x00000001402B2000-memory.dmp

Filesize
2.7MB

Download