b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
Size

1.1MB
MD5

62034d055873020490b1abf71d3231a0
SHA1

2b4ff7294dcbca3e3b97debf6106c6eaa57de907
SHA256

b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1
SHA512

8826e8464bbbc1b3481d8fcccc78f326361097d5d9f60ab7a25583a4d6ce5839bcee194b1bc238b837bb2befa571624cb1bafabbd02a6cd39be530cde5c419f9
SSDEEP

12288:2svd+JRdOeyuOI2alz+4RwXMknM6xZ9rUVXT55Lh2EvsULgkAW969bbB3w/:FvkjbOClz++wXMt6xZ9q5Lh2CtuPi

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 8 IoCs

pid	Process
4016	elevation_service.exe
2660	elevation_service.exe
256	maintenanceservice.exe
3740	OSE.EXE
3124	ssh-agent.exe
3856	AgentService.exe
4232	wbengine.exe
4016	TrustedInstaller.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-929662420-1054238289-2961194603-1000	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-929662420-1054238289-2961194603-1000\EnableNotifications = "0"	OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\W:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\F:	OSE.EXE
File opened (read-only)	\??\I:	OSE.EXE
File opened (read-only)	\??\K:	OSE.EXE
File opened (read-only)	\??\H:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\L:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\W:	OSE.EXE
File opened (read-only)	\??\N:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\Q:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\X:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\P:	OSE.EXE
File opened (read-only)	\??\F:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\G:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\U:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\H:	OSE.EXE
File opened (read-only)	\??\N:	OSE.EXE
File opened (read-only)	\??\O:	OSE.EXE
File opened (read-only)	\??\S:	OSE.EXE
File opened (read-only)	\??\M:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\T:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\Z:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\E:	OSE.EXE
File opened (read-only)	\??\G:	OSE.EXE
File opened (read-only)	\??\J:	OSE.EXE
File opened (read-only)	\??\M:	OSE.EXE
File opened (read-only)	\??\Q:	OSE.EXE
File opened (read-only)	\??\R:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\S:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\X:	OSE.EXE
File opened (read-only)	\??\T:	OSE.EXE
File opened (read-only)	\??\V:	OSE.EXE
File opened (read-only)	\??\K:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\L:	OSE.EXE
File opened (read-only)	\??\R:	OSE.EXE
File opened (read-only)	\??\U:	OSE.EXE
File opened (read-only)	\??\Y:	OSE.EXE
File opened (read-only)	\??\Z:	OSE.EXE
File opened (read-only)	\??\E:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\V:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\O:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\Y:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\I:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened (read-only)	\??\J:	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\msdtc.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	\??\c:\windows\system32\hmgikdaj.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\vds.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\dllhost.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\vssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	\??\c:\windows\system32\noeejaih.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	\??\c:\windows\system32\openssh\kjjobmdq.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\lsass.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\dllhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\fxssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\Appvclient.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\locator.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	\??\c:\windows\system32\mklfqebo.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	\??\c:\windows\system32\fmqkppfb.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\iigbpjkk.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\svchost.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	\??\c:\windows\system32\qobhnepk.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\vds.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	\??\c:\windows\SysWOW64\noiagknd.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\alg.exe	OSE.EXE
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	OSE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ighnagcm.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\nimidobm.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\gnciljmn.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	C:\Program Files\Microsoft Office\Office16\ogogbdbj.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\akaajeom.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\hpbanfjo.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\nnknaeep.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\kefbfhkg.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	C:\Program Files\7-Zip\pijiegfa.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\nlfifejp.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\qcogljfn.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\iibndipn.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\loheaimd.tmp	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	OSE.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	OSE.EXE
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	OSE.EXE
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4408	4016	WerFault.exe	84
4628	2660	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE
3740	OSE.EXE

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5108	b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
Token: SeAssignPrimaryTokenPrivilege	3856	AgentService.exe
Token: SeBackupPrivilege	4232	wbengine.exe
Token: SeRestorePrivilege	4232	wbengine.exe
Token: SeSecurityPrivilege	4232	wbengine.exe
Token: SeTakeOwnershipPrivilege	3740	OSE.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	OSE.EXE

