3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 17:32 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
Size

1.8MB
MD5

081eb50889093f0b10a83844e01560be
SHA1

4f34f297f81bc3b2ce80d8dcb1a2e734a2348588
SHA256

3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536
SHA512

dec5f0fa50a68727742679ea38ff355438c28f3847dd2829cc1b56a3246564f452f7e5c19ff570f78e842190fc35f3b6dc8a5020d339bb105291928e435c4c0f
SSDEEP

49152:Jx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA3B5LG83QtHHI/QW/e:JvbjVkjjCAzJYB5f3QhHMQW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1200	alg.exe
4012	DiagnosticsHub.StandardCollector.Service.exe
3088	fxssvc.exe
3336	elevation_service.exe
3744	elevation_service.exe
2576	maintenanceservice.exe
2276	msdtc.exe
1916	OSE.EXE
4324	PerceptionSimulationService.exe
3524	perfhost.exe
232	locator.exe
3584	SensorDataService.exe
2372	snmptrap.exe
4740	spectrum.exe
4124	ssh-agent.exe
3900	TieringEngineService.exe
2176	AgentService.exe
1440	vds.exe
3224	vssvc.exe
4388	wbengine.exe
1384	WmiApSrv.exe
3708	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5f18329366ec4f27.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\System32\vds.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\locator.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\goopdateres_pl.dll	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\goopdateres_is.dll	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\goopdateres_es-419.dll	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\GoogleUpdateSetup.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\goopdateres_am.dll	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\goopdateres_bn.dll	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\goopdateres_kn.dll	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4EBC.tmp\GoogleUpdateSetup.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76234\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3fddbd94651da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c26bc7d84651da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002b713d94651da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbde1ad94651da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059a8a3d84651da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b7b18d94651da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ebc97d84651da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000aaeecd94651da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011b8f4d84651da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4012	DiagnosticsHub.StandardCollector.Service.exe
4012	DiagnosticsHub.StandardCollector.Service.exe
4012	DiagnosticsHub.StandardCollector.Service.exe
4012	DiagnosticsHub.StandardCollector.Service.exe
4012	DiagnosticsHub.StandardCollector.Service.exe
4012	DiagnosticsHub.StandardCollector.Service.exe
4012	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4904	3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
Token: SeAuditPrivilege	3088	fxssvc.exe
Token: SeRestorePrivilege	3900	TieringEngineService.exe
Token: SeManageVolumePrivilege	3900	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2176	AgentService.exe
Token: SeBackupPrivilege	3224	vssvc.exe
Token: SeRestorePrivilege	3224	vssvc.exe
Token: SeAuditPrivilege	3224	vssvc.exe
Token: SeBackupPrivilege	4388	wbengine.exe
Token: SeRestorePrivilege	4388	wbengine.exe
Token: SeSecurityPrivilege	4388	wbengine.exe
Token: 33	3708	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeDebugPrivilege	1200	alg.exe
Token: SeDebugPrivilege	1200	alg.exe
Token: SeDebugPrivilege	1200	alg.exe
Token: SeDebugPrivilege	4012	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 1792	3708	SearchIndexer.exe	115
PID 3708 wrote to memory of 1792	3708	SearchIndexer.exe	115
PID 3708 wrote to memory of 1636	3708	SearchIndexer.exe	116
PID 3708 wrote to memory of 1636	3708	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe
"C:\Users\Admin\AppData\Local\Temp\3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4180

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3744

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2576

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3524

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2276

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1384

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1792
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1636

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4760

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4740

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3584

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

Network

DNS

pywolwnvd.biz

alg.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A

Response

pywolwnvd.biz

IN A

34.41.229.245
DNS

pywolwnvd.biz

alg.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

179.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

179.178.17.96.in-addr.arpa

IN PTR

Response

179.178.17.96.in-addr.arpa

IN PTR

a96-17-178-179deploystaticakamaitechnologiescom
POST

http://pywolwnvd.biz/ylqylwcfhb

3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe

Remote address:

34.41.229.245:80

Request

POST /ylqylwcfhb HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 936

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:32:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=fc9a059ccc7bf33ba8fae6d513dbb782|89.149.23.59|1706376764|1706376764|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
POST

http://pywolwnvd.biz/ylqylwcfhb

alg.exe

Remote address:

34.41.229.245:80

Request

POST /ylqylwcfhb HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:32:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=d98f2c200665e074d6baa958fa669636|89.149.23.59|1706376767|1706376767|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR

Response
DNS

81.171.91.138.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.171.91.138.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

245.229.41.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

245.229.41.34.in-addr.arpa

IN PTR

Response

245.229.41.34.in-addr.arpa

IN PTR

2452294134bcgoogleusercontentcom
DNS

ssbzmoy.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ssbzmoy.biz

IN A

Response

ssbzmoy.biz

IN A

34.128.82.12
POST

http://ssbzmoy.biz/wb

3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe

Remote address:

34.128.82.12:80

Request

POST /wb HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 936

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:32:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=207a666e5bacf818f111046dc3c01877|89.149.23.59|1706376765|1706376765|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

12.82.128.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

12.82.128.34.in-addr.arpa

IN PTR

Response

12.82.128.34.in-addr.arpa

IN PTR

128212834bcgoogleusercontentcom
DNS

cvgrf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

cvgrf.biz

IN A

Response

cvgrf.biz

IN A

104.198.2.251
POST

http://cvgrf.biz/atk

3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe

Remote address:

104.198.2.251:80

Request

POST /atk HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: cvgrf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 936

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:32:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=eb505718f06dc3b7062cc4db9fff4136|89.149.23.59|1706376766|1706376766|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

npukfztj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A

Response

npukfztj.biz

IN A

34.174.61.199
DNS

251.2.198.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

251.2.198.104.in-addr.arpa

IN PTR

Response

251.2.198.104.in-addr.arpa

IN PTR

2512198104bcgoogleusercontentcom
POST

http://npukfztj.biz/cofrlxvdvasoq

3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe

Remote address:

34.174.61.199:80

Request

POST /cofrlxvdvasoq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: npukfztj.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 936

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:32:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=eb4e536f653d012751672e6a71889c07|89.149.23.59|1706376767|1706376767|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

przvgke.biz

alg.exe

Remote address:

8.8.8.8:53

Request

przvgke.biz

IN A

Response

przvgke.biz

IN CNAME

77980.bodis.com

77980.bodis.com

IN A

199.59.243.225
DNS

ssbzmoy.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ssbzmoy.biz

IN A

Response

ssbzmoy.biz

IN A

34.128.82.12
POST

http://ssbzmoy.biz/xexuyyuaparw

alg.exe

Remote address:

34.128.82.12:80

Request

POST /xexuyyuaparw HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:32:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=cfe72de21f55831dedb39ae0acbea005|89.149.23.59|1706376768|1706376768|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

199.61.174.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

199.61.174.34.in-addr.arpa

IN PTR

Response

199.61.174.34.in-addr.arpa

IN PTR

1996117434bcgoogleusercontentcom
DNS

cvgrf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

cvgrf.biz

IN A

Response

cvgrf.biz

IN A

104.198.2.251
POST

http://cvgrf.biz/cyk

alg.exe

Remote address:

104.198.2.251:80

Request

POST /cyk HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: cvgrf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:32:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=dcb3bc1c123b46baf5c0c1061f657ed6|89.149.23.59|1706376768|1706376768|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

npukfztj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A

Response

npukfztj.biz

IN A

34.174.61.199
POST

http://npukfztj.biz/qmghobsfgkpghs

alg.exe

Remote address:

34.174.61.199:80

Request

POST /qmghobsfgkpghs HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: npukfztj.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:32:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=3452ad7d0c48084ceeb669888807fba1|89.149.23.59|1706376769|1706376769|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

przvgke.biz

alg.exe

Remote address:

8.8.8.8:53

Request

przvgke.biz

IN A

Response

przvgke.biz

IN CNAME

77980.bodis.com

77980.bodis.com

IN A

199.59.243.225
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

178.223.142.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.223.142.52.in-addr.arpa

