asyncrat | 9bf84c84913c184dd681aba7e537b4f07aa016787249059a7de076d594776b87

Analysis

max time kernel
63s
max time network
90s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18/03/2025, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Swift_Message_Notification_MTC-U27635728_03-2025.exe
Size

1.9MB
MD5

d18a7c52ddb2548776af2ffecd92862f
SHA1

eeac7cf04fa8da67dde3046fe4aa5edc4d6e49da
SHA256

4d693b4dd287f3aba462951d56f00aac4432794d3b489dfa93ffd17dbf40edc3
SHA512

db1155d3c373f8c4b93712b218e2500d7da835a557220261f605c90926e2674668415cbe2ff89621b94771a7a9adc71bdbb86d44aba34a7576e734e0c982b2a1
SSDEEP

49152:TR0c++OCvkGs9FaktzIuPkpYeDmg27RnWGj:1B3vkJ9HIuPYzD527BWG

Score

10^/10

asyncrat redline venomrat xworm default success discovery execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

success

204.10.161.147:7082

Extracted

Family

xworm

Version

5.0

204.10.161.147:7081

Mutex

XoFHv1TT4hWErxRo

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

204.10.161.147:4955

Mutex

kngiyjiutrymnhbuzit

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000500000001975a-266.dat	family_xworm
behavioral1/memory/1784-278-0x0000000000870000-0x0000000000880000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019643-240.dat	family_redline
behavioral1/memory/1504-259-0x0000000000910000-0x0000000000962000-memory.dmp	family_redline

Redline family
redline

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/1784-2042-0x0000000002110000-0x0000000002128000-memory.dmp	VenomRAT

Venomrat family
venomrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1784-2042-0x0000000002110000-0x0000000002128000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2148	powershell.exe
2240	powershell.exe
1772	powershell.exe
1732	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brontothere.vbs	brontothere.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsFixedSize.vbs	XClient.exe

Executes dropped EXE 38 IoCs

pid	Process
464	Process not Found
2752	alg.exe
2620	brontothere.exe
2372	aspnet_state.exe
428	mscorsvw.exe
2320	mscorsvw.exe
1968	elevation_service.exe
1868	brontothere.exe
1572	GROOVE.EXE
1944	maintenanceservice.exe
1328	OSE.EXE
1688	mscorsvw.exe
2404	mscorsvw.exe
1504	build.exe
1784	XClient.exe
1648	mscorsvw.exe
2224	mscorsvw.exe
2024	mscorsvw.exe
1292	mscorsvw.exe
1012	mscorsvw.exe
2220	mscorsvw.exe
772	mscorsvw.exe
2380	mscorsvw.exe
1664	mscorsvw.exe
796	mscorsvw.exe
1488	mscorsvw.exe
2556	mscorsvw.exe
1648	mscorsvw.exe
1148	mscorsvw.exe
2292	mscorsvw.exe
2800	mscorsvw.exe
2604	mscorsvw.exe
2124	mscorsvw.exe
3060	mscorsvw.exe
892	mscorsvw.exe
460	mscorsvw.exe
2052	mscorsvw.exe
3012	mscorsvw.exe

Loads dropped DLL 8 IoCs

pid	Process
2092	Swift_Message_Notification_MTC-U27635728_03-2025.exe
464	Process not Found
1616	RegSvcs.exe
1616	RegSvcs.exe
1504	build.exe
1504	build.exe
1504	build.exe
1504	build.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2092-0-0x0000000000400000-0x00000000005F1000-memory.dmp	autoit_exe
behavioral1/files/0x00060000000186bb-34.dat	autoit_exe
behavioral1/memory/2092-40-0x0000000000400000-0x00000000005F1000-memory.dmp	autoit_exe
behavioral1/memory/2620-107-0x0000000000400000-0x00000000005F1000-memory.dmp	autoit_exe
behavioral1/memory/1868-116-0x0000000000400000-0x00000000005F1000-memory.dmp	autoit_exe
behavioral1/memory/1868-154-0x0000000000400000-0x00000000005F1000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	Swift_Message_Notification_MTC-U27635728_03-2025.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\260b8e325f6c6349.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1868 set thread context of 1616	1868	brontothere.exe	40