C:\Users\Admin\AppData\Local\Temp\b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe
"C:\Users\Admin\AppData\Local\Temp\b92dba50ed58fa0c7637e0ee808086fc694aeac713bfe86caaacf779232574d1.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4016
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4016 -s 392
  2⤵
  - Program crash
  PID:4408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 4016 -ip 4016
1⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2660
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2660 -s 116
  2⤵
  - Program crash
  PID:4628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 2660 -ip 2660
1⤵
PID:1084

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:256

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3740

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3124

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fd77bd46425f2928b7673da45393b3f4

SHA1
bb750397cdbb087424b85f6cdc8c351821ca61b7

SHA256
01d26bc69a35e783157c6ab63c47e07f7e866abcaa616abdd3e7a0723b64408d

SHA512
4de46e3594d21d31b91b1b84b95f2159d371b5227ed758c4f9d99a2407bf270c7b8aeeba923638d796ab7b2c70989eea79239b39c9472cc5c6ba928bd5588a83

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
784KB

MD5
381d48096374fc8338c9ee48a6707a92

SHA1
72b50ca138f753fc92bb015092dbd42e3de58f66

SHA256
e7bf453634b101d9fee63decf592f27f6926fd30c7d0cd6e7e5a8b2ab0dfc34a

SHA512
94cf73acd2002d63c3d5b7b93212915396d25bec28a5c6780190d881e07b09f8e0d73059656aaab41ad7cf1cf82aa676e9703938f2ed37b4b546819815907ecd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1014KB

MD5
ee17a9211ec17812f3b9dbea9ec8710e

SHA1
555d568eb8999766d466793a25e468c5124cf4d3

SHA256
d17bf33e6d652318ddc0f821d9576139251a83418f8b36529cccb904361c1278

SHA512
3ee0bf604bf43848b044728f49586c7e03c608522b7df7e4e4262e6a91601c251e29592d38fd763132767bba98cf68f9332845d3c3903539a31ed64b02bac095

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
9cf4c779138274ef317f3f342c7eb2cf

SHA1
0f594c3b300a64bad5280854ba4355fb71cb1a3f

SHA256
8846117193a8bb73c2aac32bb4a5371924a957f93f216a0a9754e6cc071bb233

SHA512
13673fb1ab7ac101965b40793a42512c67aac9813c7c93530a4adbb18b703083d01eb19019cb198c2ebf5730550c7ef0c867a974c1751a68027ccdaa1c16e78a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
d269e8fa12557254bbb7bdc0cd207ac5

SHA1
4b5d97b66f88e5d77e9a0297d2ad2ec1b88f77d2

SHA256
b5018a64ad88ce44f61252c3a8a4baf915dfc231d40e48a677f53bd98d445ac6

SHA512
28deed02e87e3586bf61f7ed8ba43d868181e5cf01dc92316db6bda797b53f50c8dfe67196f5fcc2a1d65d2020580d7e52f16b745273e440196f4024c03a129f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
571KB

MD5
a34e7036cbb179d5da4a7aa051ed1e2f

SHA1
5ad0d9ec3401cf5b389b506101611afee5ecf270

SHA256
09cf4e9a396f4c9636683a7bd83390a39b2f54e5e83502caa7a3298d058a88b5

SHA512
0c1beeac94ef1f1f491711d62e585f19ce58aed24d0ec418dc68a19bd8789d751c157bdd3f0350a09b1664f6da8f48a24f4879d4857ccf6cc1095633369b4aea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
832KB

MD5
c8605f7d6a67f58babba164f5d6697d1

SHA1
b1508798a7f72786c9e6245a553312550cc9aa3a

SHA256
b583da083a2086a4a72348f721225e33acb24e3d996a01f07ab4fd765d0256ea

SHA512
cf5ec77762af617ab9c8f941796a69c378af06c9d9f1c473b44465365288d46d15b892b23124df42efc9343c1c97ea64fb5f046f7668aa49e985a3f3af575209

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1c3a94172bd2d9ac7b59250b2ae5ecc8