IN PTR

Response
DNS

zlenh.biz

alg.exe

Remote address:

8.8.8.8:53

Request

zlenh.biz

IN A

Response
DNS

knjghuig.biz

alg.exe

Remote address:

8.8.8.8:53

Request

knjghuig.biz

IN A

Response

knjghuig.biz

IN A

34.128.82.12
POST

http://knjghuig.biz/rk

alg.exe

Remote address:

34.128.82.12:80

Request

POST /rk HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: knjghuig.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:33:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=4e4783b364a240aa2d3b7c9bb25c167d|89.149.23.59|1706376812|1706376812|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

uhxqin.biz

alg.exe

Remote address:

8.8.8.8:53

Request

uhxqin.biz

IN A

Response
DNS

anpmnmxo.biz

alg.exe

Remote address:

8.8.8.8:53

Request

anpmnmxo.biz

IN A

Response
DNS

lpuegx.biz

alg.exe

Remote address:

8.8.8.8:53

Request

lpuegx.biz

IN A

Response

lpuegx.biz

IN A

82.112.184.197
DNS

193.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

193.178.17.96.in-addr.arpa

IN PTR

Response

193.178.17.96.in-addr.arpa

IN PTR

a96-17-178-193deploystaticakamaitechnologiescom
DNS

193.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

193.178.17.96.in-addr.arpa

IN PTR

Response

193.178.17.96.in-addr.arpa

IN PTR

a96-17-178-193deploystaticakamaitechnologiescom
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

vjaxhpbji.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vjaxhpbji.biz

IN A

Response

vjaxhpbji.biz

IN A

82.112.184.197
DNS

vjaxhpbji.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vjaxhpbji.biz

IN A

Response

vjaxhpbji.biz

IN A

82.112.184.197
DNS

xlfhhhm.biz

alg.exe

Remote address:

8.8.8.8:53

Request

xlfhhhm.biz

IN A

Response

xlfhhhm.biz

IN A

34.29.71.138
DNS

xlfhhhm.biz

alg.exe

Remote address:

8.8.8.8:53

Request

xlfhhhm.biz

IN A

Response
POST

http://xlfhhhm.biz/kitclkmx

alg.exe

Remote address:

34.29.71.138:80

Request

POST /kitclkmx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: xlfhhhm.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:34:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=4afed9d0aed7feef11813d81ef70a50b|89.149.23.59|1706376897|1706376897|0|1|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

ifsaia.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ifsaia.biz

IN A

Response

ifsaia.biz

IN A

34.143.166.163
DNS

ifsaia.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ifsaia.biz

IN A

Response
POST

http://ifsaia.biz/rv

alg.exe

Remote address:

34.143.166.163:80

Request

POST /rv HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ifsaia.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:34:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=9eed6a3d9bfae661c513d86f7fa1b972|89.149.23.59|1706376898|1706376898|0|1|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

138.71.29.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.71.29.34.in-addr.arpa

IN PTR

Response

138.71.29.34.in-addr.arpa

IN PTR

138712934bcgoogleusercontentcom
DNS

138.71.29.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.71.29.34.in-addr.arpa

IN PTR

Response

138.71.29.34.in-addr.arpa

IN PTR

138712934bcgoogleusercontentcom
DNS

saytjshyf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

saytjshyf.biz

IN A

Response

saytjshyf.biz

IN A

34.67.9.172
DNS

saytjshyf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

saytjshyf.biz

IN A

Response
POST

http://saytjshyf.biz/rlkjblwvsqyi

alg.exe

Remote address:

34.67.9.172:80

Request

POST /rlkjblwvsqyi HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: saytjshyf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:34:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=7751bbb3cc64d14dd4276d3f3d50c1a6|89.149.23.59|1706376898|1706376898|0|1|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

vcddkls.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vcddkls.biz

IN A

Response

vcddkls.biz

IN A

34.128.82.12
DNS

vcddkls.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vcddkls.biz

IN A

Response

vcddkls.biz

IN A

34.128.82.12
POST

http://vcddkls.biz/psatgonhn

alg.exe

Remote address:

34.128.82.12:80

Request

POST /psatgonhn HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vcddkls.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:34:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=7a266bc3c27e99fc58d27ac6a5833bab|89.149.23.59|1706376899|1706376899|0|1|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

163.166.143.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

163.166.143.34.in-addr.arpa

IN PTR

Response

163.166.143.34.in-addr.arpa

IN PTR

16316614334bcgoogleusercontentcom
DNS

163.166.143.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

163.166.143.34.in-addr.arpa

IN PTR

Response

163.166.143.34.in-addr.arpa

IN PTR

16316614334bcgoogleusercontentcom
DNS

fwiwk.biz

alg.exe

Remote address:

8.8.8.8:53

Request

fwiwk.biz

IN A

Response

fwiwk.biz

IN A

67.225.218.6
DNS

fwiwk.biz

alg.exe

Remote address:

8.8.8.8:53

Request

fwiwk.biz

IN A

Response

fwiwk.biz

IN A

67.225.218.6
POST

http://fwiwk.biz/m

alg.exe

Remote address:

67.225.218.6:80

Request

POST /m HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: fwiwk.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782
DNS

172.9.67.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.9.67.34.in-addr.arpa

IN PTR

Response

172.9.67.34.in-addr.arpa

IN PTR

17296734bcgoogleusercontentcom
DNS

172.9.67.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.9.67.34.in-addr.arpa

IN PTR

Response

172.9.67.34.in-addr.arpa

IN PTR

17296734bcgoogleusercontentcom
POST

http://fwiwk.biz/jjdccwe

alg.exe

Remote address:

67.225.218.6:80

Request

POST /jjdccwe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: fwiwk.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782
DNS

tbjrpv.biz

alg.exe

Remote address:

8.8.8.8:53

Request

tbjrpv.biz

IN A

Response

tbjrpv.biz

IN A

34.91.32.224
DNS

tbjrpv.biz

alg.exe

Remote address:

8.8.8.8:53

Request

tbjrpv.biz

IN A

Response

tbjrpv.biz

IN A

34.91.32.224
POST

http://tbjrpv.biz/rlhdrx

alg.exe

Remote address:

34.91.32.224:80

Request

POST /rlhdrx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: tbjrpv.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:35:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=5dabc6a74fe649db3327c0c43ee6cfc1|89.149.23.59|1706376900|1706376900|0|1|0; path=/; domain=.tbjrpv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

deoci.biz

alg.exe

Remote address:

8.8.8.8:53

Request

deoci.biz

IN A

Response

deoci.biz

IN A

34.174.78.212
DNS

deoci.biz

alg.exe

Remote address:

8.8.8.8:53

Request

deoci.biz

IN A

Response

deoci.biz

IN A

34.174.78.212
POST

http://deoci.biz/hscb

alg.exe

Remote address:

34.174.78.212:80

Request

POST /hscb HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: deoci.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:35:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=ac2eb28f1bf84558c6e73fc1ab7ed1a1|89.149.23.59|1706376900|1706376900|0|1|0; path=/; domain=.deoci.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

6.218.225.67.in-addr.arpa

Remote address:

8.8.8.8:53

Request

6.218.225.67.in-addr.arpa

IN PTR

Response

6.218.225.67.in-addr.arpa

IN PTR

lb06 parklogiccom
DNS

6.218.225.67.in-addr.arpa

Remote address:

8.8.8.8:53

Request

6.218.225.67.in-addr.arpa

IN PTR

Response

6.218.225.67.in-addr.arpa

IN PTR

lb06 parklogiccom
DNS

224.32.91.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

224.32.91.34.in-addr.arpa

IN PTR

Response

224.32.91.34.in-addr.arpa

IN PTR

224329134bcgoogleusercontentcom
DNS

224.32.91.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

224.32.91.34.in-addr.arpa

IN PTR

Response

224.32.91.34.in-addr.arpa

IN PTR

224329134bcgoogleusercontentcom
DNS

gytujflc.biz

alg.exe

Remote address:

8.8.8.8:53

Request

gytujflc.biz

IN A

Response
DNS

gytujflc.biz

alg.exe

Remote address:

8.8.8.8:53

Request

gytujflc.biz

IN A

Response
DNS

qaynky.biz

alg.exe

Remote address:

8.8.8.8:53

Request

qaynky.biz

IN A

Response

qaynky.biz

IN A

34.143.166.163
DNS

qaynky.biz

alg.exe

Remote address:

8.8.8.8:53

Request

qaynky.biz

IN A

Response

qaynky.biz

IN A

34.143.166.163
POST

http://qaynky.biz/droemwlacai

alg.exe

Remote address:

34.143.166.163:80

Request

POST /droemwlacai HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: qaynky.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:35:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=0f9922d54018292affecbcf241313a04|89.149.23.59|1706376901|1706376901|0|1|0; path=/; domain=.qaynky.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

212.78.174.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.78.174.34.in-addr.arpa

IN PTR

Response

212.78.174.34.in-addr.arpa

IN PTR

2127817434bcgoogleusercontentcom
DNS

212.78.174.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.78.174.34.in-addr.arpa

IN PTR

Response

212.78.174.34.in-addr.arpa

IN PTR

2127817434bcgoogleusercontentcom
DNS

bumxkqgxu.biz

alg.exe

Remote address:

8.8.8.8:53

Request

bumxkqgxu.biz

IN A

Response

bumxkqgxu.biz

IN A

34.174.61.199
DNS

bumxkqgxu.biz

alg.exe

Remote address:

8.8.8.8:53

Request

bumxkqgxu.biz

IN A

Response
POST

http://bumxkqgxu.biz/nohdkeiant

alg.exe

Remote address:

34.174.61.199:80

Request

POST /nohdkeiant HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: bumxkqgxu.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 27 Jan 2024 17:35:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=3a88359ad523ce58d70fabe83176f7ee|89.149.23.59|1706376902|1706376902|0|1|0; path=/; domain=.bumxkqgxu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

dwrqljrr.biz

alg.exe

Remote address:

8.8.8.8:53

Request

dwrqljrr.biz

IN A

Response

dwrqljrr.biz

IN A

34.41.229.245
DNS

dwrqljrr.biz

alg.exe

Remote address:

8.8.8.8:53

Request

dwrqljrr.biz

IN A

Response

dwrqljrr.biz

IN A

34.41.229.245
DNS

dwrqljrr.biz

alg.exe

Remote address:

8.8.8.8:53

Request

dwrqljrr.biz

IN A

Response

dwrqljrr.biz

IN A

34.41.229.245
POST

http://dwrqljrr.biz/qqeorfjsqwbjca

alg.exe

Remote address:

34.41.229.245:80

Request

POST /qqeorfjsqwbjca HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: dwrqljrr.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

