d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d

Analysis

max time kernel
187s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
Size

656KB
MD5

584a78233a7a25afcff64c131e8a92f0
SHA1

7f487305bc3f83f4348ba4cdb85e07ff20ee52a0
SHA256

d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d
SHA512

eb2d7fd65c3781dd63434152e3b0a7d99f45acce03150ea3dcf3e3dbcdd97c0c3a0fc13e2d3ebef1b23a06343acc63a8d131020410c3b9fa2e2dbcb2c50b25c6
SSDEEP

12288:Zg+VMI/O4to6nVKnbGTzpq+7zkMNTMyRJgkdYLCjxbPginXynxuqKnJ:Z5Omo6VI6JpRJgkdY2jJIinXWxuqKnJ

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 5 IoCs

pid	Process
3084	elevation_service.exe
2736	elevation_service.exe
2136	maintenanceservice.exe
4948	OSE.EXE
664	ssh-agent.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2629973501-4017243118-3254762364-1000	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2629973501-4017243118-3254762364-1000\EnableNotifications = "0"	elevation_service.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	elevation_service.exe
File opened (read-only)	\??\U:	elevation_service.exe
File opened (read-only)	\??\N:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\S:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\Y:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\F:	elevation_service.exe
File opened (read-only)	\??\I:	elevation_service.exe
File opened (read-only)	\??\L:	elevation_service.exe
File opened (read-only)	\??\Z:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\W:	elevation_service.exe
File opened (read-only)	\??\J:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\Q:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\X:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\J:	elevation_service.exe
File opened (read-only)	\??\N:	elevation_service.exe
File opened (read-only)	\??\Y:	elevation_service.exe
File opened (read-only)	\??\F:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\P:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\R:	elevation_service.exe
File opened (read-only)	\??\S:	elevation_service.exe
File opened (read-only)	\??\V:	elevation_service.exe
File opened (read-only)	\??\X:	elevation_service.exe
File opened (read-only)	\??\G:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\H:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\K:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\M:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\W:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\G:	elevation_service.exe
File opened (read-only)	\??\H:	elevation_service.exe
File opened (read-only)	\??\Z:	elevation_service.exe
File opened (read-only)	\??\E:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\I:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\L:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\O:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\K:	elevation_service.exe
File opened (read-only)	\??\T:	elevation_service.exe
File opened (read-only)	\??\O:	elevation_service.exe
File opened (read-only)	\??\P:	elevation_service.exe
File opened (read-only)	\??\R:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\T:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\U:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\V:	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened (read-only)	\??\E:	elevation_service.exe
File opened (read-only)	\??\M:	elevation_service.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\alg.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\alg.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\locator.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\system32\edmecpgb.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	elevation_service.exe
File created	\??\c:\windows\system32\openssh\cgeflnif.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\mmcchbnf.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\system32\emkohhmo.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\system32\gieehdli.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\donldmhl.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\system32\neqboqpa.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\locator.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\vds.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\SysWOW64\bchkhknk.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\windows\system32\ojqleobp.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\iibndipn.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\eqiodbdg.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\hjagfgcg.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File created	C:\Program Files\Internet Explorer\niqndbei.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\nnknaeep.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\akaajeom.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\gdaoemja.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\poomniif.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\dklkkafp.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	elevation_service.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\onakajab.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\jiianoje.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	elevation_service.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\klonohhl.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\qdeolcdh.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\program files\windows media player\miaadmjc.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\7-Zip\pijiegfa.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\7-Zip\amhadgcp.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\nimidobm.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\7-Zip\afaqkaok.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ighnagcm.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\7-Zip\nklemblo.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\gakpqfhp.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\fbhjigkf.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\jnliglnm.tmp	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	elevation_service.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe
3084	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5036	d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
Token: SeTakeOwnershipPrivilege	3084	elevation_service.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	elevation_service.exe

C:\Users\Admin\AppData\Local\Temp\d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe
"C:\Users\Admin\AppData\Local\Temp\d47ddab01df5261b9c9e35a56e9780e23cb032bdb54ea9a1049ef2e022b8d28d.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2736

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2136

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4ec134581cdc242672a44ba31206efe3

SHA1
a620958b9e129c094b2eb31a34e6a53b874c9cd0

SHA256
9fd4f15fb32224263642d9f8f0c05d5c1b1bd8357ca85e87f123471d01b1cefc

SHA512
50a6e4241e0d2aacd162286774cd4b866a84879fae30c27ade0b4a7cc9296aea5449427d31abe79d24fee2a03aee6e3f9da6dabae0d5b2ab635d24ea02a4cede