SHA1
65f7fdee00dc4edec1be16c0c27f7d3d631e9742

SHA256
0ed084905eebd58432f6ac4b02b4d9bf908e5013f7caa7a81e1447f241e26fb3

SHA512
a7ef6302ae815ecc62187f196ca65418e28dca1a1a4932849de195329ac5d8ffc6ef0dbbbeb609fdca7de21896bfb0c530581a82a0dc48a94162838570065145

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
898KB

MD5
9a6bb34fac9b43afe7b221dff564f61a

SHA1
039002a2cdc0e448f9018042ca8674ea98aad992

SHA256
5606554ce948432a5f0f4891145d0b8cc5fbce125579977a82c123e4bb359ca9

SHA512
38fd75025d120eb0ccb8ac2d23a3633e1205576de55fc2fae15bf7ff27ce8b15b93052a245710ebcbda2c1f79dd7f608214f279869747e0dba2ff6282b1be7f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fc2a6774ac6783adb8df29d4a89eb6ba

SHA1
53ac57b9e70c4bb5a00b92c146947a38e2100ffa

SHA256
738b74787c3b7d3f9ae2424609fc8f7869eb86d263a4a06d90868983844225b1

SHA512
2cfdd96fda700df9e092c8ae3b5bb3a1e749049b90bb327e8e0f07defddb5ed529645d935c252451613f193aa2925f56a922702a9a5bbe5c5077ff5d1224f82f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
649e66a90490738b14cae07557c64e69

SHA1
cb10a5ad0c0154af6403665522308828e4209804

SHA256
99f14b95f1b1ca9a4386c965718c9d4f6bf42219c4a251c69d0811798fdd9baf

SHA512
6c6d4eafff69e433739ff5540c986eeb32de78a3feff203bdbd88d4ff7717b23fe861970286b3253831b8b49d2918ecea5964b599217c8b5b06a996608696e7b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
797KB

MD5
339adee3473c085bea161e549f67b75d

SHA1
c7f3d9a13427b2a30a538e7de84e3d1880c0a1f9

SHA256
d603580cb6e4596868ba260f6a4ecea53e506f370fdd4933aaac226a36cc18e4

SHA512
e698e412bb097ae2989e23b019ace1069927a912c7ff345029556b3ce858952517bd29ce65b9e174b737c55812d7861ed7c8d79b79939f6fab94aae49f313185

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
c9d3e7df576374f4ea7fb00eb881b0a4

SHA1
5a951ec9cbe8a341533c9436a7bcb768d7bdc896

SHA256
aa2d5235a36ec8e546eb8b6c7cff92acafa0d79b242aba394ba9f23bfd58329f

SHA512
ee1f236af6ff0d0c12e536ab2cc0dc409ff80d3c9ac970dc27b49e7dd636aaf9f9bcb19d4794affc83132021b4dcf1d913c14e2c9ae604ae8cf99d3dc0056eb9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
90256d883228dacd011956cae29738e9

SHA1
892cd105d5bb5f0f9f694b38a3d51d9ee2367a06

SHA256
933b04152f8967ae0c686fff5284f8bc641229dd81fdd81c171796d8ea0c22a2

SHA512
54ed636e87717a63679a3856b63c21d1fa17047b34f4ea0c8866fc4e013bc34711c7935fd87ee065634877bf74af0efc476fe215a6b3203cac0a52173bfb6fb5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
928KB

MD5
69401a6ad483d0b4bb9fafbab479d4c8

SHA1
7815fd1d714addad08083993c39f2f55281b95c3

SHA256
51719ce93a573114fd66d52ac6ebf495df04fdd227221fb75eba38f258514715

SHA512
24235735230b259f1fa5cdc022af9d951c120f8acf38b57332b6b0751da06fc3598083b8498e03511580efab8cadf5e5af23801d67ba88cc950b4a87f32b0f28

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
928KB

MD5
69401a6ad483d0b4bb9fafbab479d4c8

SHA1
7815fd1d714addad08083993c39f2f55281b95c3

SHA256
51719ce93a573114fd66d52ac6ebf495df04fdd227221fb75eba38f258514715

SHA512
24235735230b259f1fa5cdc022af9d951c120f8acf38b57332b6b0751da06fc3598083b8498e03511580efab8cadf5e5af23801d67ba88cc950b4a87f32b0f28

