agenttesla | 17e830b83777a992e960ef8c25d2df1c22f52dcd393d99a2307ad2c2377f2db8

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ_PO_BQG7983972_ORDER_DETAILS.scr
Size

3.4MB
MD5

af498abc4ddaa9750675a9a60038b973
SHA1

e67ad73234839334ed89f8615e5786739a0a340d
SHA256

17e830b83777a992e960ef8c25d2df1c22f52dcd393d99a2307ad2c2377f2db8
SHA512

a27f0fcb79cc3d195c381d25bce1c4544c4f961e41dc59c2e54e4eef1fb6b13db82d9a6a67b6d049d40b5127b773b072ba49c8e093d6828b1b22364b116b13e9
SSDEEP

98304:7trbTA1dfGgdxRj86BjvE0uroNpuTRdyf7p:hc1d+gdxlVTED6uTryfN

Score

10^/10

agenttesla redline foz credential_access discovery execution infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759
Email To:
[email protected]

Extracted

Family

redline

Botnet

FOZ

212.162.149.53:2049

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000001754e-33.dat	family_redline
behavioral1/memory/2832-57-0x0000000000360000-0x00000000003B2000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2312	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk	server_BTC.exe

Executes dropped EXE 38 IoCs

pid	Process
744	server_BTC.exe
2588	neworigin.exe
2832	build.exe
460	Process not Found
2612	alg.exe
428	aspnet_state.exe
1512	mscorsvw.exe
2900	mscorsvw.exe
2792	elevation_service.exe
324	GROOVE.EXE
1852	maintenanceservice.exe
1424	TrojanAIbot.exe
1736	OSE.EXE
2188	mscorsvw.exe
2592	mscorsvw.exe
2968	mscorsvw.exe
1128	mscorsvw.exe
848	mscorsvw.exe
2316	mscorsvw.exe
920	mscorsvw.exe
2840	mscorsvw.exe
2452	mscorsvw.exe
2964	mscorsvw.exe
2864	mscorsvw.exe
2928	mscorsvw.exe
2256	mscorsvw.exe
2008	mscorsvw.exe
1908	mscorsvw.exe
1556	mscorsvw.exe
1680	mscorsvw.exe
2872	mscorsvw.exe
2840	mscorsvw.exe
1624	mscorsvw.exe
1596	mscorsvw.exe
2928	mscorsvw.exe
2256	mscorsvw.exe
2172	mscorsvw.exe
2668	mscorsvw.exe

Loads dropped DLL 10 IoCs

pid	Process
2808	svchost.exe
2808	svchost.exe
2808	svchost.exe
460	Process not Found
744	server_BTC.exe
744	server_BTC.exe
2832	build.exe
2832	build.exe
2832	build.exe
2832	build.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	api.ipify.org
24	api.ipify.org

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\da7870c6f1301b95.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 2808	2708	RFQ_PO_BQG7983972_ORDER_DETAILS.scr	30

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrojanAIbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RFQ_PO_BQG7983972_ORDER_DETAILS.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server_BTC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neworigin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2488	timeout.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1380	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1424	TrojanAIbot.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2588	neworigin.exe
2588	neworigin.exe
2312	powershell.exe
2832	build.exe
2832	build.exe
2832	build.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2708	RFQ_PO_BQG7983972_ORDER_DETAILS.scr

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2808	svchost.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeDebugPrivilege	2588	neworigin.exe
Token: SeDebugPrivilege	744	server_BTC.exe
Token: SeDebugPrivilege	1424	TrojanAIbot.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeDebugPrivilege	2832	build.exe
Token: SeDebugPrivilege	2612	alg.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe
Token: SeDebugPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	1512	mscorsvw.exe
Token: SeShutdownPrivilege	2900	mscorsvw.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2708	RFQ_PO_BQG7983972_ORDER_DETAILS.scr
2708	RFQ_PO_BQG7983972_ORDER_DETAILS.scr