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
788KB

MD5
6a3f5506324bc6f14c68420eb370211d

SHA1
444e1236705c2848e927a18461746ea9cbd22622

SHA256
d84f63883c4dc4f7ea2534caabf907da7afa5f12693034b76e5a3dd11cf7c74b

SHA512
8237d28c18d6fb8d06ef4d18ea3a3208147971f21dd78f2296ef5b3eaa83c46c6a67cb627d7d5eb23579b85a22e096957c91ad342233b75b7307e61a2b479ade

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1014KB

MD5
701997035d89e30aac2f3200abb25763

SHA1
2e3c9f636ad52ffc8f676571a6effd5818c3667f

SHA256
52f54f5a5305a7046f3681798f8d1cae2459d760f1b9af076e5d2292a41b0311

SHA512
289d7a8eaed5eecca3a732d4384e2c288e506f56b86b5f11315402cde5a39f183255d5b2617e823041efb9ae150acc9a3d9acf5b5d56599be66bd2130ef86284

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
46c3ddce36b7d81dbae9483983165ced

SHA1
7d86309400cc57cacbd6df3b6d34c93e975756c4

SHA256
4677031dad2bce8b4db20f93adc8576bb1bd32aa3c770e79c9555acf4086ec92

SHA512
08a135ca57c4a585c65f989ff9159926a52c0fa87c9a780e42a4c819231784ecc363ce27db29f303ab8997023ce969c309d9742557c9d3d4842af87f5634639c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
5b017145ecbc72cbd36aed289debfb76

SHA1
848e6c52d6f2051de6134497c07a779900067911

SHA256
9d4e4dafbef419ca0a576deae3aeb06953c380e1853b9fde8f49070f5961f58f

SHA512
567dc4bdea089f5fe1b1e26aeb695f32511bde14f1cbcb636877f3ed841fdbb29bf012e5691ea156c6481eac76561fd598bf822497554981fa68239525929bb9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
571KB

MD5
7421f173fa319a6ea5a8382fc604712a

SHA1
b8ae8f3ec68fde403657eeeb0c538d229376b6d0

SHA256
ac8c142e0f3165cdf48b403f27ca9995fd5b1f39dd621c713264d017d6a66cbc

SHA512
4cf75e1d42bf709dacad9444c2aa69222688be7dc30afcf8bf273aca59db1c56f8735c4bcd1b47e3fc256fec8fe7a7897a5698bf50fbca19ede4c34a56b7b07f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
832KB

MD5
7a16079f2c5636f3ea064dc1e38ad7ca

SHA1
537012d3b598f120c916be8b202a70be27ec203b

SHA256
2dbdcdbf0753635e03c457a3e2d528bae0a3ee0287445d854921713635c6f835

SHA512
593413e344b6d1787cb7ed8eed376bd47e40ab83b6f709a8cbb16a0e6503470d3e14eb12145e0fb038b52adc04ae4fd239a1f7ba9b7e770cf19b6a561a3dc5f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
00c69453ca63fed7bd7f903a8d130627

SHA1
73514e7bfd3363c910e56648013fe69020db3381

SHA256
3fa2911a8bab4e710731251e2069af033a13e0f8564d91e6830ff4337584c121

SHA512
d35100e6ffc164c7ae13c27004682f11a55988b07a6089fa7c4694e23cef919d3c962e7fe7447fb889f44f199b59cdff016f3444709763ef61a7ae64214ea292

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
898KB

MD5
f2889b095dec5367e47fd6dc488eba44

SHA1
02c6b1b453ed998f1532e79c0bcc608805932a9b

SHA256
92bce4d5b8b481f3ac82cdebcbb100d06ff79a5d6e130fdb33a16285df286a7e

SHA512
76789d8f9464a03081040cd87ca3267781d4ad5bed789bcfd483293148c9cf55930fcd87103813bbe522378306b523f0a2fcd3fdf0c67d8d96eb0cd60bc4ac8c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2f4fccd580442c7dea52670d43ca3040

SHA1
971a2da43ec8ab046ef6765cd16cc92656b6b571

SHA256
5fbc5b8c899e272ee1bce28d8ae2394f6f2cd5af88956df72d1b698a2100a8bb

SHA512
64959b40396ae666655340849e1ebf6239c4d528f66276ce58d83b7f27db228f9ee1ee80f71288dc1c2f13b5c5aa406680e77a197a0466f878753ccb8095b661

