3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
Size

589KB
MD5

7c3708d90d6c25f6e1dcc60f5031e030
SHA1

aab0514e8b1d0733a3c3272a9229e5d349ce8fbb
SHA256

3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76
SHA512

77b1578dfcf0678faaf7d54c7c5418f1b5bf1a78b66f98b5aa20469acf8d639a8bd0007019038c69031bb65d3450eaa62600645fa102ae755983b61f26bebda4
SSDEEP

12288:X6pcP0/Esll5uGLCfX7LtISVvptNlNn8l/4N6kBN7xckcBZeS8/RAeOo+xXZPF5J:KOPhwQGLCP7LtISVvpblNn8l/4N6kX7

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 6 IoCs

pid	Process
3220	elevation_service.exe
2548	elevation_service.exe
1752	maintenanceservice.exe
4412	OSE.EXE
2240	ssh-agent.exe
4620	TrustedInstaller.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-929662420-1054238289-2961194603-1000	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-929662420-1054238289-2961194603-1000\EnableNotifications = "0"	elevation_service.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\T:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\U:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\V:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\G:	elevation_service.exe
File opened (read-only)	\??\I:	elevation_service.exe
File opened (read-only)	\??\M:	elevation_service.exe
File opened (read-only)	\??\O:	elevation_service.exe
File opened (read-only)	\??\P:	elevation_service.exe
File opened (read-only)	\??\Q:	elevation_service.exe
File opened (read-only)	\??\T:	elevation_service.exe
File opened (read-only)	\??\H:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\N:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\P:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\Q:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\S:	elevation_service.exe
File opened (read-only)	\??\W:	elevation_service.exe
File opened (read-only)	\??\X:	elevation_service.exe
File opened (read-only)	\??\I:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\M:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\Z:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\R:	elevation_service.exe
File opened (read-only)	\??\V:	elevation_service.exe
File opened (read-only)	\??\K:	elevation_service.exe
File opened (read-only)	\??\K:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\L:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\R:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\F:	elevation_service.exe
File opened (read-only)	\??\U:	elevation_service.exe
File opened (read-only)	\??\E:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\G:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\W:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\Y:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\L:	elevation_service.exe
File opened (read-only)	\??\N:	elevation_service.exe
File opened (read-only)	\??\Z:	elevation_service.exe
File opened (read-only)	\??\F:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\J:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\O:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\X:	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened (read-only)	\??\E:	elevation_service.exe
File opened (read-only)	\??\H:	elevation_service.exe
File opened (read-only)	\??\J:	elevation_service.exe
File opened (read-only)	\??\Y:	elevation_service.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\pbocgiio.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	\??\c:\windows\SysWOW64\jgoiaqmq.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	\??\c:\windows\system32\onbqadlq.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\alg.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\locator.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\vds.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\locator.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\alg.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\vds.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	elevation_service.exe
File created	\??\c:\windows\system32\amogaobg.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\gcdjfhae.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	\??\c:\windows\system32\kniddghh.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	\??\c:\windows\system32\openssh\ogedfpli.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	elevation_service.exe
File created	\??\c:\windows\system32\jddajogm.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	\??\c:\windows\system32\ofplqfdg.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.8.0_66\bin\llopmkim.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\feqkbkgm.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\elmcbqaa.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\qfemblig.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\gkjggimm.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\gmoggjie.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\dklkkafp.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\jbcghalc.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\ekbcpnlc.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\khigbmnb.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	C:\Program Files\7-Zip\pijiegfa.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\eqiodbdg.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File created	C:\Program Files\Internet Explorer\bhlnifll.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	C:\Program Files\Microsoft Office\root\Client\ookbgdam.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\odadaonc.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	C:\Program Files\7-Zip\afaqkaok.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\klonohhl.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\hbifodpe.tmp	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	elevation_service.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	elevation_service.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe
2548	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4480	3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
Token: SeTakeOwnershipPrivilege	2548	elevation_service.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	elevation_service.exe

C:\Users\Admin\AppData\Local\Temp\3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe
"C:\Users\Admin\AppData\Local\Temp\3e414c7d6b1717197a2252ae3aceecfa0d06e11e7446f2db69188997ae014e76.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2548

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1752

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
42b07e85154301937d40c35dc3d48629