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2708	RFQ_PO_BQG7983972_ORDER_DETAILS.scr
2708	RFQ_PO_BQG7983972_ORDER_DETAILS.scr

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2588	neworigin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2808	2708	RFQ_PO_BQG7983972_ORDER_DETAILS.scr	30
PID 2708 wrote to memory of 2808	2708	RFQ_PO_BQG7983972_ORDER_DETAILS.scr	30
PID 2708 wrote to memory of 2808	2708	RFQ_PO_BQG7983972_ORDER_DETAILS.scr	30
PID 2708 wrote to memory of 2808	2708	RFQ_PO_BQG7983972_ORDER_DETAILS.scr	30
PID 2708 wrote to memory of 2808	2708	RFQ_PO_BQG7983972_ORDER_DETAILS.scr	30
PID 2808 wrote to memory of 744	2808	svchost.exe	31
PID 2808 wrote to memory of 744	2808	svchost.exe	31
PID 2808 wrote to memory of 744	2808	svchost.exe	31
PID 2808 wrote to memory of 744	2808	svchost.exe	31
PID 2808 wrote to memory of 2588	2808	svchost.exe	32
PID 2808 wrote to memory of 2588	2808	svchost.exe	32
PID 2808 wrote to memory of 2588	2808	svchost.exe	32
PID 2808 wrote to memory of 2588	2808	svchost.exe	32
PID 2808 wrote to memory of 2832	2808	svchost.exe	33
PID 2808 wrote to memory of 2832	2808	svchost.exe	33
PID 2808 wrote to memory of 2832	2808	svchost.exe	33
PID 2808 wrote to memory of 2832	2808	svchost.exe	33
PID 744 wrote to memory of 2312	744	server_BTC.exe	41
PID 744 wrote to memory of 2312	744	server_BTC.exe	41
PID 744 wrote to memory of 2312	744	server_BTC.exe	41
PID 744 wrote to memory of 2312	744	server_BTC.exe	41
PID 744 wrote to memory of 1380	744	server_BTC.exe	42
PID 744 wrote to memory of 1380	744	server_BTC.exe	42
PID 744 wrote to memory of 1380	744	server_BTC.exe	42
PID 744 wrote to memory of 1380	744	server_BTC.exe	42
PID 744 wrote to memory of 1424	744	server_BTC.exe	46
PID 744 wrote to memory of 1424	744	server_BTC.exe	46
PID 744 wrote to memory of 1424	744	server_BTC.exe	46
PID 744 wrote to memory of 1424	744	server_BTC.exe	46
PID 744 wrote to memory of 2452	744	server_BTC.exe	59
PID 744 wrote to memory of 2452	744	server_BTC.exe	59
PID 744 wrote to memory of 2452	744	server_BTC.exe	59
PID 744 wrote to memory of 2452	744	server_BTC.exe	59
PID 2452 wrote to memory of 2488	2452	cmd.exe	50
PID 2452 wrote to memory of 2488	2452	cmd.exe	50
PID 2452 wrote to memory of 2488	2452	cmd.exe	50
PID 2452 wrote to memory of 2488	2452	cmd.exe	50
PID 1512 wrote to memory of 2188	1512	mscorsvw.exe	51
PID 1512 wrote to memory of 2188	1512	mscorsvw.exe	51
PID 1512 wrote to memory of 2188	1512	mscorsvw.exe	51
PID 1512 wrote to memory of 2188	1512	mscorsvw.exe	51
PID 1512 wrote to memory of 2592	1512	mscorsvw.exe	52
PID 1512 wrote to memory of 2592	1512	mscorsvw.exe	52
PID 1512 wrote to memory of 2592	1512	mscorsvw.exe	52
PID 1512 wrote to memory of 2592	1512	mscorsvw.exe	52
PID 1512 wrote to memory of 2968	1512	mscorsvw.exe	53
PID 1512 wrote to memory of 2968	1512	mscorsvw.exe	53
PID 1512 wrote to memory of 2968	1512	mscorsvw.exe	53
PID 1512 wrote to memory of 2968	1512	mscorsvw.exe	53
PID 1512 wrote to memory of 1128	1512	mscorsvw.exe	54
PID 1512 wrote to memory of 1128	1512	mscorsvw.exe	54
PID 1512 wrote to memory of 1128	1512	mscorsvw.exe	54
PID 1512 wrote to memory of 1128	1512	mscorsvw.exe	54
PID 1512 wrote to memory of 848	1512	mscorsvw.exe	55
PID 1512 wrote to memory of 848	1512	mscorsvw.exe	55
PID 1512 wrote to memory of 848	1512	mscorsvw.exe	55
PID 1512 wrote to memory of 848	1512	mscorsvw.exe	55
PID 1512 wrote to memory of 2316	1512	mscorsvw.exe	56
PID 1512 wrote to memory of 2316	1512	mscorsvw.exe	56
PID 1512 wrote to memory of 2316	1512	mscorsvw.exe	56
PID 1512 wrote to memory of 2316	1512	mscorsvw.exe	56
PID 1512 wrote to memory of 920	1512	mscorsvw.exe	57
PID 1512 wrote to memory of 920	1512	mscorsvw.exe	57
PID 1512 wrote to memory of 920	1512	mscorsvw.exe	57