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C3A4D3BC-D67A-4D2A-B0ED-B4E62D27E02C}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Swift_Message_Notification_MTC-U27635728_03-2025.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brontothere.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brontothere.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Swift_Message_Notification_MTC-U27635728_03-2025.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2240	powershell.exe
1772	powershell.exe
1732	powershell.exe
2148	powershell.exe
1784	XClient.exe
1504	build.exe
1784	XClient.exe
1784	XClient.exe
1784	XClient.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2620	brontothere.exe
1868	brontothere.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2092	Swift_Message_Notification_MTC-U27635728_03-2025.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeDebugPrivilege	1616	RegSvcs.exe
Token: SeDebugPrivilege	1784	XClient.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeShutdownPrivilege	428	mscorsvw.exe
Token: SeShutdownPrivilege	2320	mscorsvw.exe
Token: SeDebugPrivilege	2752	alg.exe
Token: SeDebugPrivilege	1504	build.exe
Token: SeDebugPrivilege	1784	XClient.exe
Token: SeDebugPrivilege	1784	XClient.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2092	Swift_Message_Notification_MTC-U27635728_03-2025.exe
2092	Swift_Message_Notification_MTC-U27635728_03-2025.exe
2620	brontothere.exe
2620	brontothere.exe
1868	brontothere.exe
1868	brontothere.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2092	Swift_Message_Notification_MTC-U27635728_03-2025.exe
2092	Swift_Message_Notification_MTC-U27635728_03-2025.exe
2620	brontothere.exe
2620	brontothere.exe
1868	brontothere.exe
1868	brontothere.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1784	XClient.exe
1784	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2620	2092	Swift_Message_Notification_MTC-U27635728_03-2025.exe	31
PID 2092 wrote to memory of 2620	2092	Swift_Message_Notification_MTC-U27635728_03-2025.exe	31
PID 2092 wrote to memory of 2620	2092	Swift_Message_Notification_MTC-U27635728_03-2025.exe	31
PID 2092 wrote to memory of 2620	2092	Swift_Message_Notification_MTC-U27635728_03-2025.exe	31
PID 2620 wrote to memory of 948	2620	brontothere.exe	35
PID 2620 wrote to memory of 948	2620	brontothere.exe	35
PID 2620 wrote to memory of 948	2620	brontothere.exe	35
PID 2620 wrote to memory of 948	2620	brontothere.exe	35
PID 2620 wrote to memory of 948	2620	brontothere.exe	35
PID 2620 wrote to memory of 948	2620	brontothere.exe	35
PID 2620 wrote to memory of 948	2620	brontothere.exe	35
PID 2620 wrote to memory of 1868	2620	brontothere.exe	37
PID 2620 wrote to memory of 1868	2620	brontothere.exe	37
PID 2620 wrote to memory of 1868	2620	brontothere.exe	37
PID 2620 wrote to memory of 1868	2620	brontothere.exe	37
PID 1868 wrote to memory of 1616	1868	brontothere.exe	40
PID 1868 wrote to memory of 1616	1868	brontothere.exe	40
PID 1868 wrote to memory of 1616	1868	brontothere.exe	40
PID 1868 wrote to memory of 1616	1868	brontothere.exe	40
PID 1868 wrote to memory of 1616	1868	brontothere.exe	40
PID 1868 wrote to memory of 1616	1868	brontothere.exe	40
PID 1868 wrote to memory of 1616	1868	brontothere.exe	40
PID 1868 wrote to memory of 1616	1868	brontothere.exe	40
PID 428 wrote to memory of 1688	428	mscorsvw.exe	42
PID 428 wrote to memory of 1688	428	mscorsvw.exe	42
PID 428 wrote to memory of 1688	428	mscorsvw.exe	42
PID 428 wrote to memory of 1688	428	mscorsvw.exe	42
PID 428 wrote to memory of 2404	428	mscorsvw.exe	44
PID 428 wrote to memory of 2404	428	mscorsvw.exe	44
PID 428 wrote to memory of 2404	428	mscorsvw.exe	44
PID 428 wrote to memory of 2404	428	mscorsvw.exe	44
PID 1616 wrote to memory of 1504	1616	RegSvcs.exe	43
PID 1616 wrote to memory of 1504	1616	RegSvcs.exe	43
PID 1616 wrote to memory of 1504	1616	RegSvcs.exe	43
PID 1616 wrote to memory of 1504	1616	RegSvcs.exe	43
PID 1616 wrote to memory of 1784	1616	RegSvcs.exe	45
PID 1616 wrote to memory of 1784	1616	RegSvcs.exe	45
PID 1616 wrote to memory of 1784	1616	RegSvcs.exe	45
PID 1616 wrote to memory of 1784	1616	RegSvcs.exe	45
PID 428 wrote to memory of 1648	428	mscorsvw.exe	60
PID 428 wrote to memory of 1648	428	mscorsvw.exe	60
PID 428 wrote to memory of 1648	428	mscorsvw.exe	60
PID 428 wrote to memory of 1648	428	mscorsvw.exe	60
PID 428 wrote to memory of 2224	428	mscorsvw.exe	47
PID 428 wrote to memory of 2224	428	mscorsvw.exe	47
PID 428 wrote to memory of 2224	428	mscorsvw.exe	47
PID 428 wrote to memory of 2224	428	mscorsvw.exe	47
PID 428 wrote to memory of 2024	428	mscorsvw.exe	48
PID 428 wrote to memory of 2024	428	mscorsvw.exe	48
PID 428 wrote to memory of 2024	428	mscorsvw.exe	48
PID 428 wrote to memory of 2024	428	mscorsvw.exe	48
PID 428 wrote to memory of 1292	428	mscorsvw.exe	49
PID 428 wrote to memory of 1292	428	mscorsvw.exe	49
PID 428 wrote to memory of 1292	428	mscorsvw.exe	49
PID 428 wrote to memory of 1292	428	mscorsvw.exe	49
PID 428 wrote to memory of 1012	428	mscorsvw.exe	50
PID 428 wrote to memory of 1012	428	mscorsvw.exe	50
PID 428 wrote to memory of 1012	428	mscorsvw.exe	50
PID 428 wrote to memory of 1012	428	mscorsvw.exe	50
PID 428 wrote to memory of 2220	428	mscorsvw.exe	51
PID 428 wrote to memory of 2220	428	mscorsvw.exe	51
PID 428 wrote to memory of 2220	428	mscorsvw.exe	51
PID 428 wrote to memory of 2220	428	mscorsvw.exe	51
PID 428 wrote to memory of 772	428	mscorsvw.exe	52