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2e16b514ed9c06170611b07ceac3b5e9

SHA1
108b4caa273a582ea10889beaae499967074b4c3

SHA256
7cb61e861b35604dc0762fe14288f8f5948d6df69227d1bfaac33bed70154805

SHA512
d4a17ab396399a2e0455dc928a11bf165ca4f57d3ffb12116934b400fe801fef33f334f805ef5280225a42835620937daa5bd28e6cf26081447cf99fadb0174f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
797KB

MD5
7c3670b9a879891635e9675efb43ce0a

SHA1
28e201833b222f4c2ce1dcbe1f58730781162d66

SHA256
142d6f27e13307d616a8eda79c706e79a936fc2048e8a6d4ef2ab825f35b46d9

SHA512
031334cbc02ae0ce2326317fea0f9364db436924a590134163dc8ec857148804143d8e9014e0f5b27a201f11544ba499ebdd698e36855c6e4c00498743299557

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
b93f3455c7893148d300ea5a9362e63f

SHA1
9a888df7e867bbabff361a9b9b7278d922a7db03

SHA256
15849184dd3f0aa9ad9371405674ec4630a2bec399da7de13ee7c131a784c1ae

SHA512
9c9cc033ce19ba4cf447de20ccea8106a078f837d6cbf1d1900fce1fb562969403974ba0e9bbc3fadfa8eb87061b0e196328aff99589aead7d816712a755fa48

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
932KB

MD5
4a121d78793a561d595098fc71c5dcfb

SHA1
d6b6e5514c14f9918686cbf7bd06fce1586cf657

SHA256
5db88e01f11a873ed3f1ebab094266a83baff072fbdd3224f7e0b27fd66b5d2d

SHA512
d7e6b2fdf449d9bd862213288bfc1782081f6fd0a9ec3b11892be628fdd70ada54dde1e2f01135a005e6cb6ec4ec1106579c885fd64f01dff33fbfc2f580797d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
932KB

MD5
4a121d78793a561d595098fc71c5dcfb

SHA1
d6b6e5514c14f9918686cbf7bd06fce1586cf657

SHA256
5db88e01f11a873ed3f1ebab094266a83baff072fbdd3224f7e0b27fd66b5d2d

SHA512
d7e6b2fdf449d9bd862213288bfc1782081f6fd0a9ec3b11892be628fdd70ada54dde1e2f01135a005e6cb6ec4ec1106579c885fd64f01dff33fbfc2f580797d

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
7f710e274a63a6018b6db5f5c6f76309

SHA1
0796e37ce809a1b917b41b6a17d224174adb5885

SHA256
721e5bf0944fb12bb39b30473e2872337ccc11cec7e4d8067d23119bf7bf1cbd

SHA512
e14bd7fcde0780c710fdb88f5d84c180f2cdff9087f91a31e718f35d22425742bd9ca9386727a8911d1da1865cef2197b14722adcc2878f3bd750faec156f942

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
788KB

MD5
6a3f5506324bc6f14c68420eb370211d

SHA1
444e1236705c2848e927a18461746ea9cbd22622

SHA256
d84f63883c4dc4f7ea2534caabf907da7afa5f12693034b76e5a3dd11cf7c74b

SHA512
8237d28c18d6fb8d06ef4d18ea3a3208147971f21dd78f2296ef5b3eaa83c46c6a67cb627d7d5eb23579b85a22e096957c91ad342233b75b7307e61a2b479ade

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
1.5MB

MD5
7db30b4c550520e101dad277e3eb8194

SHA1
4b47ac0f23f51f87f4e47ce1d6e0a43171fb8084

SHA256
2b1386f004a6c0aa7ce0ef97a07ab189b953a9a58b58176aac319b4e3c78c975

SHA512
d8842fb51ac62c182df2d4be027a529eceae53106ca730e10e31b262105991f19344768e6b9dcddabcb73b8d82065486c5006766d2b1c26ebcfe42ddff672ea2