C:\Users\Admin\AppData\Local\Temp\RFQ_PO_BQG7983972_ORDER_DETAILS.scr
"C:\Users\Admin\AppData\Local\Temp\RFQ_PO_BQG7983972_ORDER_DETAILS.scr" /S
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ_PO_BQG7983972_ORDER_DETAILS.scr" /S
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\server_BTC.exe
    "C:\Users\Admin\AppData\Local\Temp\server_BTC.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2312
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 13:23 /du 23:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1380
  - - C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
      "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      PID:1424
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4F68.tmp.cmd""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 6
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2488
- - C:\Users\Admin\AppData\Local\Temp\neworigin.exe
    "C:\Users\Admin\AppData\Local\Temp\neworigin.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2588
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2832

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 258 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 240 -NGENProcess 238 -Pipe 1ec -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 260 -NGENProcess 24c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 26c -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 254 -NGENProcess 264 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 278 -NGENProcess 268 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 24c -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1d4 -NGENProcess 248 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 260 -NGENProcess 254 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 284 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 268 -NGENProcess 27c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1d4 -NGENProcess 284 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 290 -NGENProcess 260 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 298 -NGENProcess 290 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 280 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 264 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 29c -NGENProcess 298 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 260 -NGENProcess 264 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 284 -NGENProcess 2a8 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2668

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2792

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:324

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1852

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
1.2MB

MD5
7c8c63df8ba8d3e57f04cb56e1ec0ec6

SHA1
5cc3dd2751c1ecbecc723d46cd70f273f2fa1b8a

SHA256
939228e9d9b229ea971777d1b825a7f32fa28ff19e19c04ba6fea835af0ab244

SHA512
3602aedbd73e233dbdc97e3b4442746d72738d541dec126b018c06b1e4cff7514336f5252abdfd2fd90cacac63a5d683c39316447b275f5b334e08bcd4ff87ef

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
9a01644471c7963aa1bbcf596f8dc7a3

SHA1
788155f0e9981abaf81893834fee1dec1ade966a

SHA256
32ce9a468da281984125055eeedc141f803c079c996ff42bbe45a7107a3bf618

SHA512
e9781a62664d24bb54d7b2f793960a17915b2d504bc20d7a76e2f23e821c0e371a809224a39a65ce22a29ae4792077d418a26e47fe98e612599c762f03aeeb09

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
1.3MB

MD5
90ec70899fb34fc67e9abeeaba9e7242

SHA1
b97f85ae603179db85b505d2e0c1ac51f36febc5

SHA256
a025583ee982be055ced35aa86e3e5a493b9d39304b19f187fef9f95580a6ea6

SHA512
4fced63cf440e80396f25abf7c189bfaab2d86d99e1ae5503f61709e00ff3788d3805b85278040a1ea96f65e5bf8368a31487d58aeccc97df9fad56397a96127

