ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112

Analysis

max time kernel
151s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
Size

584KB
MD5

6a116c97067f0e3a3d6fad6a570791d0
SHA1

cbd703e02f076528e23782e9414779888ab70e60
SHA256

ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112
SHA512

60da70b6282b1a546ddd0cc1a2d4884441616746c9bd5e1360d81aa280ea7f20af83ef35532f62b3a2710461a8ca719c99120a07250518393ab4ab73e9c5d6ee
SSDEEP

12288:5zasWWBnUvtoThEkQOSxpqL13q8W9DGLoc8mHrfCbsEs31RepsLM4:EsB3mkDspqLg8WtGLdJrKYEuoX4

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 5 IoCs

pid	Process
4932	elevation_service.exe
4584	elevation_service.exe
4812	maintenanceservice.exe
1632	OSE.EXE
2796	ssh-agent.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-929662420-1054238289-2961194603-1000\EnableNotifications = "0"	elevation_service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-929662420-1054238289-2961194603-1000	elevation_service.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	elevation_service.exe
File opened (read-only)	\??\G:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\H:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\T:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\J:	elevation_service.exe
File opened (read-only)	\??\L:	elevation_service.exe
File opened (read-only)	\??\E:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\K:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\O:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\Z:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\O:	elevation_service.exe
File opened (read-only)	\??\Q:	elevation_service.exe
File opened (read-only)	\??\R:	elevation_service.exe
File opened (read-only)	\??\I:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\J:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\M:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\N:	elevation_service.exe
File opened (read-only)	\??\N:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\V:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\G:	elevation_service.exe
File opened (read-only)	\??\K:	elevation_service.exe
File opened (read-only)	\??\P:	elevation_service.exe
File opened (read-only)	\??\U:	elevation_service.exe
File opened (read-only)	\??\P:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\W:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\X:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\Y:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\V:	elevation_service.exe
File opened (read-only)	\??\Y:	elevation_service.exe
File opened (read-only)	\??\F:	elevation_service.exe
File opened (read-only)	\??\I:	elevation_service.exe
File opened (read-only)	\??\M:	elevation_service.exe
File opened (read-only)	\??\X:	elevation_service.exe
File opened (read-only)	\??\F:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\Q:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\S:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\U:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\L:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\T:	elevation_service.exe
File opened (read-only)	\??\Z:	elevation_service.exe
File opened (read-only)	\??\R:	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened (read-only)	\??\E:	elevation_service.exe
File opened (read-only)	\??\H:	elevation_service.exe
File opened (read-only)	\??\W:	elevation_service.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\locator.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	elevation_service.exe
File created	\??\c:\windows\system32\ojbgdnfo.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\vds.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\idpinild.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	\??\c:\windows\system32\adjdinkd.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\locator.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	\??\c:\windows\system32\pdjnfceq.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\vds.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	\??\c:\windows\system32\plbnoipm.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\alg.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\alg.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	\??\c:\windows\SysWOW64\icgneobm.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	\??\c:\windows\system32\gjommkpn.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dgilkpmn.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\lmmpfcii.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\dhgncdqb.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	C:\Program Files\Internet Explorer\onnmbqjl.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\cgakfigd.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\khigbmnb.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\dlpilfnb.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\qcogljfn.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	elevation_service.exe
File created	C:\Program Files\7-Zip\amhadgcp.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	C:\Program Files\Internet Explorer\bhlnifll.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\jgedcica.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\nlfifejp.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\fadcmdcc.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\iibndipn.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\qfemblig.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File created	C:\Program Files\7-Zip\nklemblo.tmp	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	elevation_service.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe
4932	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1400	ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
Token: SeTakeOwnershipPrivilege	4932	elevation_service.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	elevation_service.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	elevation_service.exe

C:\Users\Admin\AppData\Local\Temp\ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe
"C:\Users\Admin\AppData\Local\Temp\ca9066a31add0ac03dbfc8ff735bc433152c2d2f932cfdb604d3f357d3ccd112.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4584

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4812

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
35f80e2997a3b6041a6209ec917753c5

SHA1
caad114250f6023df7f4bcbabbd43667905e70d2

SHA256
6a2302c53d58da6fc73a3874d3e1d3dbb1c8a2f1d46ddd7da405cd3b17723881

SHA512
f6792bc2cc526e4d6fecdfbcebf091f0ab9266f2904974cefc925194d3af647233323251a58d4b771d1ab73cc95ec0363fcb3952895f4f9834760c166339b161