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a9a8d6d7f23718a410891d7a4a2b3649

SHA1
8d7f7705f1bd7694bdbaf191f2b4f67cbe63aaac

SHA256
96aaeeb5f732695cc56d7670bab084eb872e3f5a993fbf9e3a2ffd3d4883ab8f

SHA512
18d9b93fdaa8b4d04ee5e5b9b22c2064d3d2bdc45aae200adf537e0ca8e208be86d0a166eaf1266a4e454cb69f065a0594b6ec5dd03795ba1d15937b96dabc4a

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
57c7609e02b6e97efda8d6d1cf8225b2

SHA1
c635f88590df5eb76bffaf8dc43df135a3d7fac1

SHA256
67ee7d615e1ecfe0e9a9f43dc3accc97fdecf9d57f2cbe3bf8848df2607c1c04

SHA512
277b7506ff2b2d300562a58855c06b857be23f94ad2544746a64dcbbee43990ecc5137619654c3f82952c0b3a7caa7d3b13e9eb0e92f5638d3554fba26a2492f

Download Submit
\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fd77bd46425f2928b7673da45393b3f4

SHA1
bb750397cdbb087424b85f6cdc8c351821ca61b7

SHA256
01d26bc69a35e783157c6ab63c47e07f7e866abcaa616abdd3e7a0723b64408d

SHA512
4de46e3594d21d31b91b1b84b95f2159d371b5227ed758c4f9d99a2407bf270c7b8aeeba923638d796ab7b2c70989eea79239b39c9472cc5c6ba928bd5588a83

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
784KB

MD5
381d48096374fc8338c9ee48a6707a92

SHA1
72b50ca138f753fc92bb015092dbd42e3de58f66

SHA256
e7bf453634b101d9fee63decf592f27f6926fd30c7d0cd6e7e5a8b2ab0dfc34a

SHA512
94cf73acd2002d63c3d5b7b93212915396d25bec28a5c6780190d881e07b09f8e0d73059656aaab41ad7cf1cf82aa676e9703938f2ed37b4b546819815907ecd

Download Submit
\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
c9d3e7df576374f4ea7fb00eb881b0a4

SHA1
5a951ec9cbe8a341533c9436a7bcb768d7bdc896

SHA256
aa2d5235a36ec8e546eb8b6c7cff92acafa0d79b242aba394ba9f23bfd58329f

SHA512
ee1f236af6ff0d0c12e536ab2cc0dc409ff80d3c9ac970dc27b49e7dd636aaf9f9bcb19d4794affc83132021b4dcf1d913c14e2c9ae604ae8cf99d3dc0056eb9

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
1.5MB

MD5
baecd2315423ea039aaec2414ff7ebed

SHA1
707a15beb540d31dde2101d2170b9b47f5b8b3e1

SHA256
b40c4b4576c0c0fd283ea124b7b0ac1066482201776830f5fdceff58b782e7c1

SHA512
539f5d14a6983efd050125c3b59156351e49b13a2a4ba3606908f7a74061e01ac60d8507f15efbeb47cf7d2727ce469fdd3eb076e8cbcf83b9934f2082f6109f

Download Submit
\??\c:\windows\system32\Agentservice.exe

Filesize
1.7MB

MD5
90256d883228dacd011956cae29738e9

SHA1
892cd105d5bb5f0f9f694b38a3d51d9ee2367a06

SHA256
933b04152f8967ae0c686fff5284f8bc641229dd81fdd81c171796d8ea0c22a2

SHA512
54ed636e87717a63679a3856b63c21d1fa17047b34f4ea0c8866fc4e013bc34711c7935fd87ee065634877bf74af0efc476fe215a6b3203cac0a52173bfb6fb5