23.44.234.16:80

276 B
6
34.41.229.245:80

http://pywolwnvd.biz/ylqylwcfhb

http

3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe

2.9kB
617 B
8
5

HTTP Request

POST http://pywolwnvd.biz/ylqylwcfhb

HTTP Response

200
34.41.229.245:80

http://pywolwnvd.biz/ylqylwcfhb

http

alg.exe

1.5kB
657 B
8
6

HTTP Request

POST http://pywolwnvd.biz/ylqylwcfhb

HTTP Response

200
34.128.82.12:80

http://ssbzmoy.biz/wb

http

3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe

1.6kB
663 B
6
6

HTTP Request

POST http://ssbzmoy.biz/wb

HTTP Response

200
104.198.2.251:80

http://cvgrf.biz/atk

http

3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe

1.6kB
661 B
6
6

HTTP Request

POST http://cvgrf.biz/atk

HTTP Response

200
34.174.61.199:80

http://npukfztj.biz/cofrlxvdvasoq

http

3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe

1.6kB
656 B
6
6

HTTP Request

POST http://npukfztj.biz/cofrlxvdvasoq

HTTP Response

200
32.49.156.0:80

3134e4e72112e321b2f42db3808315436b04653126118a8754ec44e72696b536.exe

104 B
2
34.128.82.12:80

http://ssbzmoy.biz/xexuyyuaparw

http

alg.exe

1.4kB
663 B
6
6

HTTP Request

POST http://ssbzmoy.biz/xexuyyuaparw

HTTP Response

200
104.198.2.251:80

http://cvgrf.biz/cyk

http

alg.exe

1.4kB
653 B
6
6

HTTP Request

POST http://cvgrf.biz/cyk

HTTP Response

200
34.174.61.199:80

http://npukfztj.biz/qmghobsfgkpghs

http

alg.exe

1.4kB
656 B
6
6

HTTP Request

POST http://npukfztj.biz/qmghobsfgkpghs

HTTP Response

200
138.91.171.81:80

260 B
5
144.0.93.0:80

alg.exe

260 B
5
144.0.93.0:80

alg.exe

260 B
5
34.128.82.12:80

http://knjghuig.biz/rk

http

alg.exe

1.4kB
656 B
6
6

HTTP Request

POST http://knjghuig.biz/rk

HTTP Response

200
82.112.184.197:80

lpuegx.biz

alg.exe

260 B
5
82.112.184.197:80

lpuegx.biz

alg.exe

260 B
5
82.112.184.197:80

vjaxhpbji.biz

alg.exe

260 B
5
82.112.184.197:80

vjaxhpbji.biz

alg.exe

260 B
5
34.29.71.138:80

http://xlfhhhm.biz/kitclkmx

http

alg.exe

1.4kB
655 B
6
6

HTTP Request

POST http://xlfhhhm.biz/kitclkmx

HTTP Response

200
34.143.166.163:80

http://ifsaia.biz/rv

http

alg.exe

1.4kB
654 B
6
6

HTTP Request

POST http://ifsaia.biz/rv

HTTP Response

200
34.67.9.172:80

http://saytjshyf.biz/rlkjblwvsqyi

http

alg.exe

1.4kB
657 B
6
6

HTTP Request

POST http://saytjshyf.biz/rlkjblwvsqyi

HTTP Response

200
34.128.82.12:80

http://vcddkls.biz/psatgonhn

http

alg.exe

1.4kB
655 B
6
6

HTTP Request

POST http://vcddkls.biz/psatgonhn

HTTP Response

200
67.225.218.6:80

http://fwiwk.biz/m

http

alg.exe

1.4kB
252 B
6
6

HTTP Request

POST http://fwiwk.biz/m
67.225.218.6:80

http://fwiwk.biz/jjdccwe

http

alg.exe

1.3kB
172 B
4
4

HTTP Request

POST http://fwiwk.biz/jjdccwe
34.91.32.224:80

http://tbjrpv.biz/rlhdrx

http

alg.exe

1.4kB
654 B
6
6

HTTP Request

POST http://tbjrpv.biz/rlhdrx

HTTP Response

200
34.174.78.212:80

http://deoci.biz/hscb

http

alg.exe

1.4kB
653 B
6
6

HTTP Request

POST http://deoci.biz/hscb

HTTP Response

200
34.143.166.163:80

http://qaynky.biz/droemwlacai

http

alg.exe

1.4kB
654 B
6
6

HTTP Request

POST http://qaynky.biz/droemwlacai

HTTP Response

200
34.174.61.199:80

http://bumxkqgxu.biz/nohdkeiant

http

alg.exe

1.4kB
665 B
6
6

HTTP Request

POST http://bumxkqgxu.biz/nohdkeiant

HTTP Response

200
34.41.229.245:80

http://dwrqljrr.biz/qqeorfjsqwbjca

http

alg.exe

2.5kB
44 B
6
1

HTTP Request

POST http://dwrqljrr.biz/qqeorfjsqwbjca
34.94.245.237:80

alg.exe

8.8.8.8:53

pywolwnvd.biz

dns

alg.exe

118 B
134 B
2
2

DNS Request

pywolwnvd.biz

DNS Request

pywolwnvd.biz

DNS Response

34.41.229.245
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

179.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

179.178.17.96.in-addr.arpa
8.8.8.8:53

136.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

136.32.126.40.in-addr.arpa
8.8.8.8:53

81.171.91.138.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

81.171.91.138.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

245.229.41.34.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

245.229.41.34.in-addr.arpa
8.8.8.8:53

ssbzmoy.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

ssbzmoy.biz

DNS Response

34.128.82.12
8.8.8.8:53

12.82.128.34.in-addr.arpa

dns

71 B
122 B
1
1

DNS Request

12.82.128.34.in-addr.arpa
8.8.8.8:53

cvgrf.biz

dns

alg.exe

55 B
71 B
1
1

DNS Request

cvgrf.biz

DNS Response

104.198.2.251
8.8.8.8:53

npukfztj.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

npukfztj.biz

DNS Response

34.174.61.199
8.8.8.8:53

251.2.198.104.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

251.2.198.104.in-addr.arpa
8.8.8.8:53

przvgke.biz

dns

alg.exe

57 B
102 B
1
1

DNS Request

przvgke.biz

DNS Response

199.59.243.225
8.8.8.8:53

ssbzmoy.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

ssbzmoy.biz

DNS Response

34.128.82.12
8.8.8.8:53

199.61.174.34.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

199.61.174.34.in-addr.arpa
8.8.8.8:53

cvgrf.biz

dns

alg.exe

55 B
71 B
1
1

DNS Request

cvgrf.biz

DNS Response

104.198.2.251
8.8.8.8:53

npukfztj.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

npukfztj.biz

DNS Response

34.174.61.199
8.8.8.8:53

przvgke.biz

dns

alg.exe

57 B
102 B
1
1

DNS Request

przvgke.biz

DNS Response

199.59.243.225
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

178.223.142.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

178.223.142.52.in-addr.arpa
8.8.8.8:53

zlenh.biz

dns

alg.exe

55 B
117 B
1
1

DNS Request

zlenh.biz
8.8.8.8:53

knjghuig.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

knjghuig.biz

DNS Response

34.128.82.12
8.8.8.8:53

uhxqin.biz

dns

alg.exe

56 B
118 B
1
1

DNS Request

uhxqin.biz
8.8.8.8:53

anpmnmxo.biz

dns

alg.exe

58 B
120 B
1
1

DNS Request

anpmnmxo.biz
8.8.8.8:53

lpuegx.biz

dns

alg.exe

56 B
72 B
1
1

DNS Request

lpuegx.biz

DNS Response

82.112.184.197
8.8.8.8:53

193.178.17.96.in-addr.arpa

dns

144 B
274 B
2
2

DNS Request

193.178.17.96.in-addr.arpa

DNS Request

193.178.17.96.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

144 B
316 B
2
2

DNS Request

48.229.111.52.in-addr.arpa

DNS Request

48.229.111.52.in-addr.arpa
8.8.8.8:53

vjaxhpbji.biz

dns

alg.exe

118 B
150 B
2
2

DNS Request

vjaxhpbji.biz

DNS Request

vjaxhpbji.biz

DNS Response

82.112.184.197

DNS Response

82.112.184.197
8.8.8.8:53

xlfhhhm.biz

dns

alg.exe

114 B
130 B
2
2

DNS Request

xlfhhhm.biz

DNS Request

xlfhhhm.biz

DNS Response

34.29.71.138
8.8.8.8:53

ifsaia.biz

dns

alg.exe

112 B
128 B
2
2

DNS Request

ifsaia.biz

DNS Request

ifsaia.biz

DNS Response

34.143.166.163
8.8.8.8:53

138.71.29.34.in-addr.arpa

dns

142 B
244 B
2
2

DNS Request

138.71.29.34.in-addr.arpa

DNS Request

138.71.29.34.in-addr.arpa
8.8.8.8:53

saytjshyf.biz

dns

alg.exe

118 B
134 B
2
2

DNS Request

saytjshyf.biz

DNS Request

saytjshyf.biz

DNS Response

34.67.9.172
8.8.8.8:53

vcddkls.biz

dns

alg.exe

114 B
146 B
2
2

DNS Request

vcddkls.biz

DNS Request

vcddkls.biz

DNS Response

34.128.82.12

DNS Response

34.128.82.12
8.8.8.8:53

163.166.143.34.in-addr.arpa

dns

146 B
252 B
2
2

DNS Request

163.166.143.34.in-addr.arpa

DNS Request

163.166.143.34.in-addr.arpa
8.8.8.8:53

fwiwk.biz

dns

alg.exe

110 B
142 B
2
2

DNS Request

fwiwk.biz

DNS Request

fwiwk.biz

DNS Response

67.225.218.6

DNS Response

67.225.218.6
8.8.8.8:53

172.9.67.34.in-addr.arpa

dns

140 B
240 B
2
2

DNS Request

172.9.67.34.in-addr.arpa

DNS Request

172.9.67.34.in-addr.arpa
8.8.8.8:53

tbjrpv.biz

dns

alg.exe

112 B
144 B
2
2

DNS Request

tbjrpv.biz

DNS Request

tbjrpv.biz

DNS Response

34.91.32.224

DNS Response

34.91.32.224
8.8.8.8:53

deoci.biz

dns

alg.exe

110 B
142 B
2
2

DNS Request

deoci.biz

DNS Request

deoci.biz

DNS Response

34.174.78.212

DNS Response

34.174.78.212
8.8.8.8:53

6.218.225.67.in-addr.arpa

dns

142 B
206 B
2
2

DNS Request

6.218.225.67.in-addr.arpa

DNS Request

6.218.225.67.in-addr.arpa
8.8.8.8:53

224.32.91.34.in-addr.arpa

dns

142 B
244 B
2
2

DNS Request

224.32.91.34.in-addr.arpa

DNS Request

224.32.91.34.in-addr.arpa
8.8.8.8:53

gytujflc.biz

dns

alg.exe

116 B
240 B
2
2

DNS Request

gytujflc.biz

DNS Request

gytujflc.biz
8.8.8.8:53

qaynky.biz

dns

alg.exe

112 B
144 B
2
2

DNS Request

qaynky.biz

DNS Request

qaynky.biz

DNS Response

34.143.166.163

DNS Response

34.143.166.163
8.8.8.8:53

212.78.174.34.in-addr.arpa

dns

144 B
248 B
2
2

DNS Request

212.78.174.34.in-addr.arpa

DNS Request

212.78.174.34.in-addr.arpa
8.8.8.8:53

bumxkqgxu.biz

dns

alg.exe

118 B
134 B
2
2

DNS Request

bumxkqgxu.biz

DNS Request

bumxkqgxu.biz

DNS Response

34.174.61.199
8.8.8.8:53

dwrqljrr.biz

dns

alg.exe

174 B
222 B
3
3

DNS Request

dwrqljrr.biz

DNS Request

dwrqljrr.biz

DNS Request

dwrqljrr.biz

DNS Response

34.41.229.245

DNS Response

34.41.229.245

DNS Response

34.41.229.245
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1KB

MD5
afbd5c31962499ea6836fc8e202743f6

SHA1
b86f64cf78cd390db6afd82da082db1ab0d999ee

SHA256
c3edc7a7bc2ff823b9867bf28d96305069c9faa50ea32cbef864937b188889c3

SHA512
f845ddcd8a2e4fdc9327e76e33a76522d4bc5b3f3281543681fca3748cfbe8839911fa914473d8a6f8c543312bccc9bb1da4a9d199ce94399c160311651ed8e3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
57KB

MD5
ce378b57f2d47ea5c23667aeb5d97770

SHA1
6dbc75186f0efc5a54c28d70edf694f5b310f786

SHA256
6196c2a081eee4a515abd9e84a21dd59d9e874a354b9b937c00cb10d4bb5b834

SHA512
6be2a05c1a77071ea92379a4e5030e1f5c98a09c048f3c8c78989028d61dfb7fd373329104b93720b265f4caa653f06065d8e70dd7598700347d389c542f3eb3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
239KB