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
788KB

MD5
ecb56951195ca45a4317f27399e005b3

SHA1
4567c735ed73c9e3e7609d30dd9efb0c22f40767

SHA256
04e5cdaacb7fef503ee9af95a521b8ccb14d0664e181e6949134e97cba778b56

SHA512
955b585d8831812262f4006403738495f0c62d9180ec9e9ed33a62e19a84ad86f573dd8a29e24d860f7e58893078f00fad92bf010aa20397679f252ede15998b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1014KB

MD5
41b9860c8c42eeeac7f1c484ca7b55b1

SHA1
517779e6245f91cfeae9d161e3c79b24aac058ef

SHA256
f8ef00ff978a5234f1f245f7b6cb117263eb3da5b8b9f31ec94397adb9c4787a

SHA512
0e28552ed28ef5c64e297cfa97e23df9cb95dacab4aceb13725fdf97be8aa4fc924b2776cadd21a030f49ee88e93323d78ec61046fc9ad8efa126f62ca0f52d8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
6a3a47a396cc6cfccd40af0bc76b0364

SHA1
bc1ab275d22b43a4cb149c96f2a0358a33badb3e

SHA256
6b6bf627aa1f92f9e7a907712314e8a14de3248210d7cd45a55d72936327d39b

SHA512
5baf33de59ecfaa4b2d6e11342af49660ba890dd4b92a1d987bbdd14a5279342942512ae078d414b42f2403bcad6b0e313fa8b041da628adced3670ef1f76be9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
0d9c48ebef1e3b174fa7020d209dfc73

SHA1
3b84f792b5cdef13a6735dd7d36f9e9f76e6d4c9

SHA256
be6d2ccf3d58b79f8529c7c3b77e92a93c2f5219f2c6bd606f6f43d463d9505a

SHA512
3df9354d03616f64aeaa5d0f24a254bd0ff9ccd8906f1cb0d3dd30a84d9daf1b7281091d651f607870be39389cb9cc4af5f7dd91cd3d7f575c4be078f8b4bc34

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
571KB

MD5
26a5d0c7adda89e24f8ad1411db64511

SHA1
d68e0522189317957f8f2fd54fe7f1bfe91ad9c2

SHA256
eb64197c864e7cb5d6cfde5f53690d0b83a1a69ad781e426dfa0b8bec0af6105

SHA512
e24850197f7b24c5ce4f728f4156cf86c6df94b52880904915af3e6be4a8506e41b421d5bbb96588d898a77d8d8f898fd9a868065b0b0c42764ab777e70c36db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
832KB

MD5
c7c2e02ac6d22a431cdf5ae9b0e9adf5

SHA1
78e8918def0f316df6296ff7e7031c107320c9b1

SHA256
7986c1e26d01f59b4cac0f443f3e6d29a889000fdcc735044ed2be6e029098c3

SHA512
7b463ccb17f9dc471b787a9d045a83e14087ac92cc07d0bb835a1fc71466f8a2fb244bc80494b6e36d6289566aa44f2c0faefd63b5218de9182e6cc3ad73c729

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
56f9658e99101481700ee540e12294fc

SHA1
83966061cdd6515348bb4069480044ffda5c4181

SHA256
aa69937c47ae9e8edb8ee39c9889cdefa6ea1725de83b62526aa6650f78eec21

SHA512
a1d333e8c950b97751449b4cb0c788ddeef9ed78a594ae493f2bef8be2e2fee132a0c082a2cb2d870fa23f23f9b2e5a0f5a176ce652b535a5ddcc90c7cb8c4a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
898KB

MD5
c28acca874964070799df7847b4a807b

SHA1
d2055729724e15eeedbb5235fc14ba69d9f96b81

SHA256
2538f6b5eb876972418cc20c7cbeb345e970e70bfbe9748489e063a3cb084ce1

SHA512
d4a74fd8e0c8f1e3930a204e6f28aa3f838bde7ee0a4e0f7a5e1b9a90a23cf2d75bdcf185b63bc93ace648988a2442fdaf7221c59de73d3e709de446ccadbc84

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
aac2746957379a29b4b92e75055d0822

SHA1
6bfc2ce8bd0a6adc11d2fe7a03ad47b181a79f2f

SHA256
3981f4bb2c28a77f74aae3b753a5937068a55c4442e017649f89f66268c18af0

SHA512
ec363f10c4191bc83119137fe8573a11d8b5672f5bf9df8d339f3bbc30743949f6497cdb3c55e3e0dbb96ddc1eb8316ef280c5680e37add6a20a52e2f179ba12