C:\Users\Admin\AppData\Local\Temp\Swift_Message_Notification_MTC-U27635728_03-2025.exe
"C:\Users\Admin\AppData\Local\Temp\Swift_Message_Notification_MTC-U27635728_03-2025.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\starbowlines\brontothere.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift_Message_Notification_MTC-U27635728_03-2025.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift_Message_Notification_MTC-U27635728_03-2025.exe"
    3⤵
    PID:948
- - C:\Users\Admin\AppData\Local\starbowlines\brontothere.exe
    "C:\Users\Admin\AppData\Local\starbowlines\brontothere.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\starbowlines\brontothere.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1784
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1784 -s 1560
        6⤵
        
        PID:5488

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 1d8 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 270 -NGENProcess 1e8 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1d4 -NGENProcess 1e0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 24c -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 1e0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 254 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 270 -NGENProcess 1e0 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1e0 -NGENProcess 260 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 274 -NGENProcess 280 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 288 -NGENProcess 278 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1e0 -NGENProcess 290 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 284 -NGENProcess 278 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 28c -NGENProcess 298 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 288 -NGENProcess 29c -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 2a0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 260 -NGENProcess 2a4 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 298 -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 284 -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:3012

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1968

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1572

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1944

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2032665795787735806161897277819740215511067366051660049073-1669738984-1676055487"
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.2MB