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
1.6MB

MD5
1f72671dacd1b4453d813c3681329ffd

SHA1
6d6d7584d1fb6f143581f97bd124c615665c8f79

SHA256
dce980d9ef5569a548695c42ef18eb1c42a713e8fa9eeff5fbf3d598f66df49c

SHA512
48d68da0896260049a8a4d9f3507e9aa6ca519ef219bb8d312bfaf89ba96a86c93069dabbac698171b9c5bd3a06e9c72463afaba12170bf85c48ae2356426846

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.2MB

MD5
70bd248333bdf69273f859355298121f

SHA1
1f14446f25da2d9e3a2ae2e3912c336ecea44164

SHA256
5e9cf08cc81c84d98302f6c0a25c7ddf3f022fd6db6888a738811aa98d9f164c

SHA512
3574e1f97fc577b4da291daffcd3f85c777fae0c3cc3e7bf767a5db5b3366f80100dc527a63dbf39b79fe4e7eaff2da72f84dcf00143da40c1c0c4e1c8dc7b8d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
a68b10cbe3551b1178710a7a7c8cf79e

SHA1
0e208204c1ea1c3fbbeb00e70b565961a03decad

SHA256
4dbd5e0a8266e18a8a1971a9f09fef8882fc1ee97998999f9104279db2a6690b

SHA512
ad63e0ea02a4b680155dae0b40e2b46d520100a452b6b97254f1dc2c15cf9ca674101d6ebfff922ca8c27761bdd1b3b16664bf44d36649abeef9b6bc49d079d6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
768e9c445af9c344112106e0d73baf1c

SHA1
266f62226d8786d4158d15988f87faaf87e75e78

SHA256
3cd198cb6ca5883ccc590b6e6209d3c1e7f4442f371c02670aa79e520d9f9c03

SHA512
5f5f702d8f23aa761d41c1d4e5959d14dbd8ac04c4ad7babbfc6e33d8d80aa84dbe0612efb68ccb1cd7b24908833da3ef2fcd123f7b79ef4ac6d55a98bee671b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
022173644282d90b38b21b4eb635bb58

SHA1
75efdad88af5506b66cdc6be3d4dfa91df8b9632

SHA256
3e312228147b1b75a1d77703407af428f67afe032f3214ea35efcd4282515746

SHA512
25b6f80e640c4600e25535ca7e21df775f89b97338735c74e8720a128b302f643544a3de906d80df3b1e74055e361d34da8a0b687ced56120b78d6a5fe3d7d2b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b262456ebf84caa3b5ac0171cb1c05d3

SHA1
56359df7ab350993185adfb0ddbeb5c0b120f6bc

SHA256
c1c87f649c172c1d9047f44df2d2d9ad34be323e4a425215fbf0f98b48f8c780

SHA512
0d169e66ffa6f662f77045e8573d1ce9e0a7f66231ffeda836720632dd1788fc170b16103c832481209d70b1cb473c744070c7106c0c22b199e206243480917f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f92c01898e88cf84fa82f5dbc257addc

SHA1
5b1872691fc44e35ed56d503d0a9dd1a50e22d66

SHA256
c5751d7912aa6231d23e15ce1b96962d5723ae0472d2fcdfb46709e107526b46

SHA512
263d074c534bb1b93de16465ca1212bce3cfebadac84269b77d7e267a23cf2b171d73251d84dcb5ad415d1c6e13f5d3936227200d4adc9719098bdfe72afd4e4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
ba99ce8c807dd651477720ef63b6a2e2

SHA1
b7f80984faef2cc87db776897420c77f2bba96a4

SHA256
5ad9f6b82fb49c5ef0f7ac1bd7c5ebf959fb86ba71fd5dd18e455699c5ccc006

SHA512
9b84ad9112264326a116aaf91387a3e6caf0b632a87a6d39a8296e214811702f0bae5ce578bb9d2e485e5fd17114d52dd2f3fb6af4a894d19cf811ca8a28e53c

