2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
Size

576KB
MD5

445cc9b92186b89305a42467400caa30
SHA1

08ce21ff1111657749918e988b54da6e74223d2b
SHA256

2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63
SHA512

256e971b3f49cc128379d18b1f654cbc932e0bb35313877c5cd5e2809bb8eafe0a577042e4cec416fd6d99a2fe00166cda87f6c7edfde44863537b0180d1aabd
SSDEEP

12288:3oXMafq2LgHE8G5Hg2US0igmmfoj1CJdP0XA54QHw:OfOHE84XUS0RrL0XA54QQ

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion
Executes dropped EXE 6 IoCs

Processes:

elevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEssh-agent.exeTrustedInstaller.exe

pid process

4192 elevation_service.exe
1224 elevation_service.exe
4788 maintenanceservice.exe
1352 OSE.EXE
1812 ssh-agent.exe
4208 TrustedInstaller.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4192	elevation_service.exe
1224	elevation_service.exe
4788	maintenanceservice.exe
1352	OSE.EXE
1812	ssh-agent.exe
4208	TrustedInstaller.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ssh-agent.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4060001867-1434967833-2212371794-1000	ssh-agent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4060001867-1434967833-2212371794-1000\EnableNotifications = "0"	ssh-agent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ssh-agent.exe2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe

description	ioc	process
File opened (read-only)	\??\X:	ssh-agent.exe
File opened (read-only)	\??\Q:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\U:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\N:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\R:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\G:	ssh-agent.exe
File opened (read-only)	\??\H:	ssh-agent.exe
File opened (read-only)	\??\N:	ssh-agent.exe
File opened (read-only)	\??\Z:	ssh-agent.exe
File opened (read-only)	\??\H:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\K:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\O:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\S:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\T:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\Z:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\G:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\M:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\P:	ssh-agent.exe
File opened (read-only)	\??\R:	ssh-agent.exe
File opened (read-only)	\??\T:	ssh-agent.exe
File opened (read-only)	\??\P:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\I:	ssh-agent.exe
File opened (read-only)	\??\V:	ssh-agent.exe
File opened (read-only)	\??\E:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\L:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\W:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\F:	ssh-agent.exe
File opened (read-only)	\??\K:	ssh-agent.exe
File opened (read-only)	\??\M:	ssh-agent.exe
File opened (read-only)	\??\O:	ssh-agent.exe
File opened (read-only)	\??\Q:	ssh-agent.exe
File opened (read-only)	\??\I:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\V:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\W:	ssh-agent.exe
File opened (read-only)	\??\S:	ssh-agent.exe
File opened (read-only)	\??\U:	ssh-agent.exe
File opened (read-only)	\??\Y:	ssh-agent.exe
File opened (read-only)	\??\Y:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\E:	ssh-agent.exe
File opened (read-only)	\??\X:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\J:	ssh-agent.exe
File opened (read-only)	\??\L:	ssh-agent.exe
File opened (read-only)	\??\F:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\J:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe

Drops file in System32 directory 64 IoCs

Processes:

2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exessh-agent.exe

description	ioc	process
File opened for modification	\??\c:\windows\system32\Appvclient.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\system32\mcnomhio.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\locator.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\system32\openssh\eekclogo.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\system32\ellngnma.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\system32\blbafhog.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\SysWOW64\cboamqlm.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\locator.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\system32\hbnpqdle.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\kdobpmdc.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\alg.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\system32\gjpimijp.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\system32\alg.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\system32\vds.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe

Drops file in Program Files directory 64 IoCs

Processes:

2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exessh-agent.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\dklkkafp.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\gakpqfhp.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\ckibimnp.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Internet Explorer\jmhqcaam.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\ijlomoif.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\gdaoemja.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\7-Zip\nklemblo.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\nnknaeep.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	ssh-agent.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\onakajab.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\7-Zip\afaqkaok.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\nimidobm.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	ssh-agent.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	ssh-agent.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	ssh-agent.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\gmoggjie.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\eqeeoonh.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\kelcgfhi.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Google\Chrome\Application\cpkcoelj.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	ssh-agent.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	ssh-agent.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\odadaonc.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	ssh-agent.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\emdpmifb.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\program files\windows media player\kcfelqce.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\jiianoje.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\knqknjlo.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Internet Explorer\onnmbqjl.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\akaajeom.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	ssh-agent.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	ssh-agent.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\kdbcaljo.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	ssh-agent.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\iibndipn.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\eqiodbdg.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\klonohhl.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ssh-agent.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	ssh-agent.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Internet Explorer\aglddoil.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe

Drops file in Windows directory 6 IoCs

Processes:

2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exessh-agent.exeTrustedInstaller.exe

description	ioc	process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	ssh-agent.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	ssh-agent.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

ssh-agent.exe

pid	process
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe
1812	ssh-agent.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exessh-agent.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4428	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
Token: SeTakeOwnershipPrivilege	1812	ssh-agent.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe

pid	process
4428	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
4428	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ssh-agent.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	ssh-agent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	ssh-agent.exe

C:\Users\Admin\AppData\Local\Temp\2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
"C:\Users\Admin\AppData\Local\Temp\2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4428

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1224

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4788

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1352

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1812

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
efd6418312d769924d4d5797a18214eb

SHA1
af5c108263fd68b2de2a515d147fc382a641bb48

SHA256
0c408ea9dd03596f2e99b90d140957c69b3162cf5ecc4f9ca268be6fcad91abd

SHA512
cf47cf74c17dbceb778e11cb9466cdb4c2da169334add29543ce50dd14d9de5bdd5c6fd84a355a3bee2242dacae2c39fa22bb3e24d3ddc05bc6a9498eda4f59a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
788KB

MD5
cef07f53fba893d430a19c4bc0509402

SHA1
fe3fa29de64b47c0efe346ce896e787c8d640491

SHA256
ba7b09a93078cb4970c6a318d4571b1568626bebfe542bad396eb4e3b04a972e

SHA512
1a453178500a9efc1266fcf589b05e49bdad8e7c394c116d7e3bb36e0a5142d40eadf32b894afa1bd7ed6206d0350babde717766f16286ecf5b1fe39b07503bd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1014KB

MD5
332165c7ccd66111a18a29387b8dbdbe

SHA1
5e1a207ceff65782e0ed1b39c2840bfd68ff47f7

SHA256
199cf84cd2a029a9d0612855b61d48d1abe16931de3f4e45c1fb4c79317fba8d

SHA512
7a33633472426f7f23e5889adb5ebb42132ae71c0fd39238fdaae638f2b0c09d10673657fb3aa746ac7e31d1a60a8849076d1e90585d2908ba35e86f957282af

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
e848378751b3a36581408a54f7d75733

SHA1
2d2dfdb322ae7634a2e4d527500ac5613b4dd032

SHA256
8edfe0358e23fe40f04d3928a079d138b9397042aeb14a04bc75c48376a41bdf

SHA512
6d646063183402d469813a697dd11b54caa29025345c72404a46c24b4606e8856c902adbed64bbe99a9d88535f0fc9d2310b9f272710e6677ea4590ba509ea44

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
9d0874ad165db2722f03e16acaf19fbd

SHA1
c0a7ed13a4953c3467ec1389ea50e3f6300f9d30

SHA256
e088c2ce1bbc5f7444dbbe2826944c9e7d443148217463728340b6bef69437b7

SHA512
26e3fedd27f8d44a6f01670fc19f7745b6d10d38b293072e44dc86ccb8d43a38261763fa0c222dac12605f61e9e981c86c4016db533f5bda4498bda5e4caa493

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
571KB

MD5
3c516ce1700cf3bd3de6901573214111

SHA1
0a8bc4aef91ddc6d21376dc48219f6f7ca9e276b

SHA256
9b78e74c20975435f5eddc8f93d78a89ecf6e0eb4ba1133e899839dffc44a60c

SHA512
98f9a994f934cf6a9cf3fb92e1ab11ba9854acd8dde12525ce30682e713ed0aabcd864013b3b475c9d601c7fbb303903608ddcfb9db0b45d57c0301ee91be10b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
832KB

MD5
e1a761a7d07f9d9fe72a97942ecae78a

SHA1
94cefeaa4f6271305cf2036661ddf4036663e0ad

SHA256
521aededa387180e49af73d27b6e259a53db44fd4bed970033e6d0b4b8b55645

SHA512
dfa4d1f5ffd74a678ee83c7cc7f7ceea9b60113d7a7b3a7ec6bab68ff50d16dda1a8466dfb603212ae5c7ddcba70921f359789f6eaa3b34383245e9eed3ee6f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b2e03cee41b762c15cc25d3d9c5b355f

SHA1
f6198e7ab2e236d9b47a16321d2ec0f86b2b3cef

SHA256
ce07bff1af6583b8fdca7c92c1407ec7b22de7e428656d629bbba14e6962cc27

SHA512
5dec6260f23ebd4c297bb2559d7c5a1bae57b436af7c703f8d02600e8d89e32c3ed747859018e8eb512639f402db086a244804520b7be57b71a4c8d2fbbbbe9e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
898KB