MD5
5905197def568b1bfa3f97ab4ceea77e

SHA1
fafc10f2d045480231b174ac419d5883c017ce7a

SHA256
5fc9d95fc8b09ecf0da1932f4334d725aaf494315ce3c1b0b8e3860230e22dc6

SHA512
53ea4ac642d1c7f4691e83611adf4093c5b774c47d6185de0591abb0a44476024cf7d5c39d496f81e3a54675cf3915337f1ad80e61f0d54d2c0158fe8453936a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
207KB

MD5
b045823ac39ef0eb7e53c064927830a8

SHA1
8af2b15bb59b717a83f675c8d81f5245d35d689a

SHA256
7236ff8cb04e8c18f0b720b8daba3ab70d6de41c61943af2a1c7ce920c9b4d43

SHA512
25d3c9a0fd6428620a7f84536528479205355bcae2379f2f67c1c86a3b43c6a2a282065fa4dfe7075349f85e583b73b1ac74d58b157ca3b1a6bd4fac3b50b56e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
335KB

MD5
afe0d77f27e3c389164e3be377532849

SHA1
0b96fc3b3e28d490e076d96a3c2249f078792cee

SHA256
1b695649ccf2e032a75e59407440414d4c9add672f0b9cad2b934a139acac4cd

SHA512
b38907a4c10ffc14487953c162521c05e077fd95f242d05078b8d3bcc2dd72853979cd36cc534d8264fcda6ebbd0d55bcf2a07219d81b83539d7286580df4aaa

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
303KB

MD5
03698cda248d0e8912c59e5c70aab896

SHA1
9d928c7b37c9826be4b2d3929e259d44789aaca6

SHA256
5f369a2374bb598dc1d000f4b580bd7626e7a5076713600d500e7c322235c184

SHA512
1aae35587217239c1fe9787fa9c09b43d63ce23365df9b0dbbfeaa228db0678bc493644b7846c32fc571b5d7450c5387a0b144fca7de317592c61f1b97becf02

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
150KB

MD5
4a3b3d11289bc0bf0e0e9bfe50239293

SHA1
3c1d8d2bcaa9d5325ab5044949a62007531a6f61

SHA256
134fdde4a4eb5818744576347838327e049de565a7c6b3f062e2d54481a5f7c5

SHA512
c162f8b04be6eb5cdd17b9eda8cff6094c38d33872d523ab620222d13a763db3aeada5cf569200b5664fea85109501c65c8647154a06df8ff35440511d387814

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
9KB

MD5
89b2e58fd4bd634de382ef53f9ee567c

SHA1
ad05ce306f6af6e679c9b0f7a81bc5525e01d671

SHA256
5a02cec9908f039aabe67edb2bac525334be20ca6f802b1b642ed6a6cbc44e45

SHA512
b330b0591ed8779fc02cbf68ed4c92127f1fa4b7cdeb296688fa9feae3fb247f475ed3c2548e69cb9092bf6fd30906b0dd88cc95376fd4a7c2d2dd86fa536a32

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
92KB

MD5
f8edab9f28e5883127e0c1155df1aa5d

SHA1
756e2dab716a939c79c632cc0f370e760e3fe7a2

SHA256
bc9e2fe881a771955518424c83849c37af860c66e7a6dde84d663b72321500c0

SHA512
bc6f755f71dd21b8f75b80ade5d17cd93e1d57f9e5bfbbbe26507cb9f8bcdc898be256a8f0ae1583d9fdb7964077ead0d51ab5b971f1cadc1fc3b29f873a7911

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
82KB

MD5
4c16384548e5b9a4dcfe02c2bda0c333

SHA1
1ca9605d958ccadb17aa618f2ccc871b8dd629df

SHA256
e4d32f61f5a186d737527867d0d8401ba9c3530f694e57e9a3b5a6b41a4964eb

SHA512
91b259fa70c1d217ed3ef842bb2cb32c75dad1d4e0edfd4eab5c6639b128fae51f3f8e965e63dfbde14bc4abb2ea5e25a89dfd958e380778374a51963ca4dbd4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
79KB

MD5
63a0a050fb2f586c0e31af6359cdcb2a

SHA1
80b48d2054fc43cc7da66970c1bdf810c2aa74e1

SHA256
0d54d508a75936ff6e04d7a5a99ed26c52bfdbda50592310e989e68954072501

SHA512
a36fcccf4c070698c1e9351a3f006e59648b65989fcab03aa947b5466c52b73bfae9e4bf1d0be5f36a0563c3f8c4d0d167056b3e0323de53f556b13b0a9203cf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
40KB

MD5
a7f265b9d536ad14105c8da1d5ff909b

SHA1
678aaffcb114a37c0b7a812ed5dcea918e753252

SHA256
f7d32fc780060e69b13653c38dab92368a14ff2d41d83e838b682e0c979aae7a

SHA512
7fa2708f10e85489ef13de361e02c5bb8fadf8281f8010147473eed6ce308da8d0c4644759b6c258bef64e1517e48a0f6f758c2c21d499208ab912496cdc4bd9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
37KB

MD5
de2a19c201ce7dd2bf08c6ddcd2cff73

SHA1
b280375550f4c3cea578d2837a580385f6015d4d

SHA256
15ffaba3d15b8af0761ab629de10142323b02849cbb6337484b08ef157c4a7b0

SHA512
9df6b658fc197742d3b0882c61f496aa81862a8d0bf534f92fd52b5e244ceea1985178e784518a63cd98d86bcbd41708a730cd864c67e1ce8392ea1445b1aa9e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
141KB

MD5
812e2dfc5a088ac8c139f219a218604b

SHA1
7fff08c5a3b8da80c37d962d68aa687759ca32e8

SHA256
bd9272b56c24e445f079991c401a868ec2549521740f0862a73cf5aa07f5575e

SHA512
541abc891d2f20b0fa9e05671a8b2a55bd76329fdfb9e0ddc845701a56b3180d5b09d5c864939c869379331ec1a616c63dc7224cae523282a57157ce255a03c9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1KB

MD5
8763cde32c5137d644e3e276f5020fef

SHA1
dd339ff158eef11a446ec16cf9747626b9ceea32

SHA256
395d9d34de0482d6b68ceb2a55a684c29598c970bd38504c66fd8c141874d4fb

SHA512
920b0786c165649574ac2f8087e1393488ff77d0dcae6152b0a923a20e4a82dcc4c636e3e0601ad42c6c7530836b9625604d0c61f56309f6f90fd374d4002a06

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
73KB

MD5
69abbdbf9d88a7aca56fa06601891f49

SHA1
9a2719dc8f6dcff6e275b70d0dd9196a8b3c7fa3

SHA256
3e53d65cce62548a1143395be2fdc46b829411276d6043e46534a55f2a4fa80a

SHA512
e82ee831c90013b8059e958b43980769d6a8f1d352945d9b19e707cd35f4308871f6b9b6b4c9745085f32552887f5f5677f94a6132c281ce2f84a84a750c58d8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
22KB

MD5
48575bc2bd83e7d5d18729f003d9a7d4

SHA1
562738aecab1babe56f5e5f720f37189e80f8e9a

SHA256
9044cb1ba52b48f27febd6f5546ab692395470031d0cbcf29d90d486b8ad9fa3

SHA512
7c7945e3b19069129d2d3a6d8119751872ad645b769999c5eea08971c5a3cfc4cdd5568df5413868fe88ed8c692d7805ff2c01ab4eadd297b5200ce08633ef99

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
80KB

MD5
5ef69e511fb6c58dc409f9e7acb5a14b

SHA1
63f55433d69d07e9ca20caf576e9f8ab92511c6b

SHA256
5242d96c46befc88c10d025e7290dc7db3ec6a0a2badc8410b85e4f60be5e0f7

SHA512
e12c98197eb711360eba5a5bef8c0ac88c95e635606a731a38371f4a1def839fc06c1cbba0da7d1e6bc8ec60ef5f0e3c4dd8a2841087a56fd0221ca873ab3d73