Download Submit
C:\Program Files\Mozilla Firefox\firefox.exe

Filesize
1.2MB

MD5
95bc2ae684af48372af15c82f80699ff

SHA1
9253a5ca8f72a6583226b9810b7dad68c33b87cb

SHA256
bcc826c734a5e6ba470b7cbc76319a60e74bb9f701c8b6908c2eca2e57c86448

SHA512
f3364f7d97b2ddcec1325f593fa09ad56931d387fc4092f6cd23e2f7731015f55a5a906ceb52cb930b1e2006d4e986ef60344f556c3090c643ce24ac1a33d598

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F68.tmp.cmd

Filesize
162B

MD5
5dbad18de9c6534d8d7815e7bb385a32

SHA1
4130f958c4afff333b5958b4fe6924639716aea3

SHA256
ead41762933d0994e0fc5803f6b909fef6ca8846c0331237d214ca87bed55ed9

SHA512
69c710ea9e3a9e6f9b900cd3a1217eb9136523f5254e24da61b16036111bc09439bcf7f1bf17acef1e753f02aef8b8c69e6c86e66c1e218e3a081e755ebf6735

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
1f5b023212ad68901b11c4a93a77573b

SHA1
baa05a83a72eca924f581fb90336878bd1edce81

SHA256
a3b4e6a38f88e61fb99d77761f2b61b88d53d3c3f9b5726dc080e40f9f6f069b

SHA512
c505637500be1a6f098bd125790a5b52a4478acc6f3174aed56b90fed30acd432995a8314a55533794d7f8f88dbc4753244d5b3e10ef5055be3e6efba4e82caf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
a4204d6d4d3e164ebd6b5a9fa2b3e72d

SHA1
fe1dad803beaf5fe97d459488685060fe258d25f

SHA256
b5c5059f0c558a3114636bf72f3cf1609aee0c82deedaf303a3c91a15ec6acf1

SHA512
dccb4941c432f2740adf0608ad2101b1277b266320da4d583fb90131095a005019243a62fd1d33a7ded8c3bdf2784d3815c27acac2d2a01fd8cefab818327163

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe

Filesize
300KB

MD5
3b6501feef6196f24163313a9f27dbfd

SHA1
20d60478d3c161c3cacb870aac06be1b43719228

SHA256
0576191c50a1b6afbcaa5cb0512df5b6a8b9bef9739e5308f8e2e965bf9b0fc5

SHA512
338e2c450a0b1c5dfea3cd3662051ce231a53388bc2a6097347f14d3a59257ce3734d934db1992676882b5f4f6a102c7e15b142434575b8970658b4833d23676

Download Submit
\Users\Admin\AppData\Local\Temp\neworigin.exe

Filesize
244KB

MD5
d6a4cf0966d24c1ea836ba9a899751e5

SHA1
392d68c000137b8039155df6bb331d643909e7e7

SHA256
dc441006cb45c2cfac6c521f6cd4c16860615d21081563bd9e368de6f7e8ab6b

SHA512
9fa7aa65b4a0414596d8fd3e7d75a09740a5a6c3db8262f00cb66cd4c8b43d17658c42179422ae0127913deb854db7ed02621d0eeb8ddff1fac221a8e0d1ca35

Download Submit
\Users\Admin\AppData\Local\Temp\server_BTC.exe

Filesize
226KB

MD5
50d015016f20da0905fd5b37d7834823

SHA1
6c39c84acf3616a12ae179715a3369c4e3543541

SHA256
36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5

SHA512
55f639006a137732b2fa0527cd1be24b58f5df387ce6aa6b8dd47d1419566f87c95fc1a6b99383e8bd0bcba06cc39ad7b32556496e46d7220c6a7b6d8390f7fc

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
88983c6a4f989fd063848029453b4348