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a9739a471fcebf24139052f150849ec3

SHA1
d6232006fda4783070edc37239cde7bd17aeeea4

SHA256
63bb74a126bd913e17ffece791a135c8a5c50590977dc334c727904cb1750d6a

SHA512
8bfd7a2afae983eb11c8b8b65f06a7b99f5e7f9fd703afcc6baa9f18bc1a084f78c3ae93be70bd55c51a77a9bfbb6edd2d7264baeef87af3412c93e28cb35c72

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
797KB

MD5
5aabbfdc9dc71a16ed34b7815412813e

SHA1
ebf23bedee2569bb4369ce5a9a7557d90e68e40b

SHA256
652db6b012a00149f6b4870b9caa1a66fa96c21f08e3c2324e26015c6f0fab4f

SHA512
9611ae036a670c081c4c886231ca66e08310bf9ecccb8fdf177fd42b4e87ed567fc5cd18ca4e28fdc44c57abe10d237b33aa2b0a81417f4c1ecba8f80cae604a

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
819ee114cfddf80881d1ad375ff8fd1e

SHA1
6b5f5bac90d751930bd81196fe569738cf6d8bba

SHA256
5415afb22632d134bd072e0a63856ed9d1226cd92e867b50adfb54adeec589c0

SHA512
4164aace95d4566aa73b8bee9a1203da6e378576ba7b05e38dbdea1437c5fd2bee39cade80584c56ac42c782515e1d5a4feee077d7e9914d33281ce4c2af8f97

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
932KB

MD5
83a8cedf60bb39469d562a799494135e

SHA1
5c19da514cfa6c37e9c2bb33c837ef829fec0acf

SHA256
a963446dca4ae382b36cc7fb6f3d0ba37fdf09365873b8a34d30789c81ede6b9

SHA512
c00df5e43f518a6a9de5762c83dc1baa50629365c8e3817f1a73fe20409d9d8765415844e93633b8cce5faeb7d7c764133bc1015e6eef112dda501699478a0b7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
932KB

MD5
83a8cedf60bb39469d562a799494135e

SHA1
5c19da514cfa6c37e9c2bb33c837ef829fec0acf

SHA256
a963446dca4ae382b36cc7fb6f3d0ba37fdf09365873b8a34d30789c81ede6b9

SHA512
c00df5e43f518a6a9de5762c83dc1baa50629365c8e3817f1a73fe20409d9d8765415844e93633b8cce5faeb7d7c764133bc1015e6eef112dda501699478a0b7

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
4583acf4464ef22f5cfcbec0116a9fbe

SHA1
99ee0b31137cb7c62e57720a0c9028ae022787e6

SHA256
8f5d8bb9876ce2ef8e935ee4f31f9e2d2cbdd8074486a91713e847c673efea59

SHA512
3a54e31d5f543b64b308ac40393d52c5f32c42056b703875c9ba863ad1a28e406e007f648f36ba206151ecdf2b83a0dfaa81dc91e1e314757f623b0692c779b0

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
788KB

MD5
ecb56951195ca45a4317f27399e005b3

SHA1
4567c735ed73c9e3e7609d30dd9efb0c22f40767

SHA256
04e5cdaacb7fef503ee9af95a521b8ccb14d0664e181e6949134e97cba778b56

SHA512
955b585d8831812262f4006403738495f0c62d9180ec9e9ed33a62e19a84ad86f573dd8a29e24d860f7e58893078f00fad92bf010aa20397679f252ede15998b

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
1.5MB

MD5
b736aa24a81bf6e6270bb491ffc04c35

SHA1
929911b275fdf060d060f5370534d782ccd80703

SHA256
4f4a8d0b1e94b822ec646d181d361ff6457e346fa9139d969ada36c548863ae8

SHA512
212dfea2fe96328f1d4e7f5d26e21bcb405647dfd8d003813f799258a62986fdbaaf24f5545bc5441cc5a7072619c02c0b3ee04f30f69ca5942f0b0275a0c82a

Download Submit
\??\c:\windows\system32\Agentservice.exe

Filesize
1.7MB

MD5
04c12b7989f192010697b514fd809da1

SHA1
4205e3477e1379c6dd760345866a7ba22ef013de

SHA256
9730843904ee4c5431cf1cef2c2b5dd545f1f90c26353a1b62260ed6a310ffa6

SHA512
1adfdf8fd47d0b771777555736d4a91613dd560f09d73f47bae93718ac7a05f1f399e1959b8663d59d2a686536e68e41990156f23f73c2e3faf91b482f9bc04b