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
57KB

MD5
865d655b1b2c7de4f1e37efed8ab8475

SHA1
b4c2a50f912c9ec6a841e152edf15ac5e14dcfb2

SHA256
2e480ec6cc179ca7452be2e298762b025d1da269ca8d10e1c6a5c03a967cf9b8

SHA512
aa73b23babb401feff4cbd2967703adc5b4cede8ae8b4b47f725e2a1d6dd9617dfa193324e60af96401d4859dee322a6551ae1a35b3006d3ae857fc9c32edb07

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
96KB

MD5
21594f27b6adff7ae5402605dc75cdd3

SHA1
2931cd98b5ee55d8540aed864d764127807404cd

SHA256
009a85f6e006175b9fc7f0a27cfb3dbab2cdb32844add0730294ff069b0e0244

SHA512
ccfdf19ef46b06d48b518a09bc8bfb6e55653ef1a9d1abda6aba50ffe5c28d8458f9fb92f6632918fabdd10549a124d06048900cabe87a2527f5b662ad8d47d4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
41KB

MD5
860e40ef8537a296979ddadbe7a68a0d

SHA1
b47da41f7ad30fc59f3fb44da556321f85bd20de

SHA256
68a2ee2767c5cad8e8711649d1fb7e0af01429326b938017006873a55d35b8cf

SHA512
5c77e641d58f26a11e60cc1ccb93dc7737b9e99d45a18b0540c89ca55f24b1a33114bc0e1fd9440dee3fb093c7252e6917282bcef00634e2894f2cbc54709a9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
81KB

MD5
acedc1524b7c9f8f65e6c1a8e102e505

SHA1
7c601b0c69cbd15ed349f3aa3bfde7d272fc8efa

SHA256
54e6cb09f3284a632a94a0364467c0b7951dd5927447d1c8f7a04f5408cae5e5

SHA512
4b34acf38f6b65ac4d5eee4309e8799acadde46ad0f6dec09e2d2ec61941d9da570d91ac6dc758e607c39104654ae5f7f27e4c90cad09030160b389111bd65d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
54KB

MD5
6b5f001b559faed851ef8e07225f10b8

SHA1
fd60b35826dea74a9e8e432d53973593a9a9e79b

SHA256
4ebcab23984f61311401edb1d11b8d88fac6cd2b3515d980c3e188632d4917a1

SHA512
a36d675e4c9e9feefc223f4956d906b38d27182e8b3622d6ba7420740e4afe3cb0f7973d69fc74e2638644b2b17b510ebcc7dc3b4d275053a4624301298d17d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
132KB

MD5
8b55d981f86d0959737909c2e0ea8183

SHA1
d44c7a3659085cdabd38c6a62f818e1d7ac67a0f

SHA256
050ef55f43a2c68040cb788948304abe7ca77d47632ceb2fa3b41c0f1ef20e29

SHA512
4023e82f2198c2512e1201500a9480a2d28a0f54768afec5c08bc2a79016084e30964f20970cb685220168c592ce033675b6eee94314d32b13d798df14667d69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
110KB

MD5
7d177dc139a0b768e783aba1ba026edb

SHA1
34f2fbb30776faa381639138a5d1cfa06b28cfa2

SHA256
fd821650eac15476e18214e3a264d9a7326515a35d99164f47c000af74268a8b

SHA512
8addbec972d0102c4c59655434ef47de43f506103b9ac20d878451d51846d9b621a841fda88b7c5b1c4a5d219903dc3bf40035c7053a897c8553ec694250afcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
59KB

MD5
ee59a1d84bed63f1b172e157b553078a

SHA1
0be59cef2564db5a8e3858014f57d3fc718f84f2

SHA256
ca8f5dba600af71d36bbcbc799b86acd356aff06464478ecdc2d613e8c38bbf9

SHA512
854d64544ef99803d8cb452020d72681dbf862429efc3bf35bc922108aa2e974262ba0ad1ef658a760910906a74a0faccc348b3a10e667755e0f154dc54ad289

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
139KB

MD5
dd4720ccb3ae8a1348dca1715fff7c37

SHA1
859bc70a4cf2fbb41356ff86dabb9366b007edfc

SHA256
c9d6bc72e5a3cc25e4c19038cb85333ca3a790ebfa1847e6a7f38be051168acc

SHA512
726e0d829abdcd329bc067ce1de6b9bf475d2afbd2131f3aa06296ad54213677c948db3345c969b9900dfa6eda3841d1baa3b6a619e75304a70078d24297b813

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
50KB

MD5
5b328a0c792c2d3dfa79be06e177d37b

SHA1
c4db01a855329634cc1a6657e8ee4137d44a81fb

SHA256
571f75caea5520451aa5201d182d4472fbaec3599e162713ec608387a0c89f7c

SHA512
cc2925e309a464e7c60fbe368c47c53e24c286d2a4626bd39da7452562fea758240cf5c69e9deb1a9578d97d14ba59ada182f8d0a8ec27fbb0b9f4ac82457201

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
112KB

MD5
54d213731a19e51194a31cd82101113b

SHA1
59003bace2b2ed260420becf50a4f713b29a4596

SHA256
d6a243eb956a0ff72999d2ad70119a11450c053c2657f58c3fa284f0da7fc4b7

SHA512
31b904ab1dfdab8c5f35294f736cbb7c89e6d2a9179328200dece309db09cb6449d5fb3136bf8a926b06671a0f751e73520171bc98c883137bd0265305068aec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
92KB

MD5
3991f1d5a8e89a4b5114feac5eae8726

SHA1
f33a6fb5eaff3d558b3f4a5fa821ff8e51e58b29

SHA256
9dfa67358daf8391c8ba49bfdff9af3018148aeefab54cf0dff47fb1f2f4c8e2

SHA512
e88f57ad425c4f891773293bf646667caa404d769790cc743bed22486d94e8e8a23b4e60e19d429fa6171cb105d5eb9fe84731098b61515c7791b7afb2aa1930

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
30KB

MD5
b5e7fad9c628be384f79ea929923f29a

SHA1
6af60636509dad4eebeb8d2aa45309e7cfa250c8

SHA256
4e7537b731d5897129bffd0966b0101d03a43a7557b3894c62fe0483ba04362e

SHA512
5d780ed851b4d889c03072574b81e2e46d51968f3c667760e615922165f52a8ca64a008fab68a0e281c20cfb85c66a21d90490dd1b970026c402df5bc302e0fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
196KB

MD5
844a33e072c20870e261cbb3742b0870

SHA1
4cab399c07c363e741c7b15582d4ae0d393a9649

SHA256
083b58875df3e688804250775dd654ff5669c2e7daa9afdcdbe4436d4374893d

SHA512
b0761a50fc634744c790cfeb0f4932d8396cf23742c9f963e1b32a6007b1e357f7378746e672874667cb2fe5718999cc835bde8f050c05eb4e9db148e2a578fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
69KB

MD5
d4a18c3ac8760fc6296fcb35fff81cbc

SHA1
bc21f22dfaba04171af092fe6ae76114546aa6c5

SHA256
131e597df6ea7d021ddf25bbe36ec4f94b18e2e6ed0ad1e68ff28572f81289d6

SHA512
2d76844efa385e7a9db59342ecb1b4c57bc20bbe83f9df7f8d069a8f094bc4d6134a0ff00556dca3aaebfebe6ab2b7933f5daffa2345ca31f93ec57df872d434

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
88KB

MD5
33a854940b3b2f75cec0611846652ee0

SHA1
b9e565d34629d1bd1ff1f8f2dcbabcf88ab51620

SHA256
427d63aeab4c226383d4644b03ff9e88ce95ffae0a1a83739a3b68f67016524b

SHA512
c95f4417e6b5e946fca4fd99da73551ea93d73daa807bdefc94ae9e9ea6bc8a77a9caeb3ce5f826295a3dbc70af3bca4c76d1991beed54028d77ecc5b7c82e57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
83KB

MD5
0a537dd133173116adc35ef7d1eba615

SHA1
1b71f28df4903114414158ab7b22b50b80f4939d

SHA256
437515cb0fb3788f3cdcc40bdd6b03f31e4d1099e52dc7e921fa9e21b9422d85

SHA512
e0905c3c6c9ce6f061d3ec63e8859a51e2dffc008c53ab163f8ceaf8104f0f942b3fc34370edae67bdc1a17ee8d5365199dcb15011e58fd9e0323f74e18a3764