MD5
74392ad4ebd2165f4b1c979ae808641b

SHA1
1fe5fa1f837d5c6d9e051fdb4f4cdddc1e953b67

SHA256
c17f47ad208c41667e75d84fc5945b1b3bf8d88b60264b565a78cb8fd674e479

SHA512
5575f58c91ac5b1ef9e0b85a89dd80d05f6f731e22adf10e08bacef52c13852e9a5021933c3ba52929e7e18c1ed33d83cafb04495218d594ad03dd781fb593d1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c9726706d73d1b3b0af760a61aed648c

SHA1
b341c5bb4c407b5807de1d0ff584c14dce363b62

SHA256
72c4e9f5e0d1b75d94eedadbc70aee9f9ea6d4be1e01b6dc9d28d42a796bf0bc

SHA512
fb9a95384b7efe505befd334a495e3b9925218c0a32f9ac5fd06db723424aaaa8334d2a954c37ecdf9340ce8eb0384bbca1e12150cca047f56919ffb56349c51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
518a4a1f51e9ad639a8fee8391e3b233

SHA1
1b56f66f6635fd93dd7b5748ed8d30dde72c31c4

SHA256
a3f135e2ebda20ce47c2e319167c6705ccaea71d0e28354de977d72211f8230a

SHA512
a0e7a2a76bbd9c2b79ba2cd4ee2700f38398c3e8a60242833e13bbc6e90b7306c19672a352f1c5ef8d4af1f3c3bd0b686e9b5d1df8f5559c67e09864cc27e703

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
797KB

MD5
12470e4c4e7bc6c621bc7221b621527b

SHA1
dca5a2be716b675835795e303861dc1d22167df7

SHA256
df85269b416352d14d785a39cb35b2f51f26b54edb61068c5990ef83700ea22e

SHA512
ff94325f05c4f807ce382701ce501059ffe6baa369c3352d869cec18f9b025d3e616cd027ddb84de80cb93d539bc5ebc4ca79fa46ce0127f0036a42139d65b75

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
6f4a8ce4ad98b4058a1ff680bdfabaa5

SHA1
97f49f01d30fa3801e378e14179375dfbb5d7782

SHA256
70eea1cb35f71d0e8214a24fa57f4c467aab8474b26fd9401c2e35a709450f4e

SHA512
bef4449f7bde1b220585a2b938c251d4a9132ff3f2a515a17194a7c476609c13435a34fcd59bd75ba7a29ccc56fe1a5c4e1a9c27c213973af40c1b11f17da0f0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
932KB

MD5
74bdd5b84c33c974f2088e83ddbf0c49

SHA1
0ca200b98d2b7cf407440870ee4167b7a1890043

SHA256
12a7d2f67966eaeae23f97d4a53ee308348780eba7f8979e68054f59fda99931

SHA512
ba7d505105969afa85b4888654b863405a1ae0d8326b58c6700ca60bf36ded7fad213b68614debbe5eb6013661de02e7f064d01c1d605521f36993c0488fafea

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
932KB

MD5
74bdd5b84c33c974f2088e83ddbf0c49

SHA1
0ca200b98d2b7cf407440870ee4167b7a1890043

SHA256
12a7d2f67966eaeae23f97d4a53ee308348780eba7f8979e68054f59fda99931

SHA512
ba7d505105969afa85b4888654b863405a1ae0d8326b58c6700ca60bf36ded7fad213b68614debbe5eb6013661de02e7f064d01c1d605521f36993c0488fafea

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
50f748e0a941f566c9dde61b1d952876

SHA1
36bba52cfc1c5a6973618c4bcd1980040bdc7044

SHA256
c07adf7375fcbabd471d9fcee7e9dde3deb99864fbc986f47509a0521e8b96d3

SHA512
c24acf520c5a8fe1db80e22b329c8eee89381fd305b87beb21e99feeecd390c0e2843720bcd87b966c0ea6ce10b82351ae202b207c6c86fa773864fbe4ff864b

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
788KB

MD5
cef07f53fba893d430a19c4bc0509402

SHA1
fe3fa29de64b47c0efe346ce896e787c8d640491

SHA256
ba7b09a93078cb4970c6a318d4571b1568626bebfe542bad396eb4e3b04a972e

SHA512
1a453178500a9efc1266fcf589b05e49bdad8e7c394c116d7e3bb36e0a5142d40eadf32b894afa1bd7ed6206d0350babde717766f16286ecf5b1fe39b07503bd

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
1.5MB

MD5
11078eb6e22d5905c9b8b8566a9a8582

SHA1
edb1dadd4991622c71ffec4b57912fef75460526

SHA256
3cf2ffa21f873ed7c57b281facb996b9eb7c810b93605801f997b7be7b107268

SHA512
1640e26caa0b11fde30bb77c150f382682cf38c37cffd7f3e6945a04176821219f29b78033dcb5d6388f74eb5d4d55b3e6126da3a578087bbddf88c4929ea22b