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.3MB

MD5
cb4e441551244e32ec6202f2ec8f49c0

SHA1
c555e6a470ca8e0ddb19ed9bf6035633b17d2be0

SHA256
5fba8bc101697ff154e9989ff092b4f2ec458697dc52df196f081f9ce05376f4

SHA512
fd1f56dbd5fa339e88625311409bc5e0d9efbe7e8329d70b71f4a61db740e49db167f8b2bc3f4f67ca06ec936ffb6170abf412e1fb79f6817a3d10a58bad0044

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
be586b23dd147d7f052d8b4be78fa8cf

SHA1
0f1c997cbe1958b8c4cc6c3b7a8caba7e41497a2

SHA256
6abe35df4e1936a729296d8971aef77064fa65cbf34d36f656cfdcbda7efb529

SHA512
50f21ce899cff71d18d356ba5373c3e98d1aff3ba99eebd3046576ed77459eb3caefeb59840da95313578d3b982db29b6a544103ad8a716716fff6dff8b7b297

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
700KB

MD5
7699c3d5a701e959953b315390203562

SHA1
89703e2c5d4ac37bd914af2331f629a09fb533e5

SHA256
4af5709414f624c345221dc99f040ae757963e2e379b2bd7e4622d6776c7ed5f

SHA512
59cbe38904aeca1e1000aeed2cea5ba7f56e8dd2a8e6fdeafb330c4b1c8223b548d2d9429609fb2bb857086e82ed545d62ebdbd35c1bfffe933f79545ea54e69

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
623KB

MD5
49eccc0215a6c1a5bbb6bebeb77ca7ab

SHA1
09d1073754d1279ffcc7ddda0ebb0cf9a0940729

SHA256
3b7a3d36c12a164a7b59ae270cbc4575ce9dd3b01f5f2a8cb11336c8a0072191

SHA512
24810d1d7edb4174042a3c3a70d66356c4a406f11748ae3bc8d5968fe52c0b93175bd6ce370658ae2cabfa9a664c6cc1d6f32ea756a31f2c26cf18ae5759711d

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
572KB

MD5
0992b6a333cf9930b1c324dcf02e8158

SHA1
b471eae72ad170475ec3a138758c43f2a06ba1b1

SHA256
5f23bc5c6beea1dc7f9c92bb9a36d336c09b39a2a530ef0494f59c048b68d196

SHA512
b8d4e081551abe8af98026f1f72e86bff859cee9724b517448fe6437ca2ae7cd8135fa47717b56e67c972d480a938220158e605633132b934dbc7dbeb9731c1f

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.1MB

MD5
b3de3a808efe3365f46de6ef2d220078

SHA1
a9eb3a34f28b48c40d621026677398519495aeda

SHA256
b11b675684e934df8cf11fe6e649e1c4a7be07a23895df18c3a882ff48615e78

SHA512
92603dd75abeb801967cb2ea21ba883bc0e855522237d404173c6ee285a2d92292e4214478936ff0cadbfb4f84f127b48621970afc67bb2eef13882ff7e6825d

Download Submit
memory/1400-136-0x0000000001000000-0x0000000001251000-memory.dmp

Filesize
2.3MB

Download
memory/1400-134-0x0000000001000000-0x0000000001251000-memory.dmp

Filesize
2.3MB

Download
memory/1400-132-0x0000000001000000-0x0000000001251000-memory.dmp

Filesize
2.3MB

Download
memory/1400-133-0x0000000001000000-0x0000000001251000-memory.dmp

Filesize
2.3MB

Download
memory/1632-159-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/1632-146-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/2796-160-0x0000000140000000-0x00000001402E6000-memory.dmp

Filesize
2.9MB

Download
memory/2796-147-0x0000000140000000-0x00000001402E6000-memory.dmp

Filesize
2.9MB

Download
memory/4584-158-0x0000000140000000-0x000000014040F000-memory.dmp

Filesize
4.1MB

Download
memory/4584-140-0x0000000140000000-0x000000014040F000-memory.dmp

Filesize
4.1MB

Download
memory/4812-142-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/4812-141-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/4932-157-0x0000000140000000-0x00000001403F2000-memory.dmp

Filesize
3.9MB

Download
memory/4932-137-0x0000000140000000-0x00000001403F2000-memory.dmp

Filesize
3.9MB

Download