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
57KB

MD5
8d6448e804bc51d7405c160a1e526b39

SHA1
b43213a01d7a253015d63e805b73d016e28e6352

SHA256
76f1646ab0116cd76b03eca7ea34773b1e3a6fbc0a20e44ac6d1e2104e471285

SHA512
3e2863f03c6b390b4225aea95667b25617b5160c1fc0fd6f6958b49aec88f1449801cafe58c580a5a5165898c8ff9a64d071269daea41279588fa7e7587c4078

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
65KB

MD5
2831f86de672fca0c8a332807603180b

SHA1
7032b5fba03196418a758dfb994116562f1e627f

SHA256
8fe7ced5a82e09268b971d93cb7108fbae6efa4b981eb54dace6ae713e20cf3a

SHA512
d8f938f4b63b6c582de23aff74a445384e0c9c8408eec4edbad3ddb10f33a625aa5111b172fd65c8d43c8301a58cf3ff563ea20f3ca754f509439071ab3c5568

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
193KB

MD5
434d30b480c33ccd6f721ca5448bd029

SHA1
65613854cc75b9ca1f3309bf3b7e38f6a1a16267

SHA256
93db8ba6e562af5365fc041dd5860cbf1145fe46131c2e8d116969689a74f28d

SHA512
ae424b54b9fa6692d9dcd7d56cad4ce2026f8efec50d315e9355d854909e2f38b9b829b76abe4ee4ed8f6713a649fd284c458f9278262459ffbb2364ba28d839

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
154KB

MD5
7c7311ec0443fe9c2e399bae134665c2

SHA1
25f62be3448b8f378d9f0d930f1090c441b9fc6a

SHA256
98234d0c4b7a99c8bd09dd243bacfdcb0c58edba6bc5600fb885b27af29b53cd

SHA512
a07176f18b5410eb2184046fe1cbdffc24bdef42e441b980e0fed706f5718697d28b38b203fc946a2b073670cddb772f2d6059e41f77460c0f08b2939b2a789b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
33KB

MD5
a72656cf8fc43f2636dcb5f7970796db

SHA1
6a0a32ae55dc6717c6b5943546d52f5aecfaaf84

SHA256
beff91ecf84d7f413d12258525dde40ae3d15c45c2a702fbc7afdcaa34e8bbc3

SHA512
e95cddda5380b3625032fddb04fa1f04f3e0170b41db31d9b04cb51e11c1355b8d198389946e7e74d0ea559b1bb61599c78f9da480df21aa7317b9d454df48e8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
206KB

MD5
2aa49da504b685a522f7d9a34d6076fb

SHA1
d9e244fdbf2c11bccd0a16f2d7c42aadbb1bcc82

SHA256
cb792451a8e81c52cf327c90c0c3762559ee61712fe47964042a0618abf9e0ed

SHA512
2320d7519c2db3825df0b2749e9a7d4f6150a9e711dfb3a17e41c549feb713ccbac936ea26077421069369420c2393dc2dc4a6fc618015d7958a703b4ca4af18

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
326KB

MD5
c4c5b45a3f0fbc84e8c9438bcfaf8918

SHA1
d014b25cfe0ea3dfd900e68b8c663c8b45ccae6b

SHA256
60f6a22e2b8bd21f1068f2a8dd0a9547c0a09306ff2b6fd1c5502d6b53346ac5

SHA512
ec32a1a2ae5503191b7adc5643ec3a9e554ac0218de9eba483f5415b03cd08e33b319657992837003c5fa1fc560540c898f270a226f171d37be29c9c2ce47cbc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
627KB

MD5
1f591835f5ca77b8e9dccad8074908a1

SHA1
3e7da5ce8a948c7bfe1d0ba4d4a26c6118280457

SHA256
fbf4263f6f54b7d497459e62536c5640427c58ac643523ecc8beaf013ad395d6

SHA512
3513e067e5b9c05419d8d801ec7faa09babec1dcdfe771b6e2f64e78b992238b791124228fef17614ea66c8893880e7d450e4b5e0145648e38781c143be90671

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1KB

MD5
483a5f9b44d554e4d86d1ec941a7fd64

SHA1
e32cfaa0770d73da420fa362acb2016623a1fcc4

SHA256
88c8ed4c0ee80b4d3419bbf6640017d0d29ae8ce3a30c2c6a4c5536cdc098750

SHA512
a1817ad2306183165d5635e347973497a0776a4b1683b83a154191e5ec3808c47cbcfbbffe7cbc4cb41e9530f247de4df2706eb2a812cb2c40e76394b8b9def5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
372KB

MD5
222c74c178b81565381a754d001be00a

SHA1
99d6e12f0a8fed1a880b6b7a642665d974faaccf

SHA256
a22a91699e6ce12587a6eae06cf91809874f5d8605eaa7ed4a9a7b908b95e338

SHA512
34f42bb149269f567190c7091a1d949cc1dbe7df76fa702bdcc345363c58b04ef1ef6ab53cad91e1cb26b18fdcfbad105eaf7c155f3e6c22f759ff6857f83875

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
57KB

MD5
eab52fa0937ea576e5f6016965a4284d

SHA1
bdb08ff71cf8d9a460aec1554179e870e479c57b

SHA256
fe54c812667205344daa462859f6e1abc3b794c760438519200b3315a5bda25f

SHA512
8ad6227e1a8050115460d201e570af438b2ad7189009c895e72a69c849b539cc250c80ba6ab0644a8ea7af1baec7bd8ffbf468396251ebb9a6e7aff0d5d738cf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
149KB

MD5
b2d51070e2741950ddb4c9dfe2f4077e

SHA1
b9d42a2a03bab208fa3ade4fb59150e69553d096

SHA256
5d3c7ff6757d9f73f80d98a755233a4ec1f12c810096796893909df795032446

SHA512
74f012f4c50a69b012380271cd2dc62bc94d33668624ad3d50fdf298c46cc721f96add79ad146204efa62dd54c7a04f1db240dd713b26b0cb8af789de8ee74e8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
118KB

MD5
5283cb255f08b9a8ee16f74378690c65

SHA1
ceb6e1df441575c27d7b34d95d1daecfc45b5555

SHA256
9ca1004f585959246df4e06ec11a1e8043cd22a128f9a7b4f086b2bf3e950dcf

SHA512
dfdec8f61f1ca890efef0a3256ba732bc8b6d455afb14ed5bd60bb51dcfd3fe4fc9224a027f12f3abe7538253e36ead35417889c152d550942b2baa27576ed82

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
45KB

MD5
52496850fe51719a37d21a1e34082d53

SHA1
215c96428a30aa60fef5ad7233e6fa3dc35ab18b

SHA256
c372f88b4555f614383f4fbec7bd6a8ed71994a0e4f50f54fc0435066f39b998

SHA512
58cca5e8f41b93a207015ee3fd2f676329bec15e5154c6854b9742d3f4a8180441037ea18c031a66973058f2566650cf4263aee98c888ff31c56974fc96f6488

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
310KB

MD5
b86d3d5d7024cecf677f7d31bbd5d030

SHA1
3be9ba30d060bf13dd56558a340bd0f12473761d

SHA256
c098940bc3df9bc435412072bef648dde873951b952946d05eadc6058b8cd9b8

SHA512
44303e019ec2a4057e6223807eaaf911df86cc982d5e4eed63a6287b7b96877c8e5356bfa1e07c8d899e75b674a5053bac9213fd5cbe5748c4ee7f873c4ec2e7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
236KB

MD5
6c2acb5eb8d3aea068af07a321384883

SHA1
36a995a55a8e16aeaa1e338b692f6d11819c1f55

SHA256
179afe02129e03e918e9f3a4c10b24aec4cb8e13ba566ad51e8bf7ced3b97c94

SHA512
ee2e7cd00c02e8c1fb2b01b2ab4bc4f4484eb052b7e0bb1fd73143ca76d76b85a171dfb54da9900811b17d662a6a8332b9caec157506329bcf86b9b93c18af55