SHA1
0b694817a6833714f55237293d6aaeadf23259b8

SHA256
ddd1c168dd8d1918497a84e6f3e00c554e1536d5d8556ad015e3e6ab61ac0386

SHA512
df673a5ce295c2086016b5c6a98b2c76ab63dde99e609a6530fbf949311b4970ec75784097e58ec1cf349018e52718ceb55545957a6f17d9e68fa7be561486ea

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
fe4c98519e295d01d9d5217bc2fdb243

SHA1
5fec6ecd8469007f24de200c76cb2dd7d6197333

SHA256
b4ed5a20cc20d93577b1f1c2a67863971b3ff7957de647d4732b9a884df5927b

SHA512
445195cd009e8b7c7b6c64877373306edccf24b2e22f003493c2abdb1fd27892b00d754d9bf15f8b149b1389d0c1a1c0bbb6b5367bcd24a35c8b1b972482d27e

Download Submit
memory/324-106-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/324-101-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/324-110-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/324-278-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/428-172-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/428-55-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/744-58-0x0000000000960000-0x000000000099E000-memory.dmp

Filesize
248KB

Download
memory/848-318-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/848-294-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/920-361-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1128-291-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1128-304-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1424-136-0x0000000000FF0000-0x000000000102E000-memory.dmp

Filesize
248KB

Download
memory/1512-61-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/1512-67-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/1512-66-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1512-181-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1556-473-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1556-488-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1596-570-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1624-550-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1624-542-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1680-512-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1736-150-0x000000002E000000-0x000000002E13B000-memory.dmp

Filesize
1.2MB

Download
memory/1736-290-0x000000002E000000-0x000000002E13B000-memory.dmp

Filesize
1.2MB

Download
memory/1852-125-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1852-124-0x0000000001000000-0x0000000001060000-memory.dmp

Filesize
384KB

Download
memory/1852-121-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1852-113-0x0000000001000000-0x0000000001060000-memory.dmp

Filesize
384KB

Download
memory/1852-119-0x0000000001000000-0x0000000001060000-memory.dmp

Filesize
384KB

Download
memory/1908-462-0x0000000003CF0000-0x0000000003DAA000-memory.dmp

Filesize
744KB

Download
memory/1908-478-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2008-442-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2008-433-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2172-612-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2188-189-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2188-249-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2256-579-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2256-589-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2256-437-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2316-317-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2316-331-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2452-384-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2588-56-0x00000000011A0000-0x00000000011E4000-memory.dmp

Filesize
272KB

Download
memory/2592-266-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2592-246-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2612-42-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2612-48-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/2612-165-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/2612-50-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/2668-615-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2708-2-0x0000000004300000-0x0000000004B00000-memory.dmp

Filesize
8.0MB

Download
memory/2792-243-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2792-98-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2792-90-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2792-96-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2808-5-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2808-6-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2808-15-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2808-3-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2808-14-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2832-453-0x00000000057E0000-0x0000000005917000-memory.dmp

Filesize
1.2MB

Download
memory/2832-57-0x0000000000360000-0x00000000003B2000-memory.dmp

Filesize
328KB

Download
memory/2832-621-0x0000000006950000-0x0000000006A87000-memory.dmp

Filesize
1.2MB

Download
memory/2832-622-0x0000000006950000-0x0000000006A87000-memory.dmp

Filesize
1.2MB

Download
memory/2832-452-0x00000000057E0000-0x0000000005917000-memory.dmp

Filesize
1.2MB

Download
memory/2832-600-0x00000000057E0000-0x0000000005917000-memory.dmp

Filesize
1.2MB

Download
memory/2832-599-0x00000000057E0000-0x0000000005917000-memory.dmp

Filesize
1.2MB

Download
memory/2840-373-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2840-359-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2840-544-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2864-409-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2872-507-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2872-517-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2900-75-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2900-76-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2900-225-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2900-82-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2928-567-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2928-418-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2928-582-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2964-395-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2968-292-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2968-279-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download