SHA1
f1d5eac57968bb285deb74b8ac3de8978f2ef2a4

SHA256
0dadcdb64b4bf4878e8557b72064d9087955a6b59f1827bd2b76c80ca46cfb7a

SHA512
25ab6f784f4fba3f32a54b55ffd9a8d879f6fc23a8e3e1cef906aa013cd554fd56a2ae8e807df7abd3edd8fb29f48b4059c14eb78b8c66102406cbbd4198e025

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
788KB

MD5
b61d02a3c13a9426fcd7c2e5443fd137

SHA1
c3171e0d0f144d7860affb14bfbb5f63e4830474

SHA256
3ae906326377453a57e486c3189ef77d33f0f0c2dc6d1f7f3315c56c50caa780

SHA512
c4c622dd574618c32e3df4d7e6e7296f06906b2e18f6fdec07e6043fc423ba712da4c4bad7c1174d5adfaccf6423c955dc9565735ec53ea3db977de057c8bec7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1014KB

MD5
6836b58985ad515a48b63bc4eafb14ce

SHA1
b65c63fa6361aaadfc5a2e014212f464a1ff0301

SHA256
b87ad01fb403e37d8b43077a7e843d7bb62e342a3c39c22fcd14261b5f6d7b1c

SHA512
d213937c3bebc52b4fad4eaed8efe59d38cffeb2a3850ec6c8f99b3e5fba4ee3f2c152374dffd5ad60ab3c2d58ee45aab15f2e123202a3211e404fcb1fa628db

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
9f222659a562079f4ad6d33aa7c84625

SHA1
8ff0f864ad0c8c12183d117947e8d60419ab51a3

SHA256
918558629515e61d4251205b105bea1ed6b99fdc3512b1c174981e720810614b

SHA512
9cd9bd073db55b999d5d91b5be812775d0942e727463976afc2593c01b4472c4200ee8848f48b317cec137ad73834e7d6c23f4149316c4257730fcedfb1872cd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
35a4fa85cfe8269c7fecfa56a3ec5ad4

SHA1
29e80bb79e44e64998b4353b28b74552f37ed5ae

SHA256
8ec63fc7d5cf8a6b36888810e35323b81d9b14fbc5acd8fba0f5b46e1c90248f

SHA512
5179b9b7dcaa2e4fae2d986188e4a9a663b39045f6f84f9c7b421ff6987eb85b6b1cda533723a721a988f78559819c0dffe4acbbc899b0d1299eec48e80e8c93

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
571KB

MD5
968d2050db4a8fa0572b1072322a67ae

SHA1
9460a7a50d0a875ab549f951b8f306223b061937

SHA256
bc9db08f226c48cfb67c45bf2710960c9ba01a463fe19999c881329e1212644b

SHA512
542e328b23e3240a0a0aec8872399811a91b7118a481de83b9c0bb9eae8597474684ffa20940126cf1786064fee64167946a3fd1602e5fd947e666d64650dffd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
832KB

MD5
a977ccea481274d49f1814a3767af3e0

SHA1
34f905546d0c3f7d51b817d8dfc90e3b9762ee21

SHA256
5af19d71195e7737e05c1a438aaa51f57ec2bc0d8bcd55f6a90bd0c0a722dadf

SHA512
0055d288ed57b38ab32cebc7e1737d99448902e8f1fa7a2de2fa6503e39fa3ef7b588f89158193aa0280b1e047838c651862243f85cfba40cf7fe9e76660b2ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e95ccdfb58e156ba105c3954f743dfcf

SHA1
77a4208ebd33be17d3e2551ac7178b8bf05115b4

SHA256
9eb3d82ef5409ba1979b45f431cc41a1b4ee141389fa3450e75d0ce265f3fdde

SHA512
a78bb97cecfdca9b64eab779d31d998a5238019598080f8a47092c98c1fb02550f8b130b1fc0736177008778efcaf84a5653d04ff8fec7469759185417731e72

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
898KB

MD5
9ccb2e6b61fc5aaaa59576835cd73e0b

SHA1
c44f3b2aa3d3603359927d55126b31d4041a18b7

SHA256
34beab09df9f7e33897a1ebde2361d2fd8570fe7225963640bcb613029754a72

SHA512
1e896936ecdb494b9c2e81692ea482b434d577b1577a05c6726f9e33a5d468611033d987b5fedce0ee2f3db78493413273f24b590663d179cfb9973b253ed3ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
de7351f50f02bcf03c194a146e01d56f