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.3MB

MD5
bfc43aa7c3d566cd87dd962e235cf755

SHA1
c32900c21edbf6ed1d14579cb920038ccc9113d7

SHA256
46eeba49daacb15cd566dfc9ee2943a9baf613c85963ad57702df7b8def7d166

SHA512
255489243a7ad27d6b41ca7930d97796b86120835f54864b7447b2780339dc33e198331fec6e97579858661579a74f642b04a4f317954e06de5d1f96c580d548

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
48e8467aa8e32529e3f0e16b0ee0273c

SHA1
6d8f30d75b18c7ad7fa2c01287f8c096ccb896e4

SHA256
d25272285fbf7012dd51b1b1c594de04eb96e74affba30911f26cd3cdc8f511a

SHA512
dfa941961b4a2f5130e70ebe953a95df5c9e62746caeced4fbfaacd80fd06e38338f5290f66a54aa7fe972bcc175e66eb7aae4559a90cef74817fceecef1cf97

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
700KB

MD5
04c560d9789915c4d112f2e63caaefff

SHA1
a7d84e38351812b44df98f5e6ebc07841b941527

SHA256
ebaf83b039785b4f04f734735d4ea119492f93f8f8a4fc47c8fe30942cc3cd8f

SHA512
62072f65a4a7d86ae773934fb238e3cb5107ca7eabeef73e4cdaf99c0eb13c6f6e732bb109c636c842eaad4b3f4d69cd7ccea94770dc8279225fba90bdbe8717

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
623KB

MD5
b41f78ce5e43b89ae4b411816f53abc3

SHA1
07f0a4aa6bd3e67649de5257094da1d51e9d8f25

SHA256
726100d4c903ca3fe799875577728c512dc31a22a70aee955ccaffc0221442d6

SHA512
3a700b2d7f62670355025397d70385b9860a75c325fcf9a5b97ea124da02afca2e45f83478afe4d0911fd202d18253aa250cd3379aa0a4f93031403b28b5c4b0

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
572KB

MD5
9afac93c2e6efa7c0210a074e7de4ddf

SHA1
e2cf6c1f3aac5d9bdf5d3bfce8f80978bb6e6efe

SHA256
7f1991cab32d7f6fb1e12499d1c8642509e7f0bdc809f79ed4a3e11869403fff

SHA512
467027bf266e7420c03d3f94549215bd0ec6125cde507bb41d5d84a0f8839fe120f0221dacf37b38d240b0dbfecb649359b8a2019d325ec30dcf5bb107b43298

Download Submit
memory/256-141-0x0000000140000000-0x0000000140228000-memory.dmp

Filesize
2.2MB

Download
memory/2660-138-0x0000000140000000-0x0000000140385000-memory.dmp

Filesize
3.5MB

Download
memory/2660-139-0x0000000140000000-0x0000000140385000-memory.dmp

Filesize
3.5MB

Download
memory/3124-147-0x0000000140000000-0x000000014025B000-memory.dmp

Filesize
2.4MB

Download
memory/3124-163-0x0000000140000000-0x000000014025B000-memory.dmp

Filesize
2.4MB

Download
memory/3740-161-0x0000000140000000-0x0000000140229000-memory.dmp

Filesize
2.2MB

Download
memory/3740-143-0x0000000140000000-0x0000000140229000-memory.dmp

Filesize
2.2MB

Download
memory/3856-149-0x0000000140000000-0x0000000140319000-memory.dmp

Filesize
3.1MB

Download
memory/3856-148-0x0000000140000000-0x0000000140319000-memory.dmp

Filesize
3.1MB

Download
memory/4016-136-0x0000000140000000-0x0000000140368000-memory.dmp

Filesize
3.4MB

Download
memory/4016-135-0x0000000140000000-0x0000000140368000-memory.dmp

Filesize
3.4MB

Download
memory/4232-151-0x0000000140000000-0x000000014036F000-memory.dmp

Filesize
3.4MB

Download
memory/4232-164-0x0000000140000000-0x000000014036F000-memory.dmp

Filesize
3.4MB

Download
memory/5108-132-0x0000000001000000-0x0000000001244000-memory.dmp

Filesize
2.3MB

Download
memory/5108-133-0x0000000001000000-0x0000000001244000-memory.dmp

Filesize
2.3MB

Download