Download Submit
\??\c:\windows\system32\Agentservice.exe

Filesize
1.7MB

MD5
6f5d008b33d7e90f4978dcf3bf5e3406

SHA1
188a9a069737ac3c69d59f233357428d8ff09023

SHA256
d5f6017306ed0cbebb6e85720b70f1dbec22438030d6488a4a5a383de6844b3b

SHA512
56616c365ff35899c68db714a0a9ccbe62ccf82a2184573279e4db7fa3e720ca4a782a73e21a58fd0ace9ea1602f3f0b971707fb9acae7748e15c18966fbfe83

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.3MB

MD5
b353d69652d0b1a2505e6237d8bd5575

SHA1
d4ab747a7d004aadda36043420240f5cad2729b6

SHA256
9c16e472f6a8069444cae0481b78c883b50f3d104296a24a7178bdb646e7cd0c

SHA512
433811f848a38ab5690b7cc5ff7fe60171cf912c6167ed9a44fb22691a413ae46fac46f2b142a4190610f91a838e31fd4e285e22b422eaaff33896ecfeea1195

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
b447addbf8f299020c3d01bfcbc8adcb

SHA1
1485df3869ecbf44adaae904c02216c549002586

SHA256
bd236cdc1a21b59bdb58d0bd0088dedf3e84022ba5a68e7c595b7cd594dcd94c

SHA512
e98107201a9fe39c05da9208f29d94ff151d32930b702cbe8673f19810bf58b3ffd3fed18cd1178efe73f0628d8ca5a06741488ccae1f24e4731b45e1b45189a

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
700KB

MD5
78cfe334bdbd054c289dd670eaa20c95

SHA1
6c71142e968fa0e48c654f5f49bb4d975a29a08b

SHA256
5320d70d3a008a704649382bb753fa2f0de2f01deb754e152d50940d5d6f295b

SHA512
a422dd78880ced9d293a6b7b2376b1fc8c9c77b30c17d4a0867d906e752c8f0bd7fe6648dd13c4b4576410df958abb1f2a36cb28e94b8483d6a9fc9fbe864b88

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
623KB

MD5
bd76ee5c6d993a3904ef7e6a7ae6d136

SHA1
216ec5c3e840082635c7533db6419f32bd114149

SHA256
f5b507c63f6dcb759b85e5932f2098a34a41c277ada3a86ccb0900cea1728a82

SHA512
e08e58e25f9f678c4982d812fc6f9f8a8b8813c3a1108253a0100c013dd9992afb3ee0d546b6326f4ed03f85f72d44302fca5a00dfa21c69e72232b308f834c3

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
572KB

MD5
3b0001cc865b8cfbb45d1cfa2ff22e4a

SHA1
6abd07b6fe77835f4ad824978f8c0b989aac9a81

SHA256
11b1896dbba86da19f856d2cdcad4c4045f40c33375fe7ad243d5bf9fdec8d37

SHA512
0c68cb052486b60eed6513eb2fab79e3400022e1e06fd5270cf5221919d1b531d29006cc73cf60277e22c95d8ba660a2a983f83c57f4193861b748cd26bb90dd

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.1MB

MD5
60c82528d807d7acfb3fbe1f42d8aa46

SHA1
494ee2dee536e66cadf630b68744b90a390ed726

SHA256
a47fbe67e738853fe3cb0dff1329b96844dffc79f6b8b1b008eb515d04a06113

SHA512
50bd22042a7e8f962518b061e55ac8edd7f8a568de7d4048ed912cd8984a1d9a22f36aa78ae38697808cc094a036fd7475a78dd9bb4c739d9818ff3692e52594

Download Submit
memory/1224-139-0x0000000140000000-0x000000014040F000-memory.dmp

Filesize
4.1MB

Download
memory/1224-146-0x0000000140000000-0x000000014040F000-memory.dmp

Filesize
4.1MB

Download
memory/1352-148-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/1352-141-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/1812-144-0x0000000140000000-0x00000001402E6000-memory.dmp

Filesize
2.9MB

Download
memory/1812-157-0x0000000140000000-0x00000001402E6000-memory.dmp

Filesize
2.9MB

Download
memory/4192-145-0x0000000140000000-0x00000001403F2000-memory.dmp

Filesize
3.9MB

Download
memory/4192-137-0x0000000140000000-0x00000001403F2000-memory.dmp

Filesize
3.9MB

Download
memory/4428-132-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/4428-133-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/4788-138-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download