SHA1
0f87c078bfae99a8217a835472aad6df1f2f8aff

SHA256
9706d6e508e241f7d5f98bfa3411edb9e610daf78b186cb2fe6d672f5d1dd8fb

SHA512
59fc7cb5608acd57ee51350f4a4032c1f27acf89ad656db7b748457383f6b43449436e2f1269baede7696c4f89301deea064263b7e319cc384b1cc938f1d05ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
00456e4eb217467266db6063c5a10f5f

SHA1
eb44badb34d01542c184504eaca345b7004f1033

SHA256
98f2a9df2e73866dde817810602eb209d2ca76f251f0a154d69670b42454f0ca

SHA512
01afbdda6f31d89c19887619d64df52e04090882175a8b313beb7a36330a0ddb90a222122581b6ba9dfd8ca02baa954c5fedc4b0fa38acde5217a3e26aabc868

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
797KB

MD5
4571dfaaf9dad3985a9c0047838fae7d

SHA1
a7984f85f7d35d306e889050bfa4919bfc7f4c57

SHA256
4d0a184d80ac2f68ca7d03a278089d14fc90c9f067d0ed1dcda847799efa20f1

SHA512
910834d79ce07f425ae3b94d08d659698e856f44b0959344d6fca5f6a4e08a90acfbc879b6f030da33deda73c3ea3060b057d7c95a439296a899658383b27979

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
cac415e7c5412f815e50c7e38feb2948

SHA1
390538e36d997df3f8b1cb9adbf6143a2d3a9214

SHA256
ecab8988bfc8f57119ec14fa72c9497d29604ca0608afbab1586d5d9dcde2e34

SHA512
3b794492369b044510a9fb1144e37210f15fa0bb010c596099e643ba2ec25b867be629f4dca46f0bb907cfc27f5046d0da3e39987f470986364ba735f3ba5578

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
932KB

MD5
36e615ffc3513fe6c3990a4152b6a454

SHA1
6f23c9e73f3413bb016964d2ecc902232f4711c1

SHA256
9003ed29aa0eadd8f1f461a84f9d8dacc3273f43e1b99bffba8453de37540a62

SHA512
db3139c23fb4715155adf222202025b33d1876e0b31e5539dfe05fd0a9e0b3aa8a5908f81c637acb06452ee27ab8903a58db4893165e1da86dff7967435ef91d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
932KB

MD5
36e615ffc3513fe6c3990a4152b6a454

SHA1
6f23c9e73f3413bb016964d2ecc902232f4711c1

SHA256
9003ed29aa0eadd8f1f461a84f9d8dacc3273f43e1b99bffba8453de37540a62

SHA512
db3139c23fb4715155adf222202025b33d1876e0b31e5539dfe05fd0a9e0b3aa8a5908f81c637acb06452ee27ab8903a58db4893165e1da86dff7967435ef91d

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
203355f9bec8d31642501fe5f37eacc1

SHA1
604cae117f1f6b511506167885831d5cc9d1d84d

SHA256
0b6a2906ba2730b8e177db83045fc6782e31a9974b70ca257d7c05068351615a

SHA512
dcaee240672d8471f670501e96185604e18ebfe772f89a58babd403447a51a721acbbdb7e557406974e8893137c4f357fab68c3864f505319ecf25dfc689d490

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
788KB

MD5
b61d02a3c13a9426fcd7c2e5443fd137

SHA1
c3171e0d0f144d7860affb14bfbb5f63e4830474

SHA256
3ae906326377453a57e486c3189ef77d33f0f0c2dc6d1f7f3315c56c50caa780

SHA512
c4c622dd574618c32e3df4d7e6e7296f06906b2e18f6fdec07e6043fc423ba712da4c4bad7c1174d5adfaccf6423c955dc9565735ec53ea3db977de057c8bec7

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
1.5MB

MD5
3f6c08e3b12b2a9d3bcd8c00b941f8cc

SHA1
88a88e35ee9df043ca3b8454fc97927a8eeb9487

SHA256
8fc580c863bf22ed3793d5d995322bb7ad24afcd3608450accf2fd71642f592c

SHA512
1f02155dc02978e4101571b70efa62d685488f722026ac277ebeb110fd842ea0f9f1c9a3830ee49d2ea3f709ce53808150fdad1fd805f4b1b4cd9afeb665907a