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
131KB

MD5
5efc8752ab191577b8daf2a677ea5ae1

SHA1
57ff64d8660575d43c191a186bf219e578f19b59

SHA256
3f90e41c274f8ddfbcf3731aec175126cd5bd473cdf6b4bbbbc509f0f4fa5844

SHA512
817758407d1fc0f3dd1df24343aceb795e2e2233cf0c343b209be244a1a76b369706413b7eb9a06aaf0fcbb9513cfc4f99731ac9534b18179b0d67725d805730

Download Submit
C:\Windows\System32\alg.exe

Filesize
954KB

MD5
28ae144f3d7efc5f3784a5a6edc8e118

SHA1
2eb283b581a3e680263677677efd1cef0471425b

SHA256
2a6f6f9c8ddf06e7050e9ce850132d85bca9dfadb2689c863b72ffe1c43c8314

SHA512
6e1947d299a234349e8fae19bf3b0b318b16895e9641a3d0deab16fb6ae68382922383331a8aa0ffc32a2e9ed0b33b5e356294bad8ac00bab7e27df2832e59a0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
300KB

MD5
8e056a60232d82a7e287760b98a66074

SHA1
986c9f71e3483575ca7794ff992fde83cad5955d

SHA256
36f29bd02fe07a943e1903d096e933e5456a127c96e26f98a6b416a4c132a77f

SHA512
31a3d2c3b4eace1edbfeb476c7c1ffa818c377e9a281d939835a33627735a93a2d6f17da4753af1721805a10a1e19525e6184e86f294d8c74b578d6017f98175

Download Submit
C:\Windows\System32\vds.exe

Filesize
69KB

MD5
5dcd6adbf13d2e94f373ad0eeb8e98cb

SHA1
2fc31bd9479e7d6ed59f25753802c0d4eebd4d72

SHA256
a620ce6f0636a22232f94b5f393381d357375e031a9347a7992dbd28487ea6d1

SHA512
b1ec3cb965ab4075312681773c6590d4c6a12f5d36a29000c0b51aa95159f837490cd24d0c74d4d116a8e8beb5e4cfa31aa41f1864783302f1a47dd74e8adb7d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
128KB

MD5
06add06bcbd8e7af1ac527cf5feaddba

SHA1
5f43a2387c74cd5bab471b53c48066c80913a24f

SHA256
b8522c19b5f8e0c70006be395e7d28061d80ed3dc40626569f19881aacf61264

SHA512
3333d763dd621968b76c2752b3863de2695b4f4c0fb07a5d2f2a9bca9c7b3c70908947439bb10cd2fee45d72559aa000af728523f3d2803e0266beb2ee592546

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
83KB

MD5
4cbefd48fea159bbcad069f0efa4ee4b

SHA1
d8d3a92e00053219dd3410efd003c58099870c8e

SHA256
a2ab367e87cd7831f682f591f50a8923d3c5e3849c00bd337f97244ea4758ca6

SHA512
4564210fa803f00f3927fd9b114b6b91cd6967fe965e3676cc5bc94349dbc27a2aa394e9c36ecf0e52f19d53467dd90bef2b42a6da59d709f62b57b0bb7ec780

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
190KB

MD5
f3cc9fcd5c09f13c2a52b7b13ea33309

SHA1
a1692a3dda48cf681ed327ebca8b6e14152939fb

SHA256
da3e27eb7168ba33f51f274d9d82c6e089cb961143132f2930591a131f744bb9

SHA512
e3d109aa21587db57be3b12f4b1c76762d8a6c9191c25ac56e88ae302cb46bddb651b5082e43ab53a7dca0b888a94e98ecde54bdc0ea130b42a97a7e2270dc20

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
277KB

MD5
65b65834433f1b69582b5653c6504736

SHA1
24e23852a8f82d7dbbb55d16413a4201cf80da7b

SHA256
28b86b4eb8687dbef972a0a7fb47ca1bdc7a973b542b1bfbaceeedbcfdcdaa98

SHA512
3d3b6e9db5fcedc9fe29c2501659b35c17cc49064417b4f2a9945a89a5d0f145c27703e82dee1a97a434b629a978a347417b0e9de991efb5fcb5f616c06e6a64

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
190KB

MD5
1c4f3bf8305ef35c0744384dc73284d7

SHA1
2f2a69ddd5e1accc5cbf6a04585774c76e61ad28

SHA256
3f1c0b8fdd464b89cead5ad91ac4534e61ee13c3bfffd6f4fc25c643cca616f1

SHA512
ccf790b7423eb681ed31429ee199e8c2efc4241c73c75027949699d20b2fe3cd8749c186eb17776e304df56cb86d7d5f0942f6822ccc226b019c6480489ce455

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
351KB

MD5
39b773bcc0ce8cf1458db913646c78f8

SHA1
61c2e2f1f88dae2d4dfd41bbf668a65ef73342ff

SHA256
29ae33610e8a43165ba6e33b10958a01d807f8971240be30a02d003b79ff85ba

SHA512
35dd5db7a7e551957ccea82568339c1d172ccfd382282643885b5046eef35aaf935468466227f3b4a438512f6fa90a6576b8f9f7df93edd413ea45758afd4722

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
399KB

MD5
d252d851bef0591ffbef57de140339b8

SHA1
66af57407bb233d350082df58d8e08157b758550

SHA256
a7cd2a5b5798be1c24fcd42aae0fe5524489960de79a4fa5a5b10b516c004d3a

SHA512
4c75c5630398cede0a037bc31d0b779efe017b62fcdfa45a5d013eb2865fd81a1fd0aebb58814992ca3610b5489ffc8d96329678c4cf6661093672ccc40fb71d

Download Submit
C:\odt\office2016setup.exe

Filesize
389KB

MD5
e8448390f4aff8ef663d2f8ead239a63

SHA1
b588f96d70f9a7396ed1184996b62c138b60ecb1

SHA256
4c1ecf9b526cf3cb5a83880897aa6851d32efe26fbfb318f435e948fef140855

SHA512
e3a102a02029b18d12869e7ab00ba83dd6bbda3851894e1109374d1298b27da97158fefded0273efd31009241837a1abb97b42661d29e9bcd5a6bc318db60c87

Download Submit
memory/232-214-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/232-208-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/232-271-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/1200-143-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1200-13-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1200-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1200-55-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1200-56-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1384-342-0x0000000140000000-0x000000014016C000-memory.dmp

Filesize
1.4MB

Download
memory/1384-349-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1440-635-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1440-304-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1440-311-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/1636-673-0x000001F2F41E0000-0x000001F2F41F0000-memory.dmp

Filesize
64KB

Download
memory/1636-672-0x000001F2F41D0000-0x000001F2F41E0000-memory.dmp

Filesize
64KB

Download
memory/1916-241-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1916-183-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1916-174-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2176-298-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2176-299-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2176-293-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2176-287-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2276-167-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2276-232-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2276-161-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/2276-160-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2276-226-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/2372-234-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2372-242-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2372-302-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2576-157-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/2576-142-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2576-145-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/2576-153-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2576-150-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3088-106-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3088-117-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3088-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3088-112-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3088-114-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3224-323-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3224-315-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3336-120-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3336-188-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3336-119-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3336-126-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3524-204-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/3584-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3584-228-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3584-218-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3708-362-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3708-354-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3744-201-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3744-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3744-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3744-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3900-273-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3900-280-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3900-340-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4012-159-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/4012-94-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4012-101-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4012-95-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/4124-327-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/4124-260-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/4124-268-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/4324-253-0x0000000140000000-0x0000000140151000-memory.dmp

Filesize
1.3MB

Download
memory/4324-190-0x0000000140000000-0x0000000140151000-memory.dmp

Filesize
1.3MB

Download
memory/4324-198-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4388-336-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4388-329-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4740-255-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4740-245-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4740-314-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4904-132-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4904-573-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4904-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4904-7-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/4904-6-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/4904-1-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request