MD5
7ba5ec87e0a4083e8d3cc63162c4cf8b

SHA1
9235775015c674e9a24fc18db52e766250c1d2db

SHA256
810aaeb78525d563a98cebf19f425ae495d76c6fc6916ad5c378ecf58db3e94a

SHA512
0d1b6a2bf6dc39d82ebf288b19d2122a0b27b0569c0c4edfd67ec205a26dbb4303a180ea13fd6e814e0ad8af51d58a555c7efc00affb9fe11398523e2fc439c2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
8dc79601819932bca4f052690db72730

SHA1
f4523e71876afb77fe65812d18a85809a16144d6

SHA256
61bb763fc236b4eb025dc0bb4fc95e41447ed776f58834e275b12db8ee0aeb09

SHA512
37dcf7f4d57a47c93433b2272a875095dd1594583613c6bb3a2a065ec4699802cf017688b4062c4e612646358a74e5bdc1db754aca9f1b7ed1a33c88da7ef038

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
9b756340aed3d53d7b896ffa2d53be87

SHA1
ebe3b0fdeee405e54e7b5364a32338cb6b228ee4

SHA256
83380f0b7e0fcc7e0be7e4e8b35796347be6c62350f33cd48eb333a0d63e2fe5

SHA512
d5805a0a19361b92ec2faf058daf3b50bfb84a7b991e1455f5b65c8f6d36627346fd5e5ea36163df4375d368eb238cd6d04e8ded99db75ef53b33b81504486c4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5d78ea3fe7cbb22b88c94abab97aab81

SHA1
dc755005e3bdafe8f68032d71a0416dd7bb16923

SHA256
23854082a02c54457dbc5e193709d1221e9c69c35636337327e3cafc02c05309

SHA512
af1bf44a60e76cadb1c5b53648590f205cc77c0471ac396c43dc2f36afd827b622e98c27e5eb2a1f50583649b507f44a0511f4e2a42ac2772474df4ddc299f51

Download Submit
C:\Program Files\Mozilla Firefox\firefox.exe

Filesize
1.2MB

MD5
ba9e31931d148480926950b7b278a208

SHA1
9cea5cab7318eefb7ea290535e4537bab68ebb3f

SHA256
7206adb629cad4ee1a48a615e9f1dd6dad06cbd3474909cccd7210e9988aba3f

SHA512
f641eaee82196f9bbce3cc71f0a2ea7727addf4212aa5860b436831859b3ab4820967332a36369fdacf564d1994317e1409e493d70b5b09868a2d29b51ee9b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
37KB

MD5
f298510c3c663fe4ee5dfb82ea0f6e7e

SHA1
9a47a552e16c2e5b965c7c481cfc85618f35cc4a

SHA256
58018602d0ad31538a4c4926ec8b79cd9c4951bf0f1b4aafd07a785ac13d55be

SHA512
b3d8d1501e61ab1f98b0e03194542725dbe25292a803cc440c9b24f75cd4357e55e6e15f4a9cf8831d0b0219cddd135f9c9f5f59e165e0f5c9ac6f962e636a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\resharpen

Filesize
510KB

MD5
7724d3a48629ccc218c6e2a559a425ff

SHA1
84829f1f0fd6c12c3139fa320d8f9cde019e594b

SHA256
3eed99bf613db905a4848e17986c00a4d15a211015d0ad59a9f74cba191ad9f1

SHA512
585aaee51a4404edc022ecb8ce97399c76306fdc9fbd3102579f6fc92596c5d6f319b85a57c33e83d04f58528147789d3794450ba74e2e5af1da18ffa52db7cb

Download Submit
C:\Users\Admin\AppData\Roaming\260b8e325f6c6349.bin

Filesize
12KB

MD5
0e67f030f8574766b5aedca6fe3b232b

SHA1
7d5742c449ce596a150ac1aa264ca5088dcccc57

SHA256
9cb0920f6bf0864bdbedbc44d634738c5c77b872e42804b8cfaf0599863ff5d8

SHA512
4683ab19edd53e26d8294ffe9e33927fdaa22cac3bd26e1652c3d80e22d92d893a4f00337ff13300a0e50c0da9732eecc90ff2864c06a151cfd8c2f6f82b0f00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d0c2cf77832d01a97477bf169e46036e