Download Submit
\??\c:\windows\system32\Agentservice.exe

Filesize
1.7MB

MD5
536e3c605e46b33640a2632162a0dca8

SHA1
dff719759e09782dc71a9f1d8c7f79b35c984960

SHA256
9b9afbc9cb58a1aa1682fcedeb7a957ca7bf30de44ca6bee0d231ebaa828c6f9

SHA512
5aa78d825f0499f09394ac9d64f3e29bc4b46f7616e4db8a710030d604cf7927a11fc9d6b4c8c9c18ab0060f19eec55b933762b1b14b8ac78693e05af7354741

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.3MB

MD5
3a577da47c2a4a575b38ffa70b44dd09

SHA1
94e940920de33f862670596e9a888edbb7b28776

SHA256
4aee2db077059270030bec158aaa6fc2ebc6c250528bd1ecbcf961fc1ae62c33

SHA512
d6f1403cd3851c593e0fb8f521c198972c8ea773fa921cbbaea35a46392344e29f1ede02ce104a69afec7d9a37b644f0de393dc0b9349e5e77e9284ca2dda7f6

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
175f8a923c19d425fca46e20d36a0e9a

SHA1
88fda2f4429b90f432a704d89c82f6535e1056a2

SHA256
34ff0e9cec38a1bb87560eadadb2cbf12be45f65ed115985587d8842c52bc846

SHA512
7f91986377f092582981f679636b4112f60150641d903ff47f07f354049b70a41da61ed73f0673db905ab2cf263f2541f525a6c494dbf364d8213f245d4bc8fd

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
700KB

MD5
bf6cb2a8c9af4d40c2e87abc2747700a

SHA1
50b6bc3f5964c2a4be8989e5101582abfb66c8d8

SHA256
13decd4872eb4700169d6285e662c70530906a00513b75d139f400f578b8e603

SHA512
559c99d996c9276dde7d59f6d3a09734e001448dfcc656159f7c19f08ff46fe4394a6ad678b261d81d9ed6d8dfbc76601f677092e93b074713ecb36c961049fa

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
623KB

MD5
85b0a7b17c914ccee8a87ae9e1b8fa22

SHA1
99254aa545af801d6ea5416ddcc41e70628214ca

SHA256
6195fdc9e6df4a4ecb9e7ee45a958bf1deb88b49f7dd99bcc4fc228ec982e516

SHA512
41efd7711d85bec8a0ae4d4ba2825450113480caf6304ab45d45f58f406c39aaf358b416b3df0600e5bac29cdc9c039ec03fd66d8d85b387dc0ac24f4e7b89a4

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
572KB

MD5
f4b3781d603979a5fdf3eebc7c97fe5d

SHA1
5d49f237e7d1f5df8adabc25ffbe494a3c4101c0

SHA256
e63442d710a23a6fb5a4ab4ebf2f4e60d2059d21ae777eecc726595207ad0025

SHA512
4d854e3d66b4062e8eca7a9c4d2b9616c0ab52c3d072e2089e58fb2a4ec892bd9b752e50f7086c32019246020dc0d775a4825812b66577588fa245b070b2bd0a

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.1MB

MD5
ecfe5497fc0c8481089c67966539ef3a

SHA1
99d1513676b33616df2930048303da740c27117e

SHA256
f240fd2b5f9ea582b85f6bbdb729f429da9ad97706f1d49500eee341af81a7ae

SHA512
55623fb35c142802623b31b0bb82e1481884e3a775ff6dc680527f18906515f8a780b916ddebfa7fe897724b74302bb5a7b498e59fa91928f9a6419be8d627ea

Download Submit
memory/1752-138-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/2240-144-0x0000000140000000-0x00000001402E6000-memory.dmp

Filesize
2.9MB

Download
memory/2240-157-0x0000000140000000-0x00000001402E6000-memory.dmp

Filesize
2.9MB

Download
memory/2548-140-0x0000000140000000-0x000000014040F000-memory.dmp

Filesize
4.1MB

Download
memory/2548-154-0x0000000140000000-0x000000014040F000-memory.dmp

Filesize
4.1MB

Download
memory/3220-145-0x0000000140000000-0x00000001403F2000-memory.dmp

Filesize
3.9MB

Download
memory/3220-135-0x0000000140000000-0x00000001403F2000-memory.dmp

Filesize
3.9MB

Download
memory/4412-141-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/4412-156-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/4480-132-0x0000000001000000-0x0000000001253000-memory.dmp

Filesize
2.3MB

Download
memory/4480-133-0x0000000001000000-0x0000000001253000-memory.dmp

Filesize
2.3MB

Download