Download Submit
\??\c:\windows\system32\Agentservice.exe

Filesize
1.7MB

MD5
5b03d9211a07252f1e9af85e90b1be76

SHA1
e896b4f463ddd73bc451aca8fc060aa0921eab84

SHA256
43cc624a72cbcd629466d8a0fc91edec496334805dc755958cb5975ae1e498b8

SHA512
dd15b7be895d412d816114735d490cbb2bdfd72aab8b64f33fec268745094541de52bbed3b9a5d33eeef0885851f802c0a6205c4b224576af17e54823cc27562

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.3MB

MD5
93874bd58eb477c382a4aca211a533cb

SHA1
d02e74476949124fe4cd463bcc57e6a86c863382

SHA256
5cf9c61d7e4b820d2a994c7a0645dd3610d80d481430e9f4eedab1772c0455d2

SHA512
8fb0d74c49510a8518b90dd8899eec5be8184ef597a12fae1098c0f98234743e231c92d94b8f845ca8a56cf6ba501973583f4bd098ecd9c26582d30f1725403c

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
15e7bf044593e7d7a38b8f9a331c84f1

SHA1
ea8e22e4e9b618997f2ad02b33e2377acf1924cd

SHA256
2c6c3a3e0ad6cc3b1fb1b2ac36145d6f350d94abaf75f169f18b8bfe472f05bf

SHA512
66ff88f97feb48e9a09d509b1909176791e98236ce8f34fb0497b1c410b5bc4d43a8fd555e1ada877ab98549dffdd0387d539620fc960d399e7f7e04f57e4a3f

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
700KB

MD5
eb6b3d64043359fdbdab232be56afb96

SHA1
15681695e1bfc67103de3df4ec52087a1e7257b2

SHA256
b680477ff22cb075edd5fe7c45d7e4452b9f6ea4f89fadb07c040908ca27257b

SHA512
693a3f42c85a47dcb79ea98043401604702e4fa8235892e93b578259aa3a587758153d1652f929c0cc79a43677f5633a647bf04f7379a6b6bb71d0c154e0d577

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
623KB

MD5
5f1b513092a4c3d0aef5c3d779bf4a59

SHA1
20422973af1fb444ebcf67ea8ad05b7e0f761686

SHA256
22b920cd9226131aca7441516dcd5a1330bd848c172eec172ee63842febf75fd

SHA512
4e2ddd441e90a61992119a6cb430979a5fb9bcf03d735f0dc2d6245951e240be7b64c89c78fa4fe9ca32fff7b9bc81f107a680b6964d8aabd98fd3d1c4e27f6f

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
572KB

MD5
3e28cd477ce936452e70c997f79b9b64

SHA1
aec0b9a9d81abb6d3c7c2b88f3c573f4614c723a

SHA256
d243a1388bf293b568c1ab9b284f49aace4c66db0143dfc74dfdbd3173d2677e

SHA512
6b2f702b4a9f35dc8269226b634f7755199ba671f738b0585ae455b052dbb3348eeae507e3ce7d6ad5fb426016b7a768b135bff0761cf0280f1af8be6d20d86a

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.1MB

MD5
847fdda1ff4fb183405f898174dccad4

SHA1
69c7d47a03e149bca292cf1a5c837a4ba6d0ca42

SHA256
ba446108844b1a05581c68a2b95ff88c77b7accc75266a11e7d78f64bf159137

SHA512
76a037c53c0d19d64a9c5acbb322d12ac0a8185b13ab1c50542411a4bfa0e21e5bb09bedc42b4b8c8fc22273d9d6853bc78e9581c8cbdd2eaedf21c3654799af

Download Submit
memory/664-157-0x0000000140000000-0x00000001402E6000-memory.dmp

Filesize
2.9MB

Download
memory/664-144-0x0000000140000000-0x00000001402E6000-memory.dmp

Filesize
2.9MB

Download
memory/2136-138-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/2736-155-0x0000000140000000-0x000000014040F000-memory.dmp

Filesize
4.1MB

Download
memory/2736-139-0x0000000140000000-0x000000014040F000-memory.dmp

Filesize
4.1MB

Download
memory/3084-154-0x0000000140000000-0x00000001403F2000-memory.dmp

Filesize
3.9MB

Download
memory/3084-135-0x0000000140000000-0x00000001403F2000-memory.dmp

Filesize
3.9MB

Download
memory/4948-156-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/4948-141-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/5036-132-0x0000000001000000-0x0000000001264000-memory.dmp

Filesize
2.4MB

Download
memory/5036-133-0x0000000001000000-0x0000000001264000-memory.dmp

Filesize
2.4MB

Download