SHA1
1f7b3f5b1b02c9719ead76082db3da52c781ede0

SHA256
56a02ebf94389cee82b53a80c4f8f6db03d994f72ea3f1355af774102e4f0220

SHA512
e8da633ed8d9c2062f17472362c1912c13218ddcda10b5914df275c1942b217ee197edcfa55546104c4ae3097448ebfa4853fbe076e15aa479b2e4de47ec2507

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
cbab93401371fd8577187c2dc495f89f

SHA1
12b87247d1b03e2bc4e05966833b939f56a82b9b

SHA256
3678282b5ccf6d502002687a48770ba6a67c0208a009428ebd4016989dbaca4c

SHA512
24734d68135b5feb989b18431f4ac759c39ac0a90775d504a0fec60d7d10addac4f67298fdc5c048cca773b7572b438c2879072bb7e15deee0fb20949945b412

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.2MB

MD5
9186943442b507ec7dd399da56e8416b

SHA1
22707da8066efc6c5355bf19c3f7ba59a1e63392

SHA256
2dc773cbb9242973f9683b4196be07504cfc85cd919faf64f68b9458ff14d4eb

SHA512
314a9152221aaa8fd8f75ec3b46bdc62930255b831f2ca422070e0417ee16d28236c1bc1c373548324edfe579859f5215f77706f0a76efb79cb0802c6aab5c55

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe

Filesize
300KB

MD5
209b15fade618af5831e6e2528a4fedc

SHA1
2efc49db01f3df2c1cd0a528c75e466a9478b698

SHA256
f07a706c0554ed9363bd396dd49f788a0df232caf0af01161d831a12b95d964d

SHA512
3431efa0cfe6c2262ed07a9fe084567d9548e586efcfa752e0cec455e07f8a3e6b3acacacef77317881a0682358cf92d37abad80730560c33cb1e2d564afa8be

Download Submit
\Users\Admin\AppData\Local\starbowlines\brontothere.exe

Filesize
1.9MB

MD5
d18a7c52ddb2548776af2ffecd92862f

SHA1
eeac7cf04fa8da67dde3046fe4aa5edc4d6e49da

SHA256
4d693b4dd287f3aba462951d56f00aac4432794d3b489dfa93ffd17dbf40edc3

SHA512
db1155d3c373f8c4b93712b218e2500d7da835a557220261f605c90926e2674668415cbe2ff89621b94771a7a9adc71bdbb86d44aba34a7576e734e0c982b2a1

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.1MB

MD5
b1684731150cba7709abb6757992500e

SHA1
9f5471db84aec9a799b730afcf498adc71469f18

SHA256
d515f816365afef40a20db545e04db722a48739bd71e3555b110c4e4a9ee29ac

SHA512
24f157301a7ce01c806779649a2de71cc34a4832969029a18fc6a0fb8d226cfcf7d0a3fe43d06a47bcdd3ce37b1b1519f613535417d93fe9decc17ecfc597818

Download Submit
\Windows\System32\alg.exe

Filesize
1.2MB

MD5
312cd67df826114a6f1e1d239cadd758

SHA1
7ea5131edc94a007804ffc89ce32cb1941c5e4fc

SHA256
7f796ea55f6ec7899fc57b48f76f2dce7e7e243cfde6eba3391b5561ab835db5

SHA512
ea8b044ab23c18fe2dc0a162259714390cbc5273335b057039321663a3883a55774abe549ff4183989d80b6053cee24b39f88b71dafb893b60b874a6bebf0592

Download Submit
memory/428-56-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/428-57-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/428-62-0x0000000000360000-0x00000000003C7000-memory.dmp

Filesize
412KB

Download
memory/428-180-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/460-665-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/460-646-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/772-420-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/772-416-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/796-488-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/892-649-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1012-384-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1012-373-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1148-567-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1292-374-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1328-156-0x000000002E000000-0x000000002E13B000-memory.dmp

Filesize
1.2MB

Download
memory/1328-323-0x000000002E000000-0x000000002E13B000-memory.dmp

Filesize
1.2MB

Download
memory/1488-500-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1488-485-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1504-690-0x0000000005BA0000-0x0000000005CD7000-memory.dmp

Filesize
1.2MB

Download
memory/1504-697-0x00000000058A0000-0x00000000059D7000-memory.dmp

Filesize
1.2MB

Download
memory/1504-685-0x00000000058A0000-0x00000000059D7000-memory.dmp

Filesize
1.2MB

Download
memory/1504-691-0x0000000005BA0000-0x0000000005CD7000-memory.dmp

Filesize
1.2MB

Download
memory/1504-700-0x0000000005BA0000-0x0000000005CD7000-memory.dmp

Filesize
1.2MB

Download
memory/1504-259-0x0000000000910000-0x0000000000962000-memory.dmp

Filesize
328KB

Download
memory/1504-686-0x00000000058A0000-0x00000000059D7000-memory.dmp

Filesize
1.2MB

Download
memory/1504-698-0x00000000058A0000-0x00000000059D7000-memory.dmp

Filesize
1.2MB

Download
memory/1504-699-0x0000000005BA0000-0x0000000005CD7000-memory.dmp

Filesize
1.2MB

Download
memory/1572-123-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/1572-134-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1572-270-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1572-118-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/1616-170-0x0000000000E10000-0x0000000000E7C000-memory.dmp

Filesize
432KB

Download
memory/1616-181-0x0000000000F20000-0x0000000000F8A000-memory.dmp

Filesize
424KB

Download
memory/1648-524-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1648-336-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1648-292-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1648-534-0x0000000001A70000-0x0000000001B2A000-memory.dmp

Filesize
744KB

Download
memory/1648-538-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1664-453-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1664-448-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1688-195-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1688-275-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1732-585-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/1732-584-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/1772-540-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/1772-547-0x0000000001D30000-0x0000000001D38000-memory.dmp

Filesize
32KB

Download
memory/1784-702-0x000000001CFF0000-0x000000001D104000-memory.dmp

Filesize
1.1MB

Download
memory/1784-2040-0x000000001B7D0000-0x000000001B83A000-memory.dmp

Filesize
424KB

Download
memory/1784-701-0x000000001CDB0000-0x000000001CEC8000-memory.dmp

Filesize
1.1MB

Download
memory/1784-2044-0x000000001B670000-0x000000001B6C4000-memory.dmp

Filesize
336KB

Download
memory/1784-2042-0x0000000002110000-0x0000000002128000-memory.dmp

Filesize
96KB

Download
memory/1784-2039-0x000000001B3B0000-0x000000001B41C000-memory.dmp

Filesize
432KB

Download
memory/1784-2041-0x00000000021C0000-0x000000000220C000-memory.dmp

Filesize
304KB

Download
memory/1784-278-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/1868-154-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1868-108-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/1868-116-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1868-114-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/1944-148-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1944-136-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/1944-144-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1968-94-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1968-228-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1968-100-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1968-102-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2024-353-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2024-341-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2052-678-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2052-662-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2092-0-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2092-40-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2092-30-0x0000000000A20000-0x0000000000E20000-memory.dmp

Filesize
4.0MB

Download
memory/2092-1-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2092-8-0x0000000000380000-0x00000000003E7000-memory.dmp

Filesize
412KB

Download
memory/2124-624-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2220-417-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2224-342-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2240-493-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2240-492-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download
memory/2292-564-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2292-583-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2320-79-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2320-85-0x00000000001F0000-0x0000000000250000-memory.dmp

Filesize
384KB

Download
memory/2320-78-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2320-192-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2372-44-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/2372-173-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/2380-449-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2404-297-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2404-272-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2556-528-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2604-613-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2620-107-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2620-45-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2620-50-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2620-51-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/2752-29-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2752-20-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2752-28-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/2752-113-0x0000000100000000-0x000000010012A000-memory.dmp

Filesize
1.2MB

Download
memory/2800-596-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3012-667-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3012-681-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3060-635-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download