b747a3915d8568913fdd0bc7ed08bf25c1f6569955a9a4f7198d40fe32264efd

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 14:32 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b747a3915d8568913fdd0bc7ed08bf25c1f6569955a9a4f7198d40fe32264efd.exe
Size

1.4MB
MD5

710bc10139fbcba90929c547a03db20c
SHA1

a6fe597e6f8020052854c7f3a9d53195822b5769
SHA256

b747a3915d8568913fdd0bc7ed08bf25c1f6569955a9a4f7198d40fe32264efd
SHA512

041edc9c79063789e3dfc90e556712a8336916170d9d84d139936e2901fd91cbb4dfe0a044edcc5640b33d905c6810c9a7f971c9cd0744ba3ddfa2b111178839
SSDEEP

24576:QPiBL/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:QiLLNiXicJFFRGNzj3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2428	alg.exe
4944	elevation_service.exe
3728	elevation_service.exe
4780	maintenanceservice.exe
2228	OSE.EXE
5112	DiagnosticsHub.StandardCollector.Service.exe
4132	fxssvc.exe
4420	msdtc.exe
2356	PerceptionSimulationService.exe
4136	perfhost.exe
1844	locator.exe
3548	SensorDataService.exe
3588	snmptrap.exe
5116	spectrum.exe
4596	ssh-agent.exe
3156	TieringEngineService.exe
5028	AgentService.exe
2076	vds.exe
5072	vssvc.exe
4424	wbengine.exe
3964	WmiApSrv.exe
1900	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\75fe35bac92b1ccd.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	b747a3915d8568913fdd0bc7ed08bf25c1f6569955a9a4f7198d40fe32264efd.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 56 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bdd9e34ae56da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000665cfa33ae56da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001d10f34ae56da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee1eaf32ae56da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086526a32ae56da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc76f934ae56da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4944	elevation_service.exe
4944	elevation_service.exe
4944	elevation_service.exe
4944	elevation_service.exe
4944	elevation_service.exe
4944	elevation_service.exe
4944	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2604	b747a3915d8568913fdd0bc7ed08bf25c1f6569955a9a4f7198d40fe32264efd.exe
Token: SeDebugPrivilege	2428	alg.exe
Token: SeDebugPrivilege	2428	alg.exe
Token: SeDebugPrivilege	2428	alg.exe
Token: SeTakeOwnershipPrivilege	4944	elevation_service.exe
Token: SeAuditPrivilege	4132	fxssvc.exe
Token: SeRestorePrivilege	3156	TieringEngineService.exe
Token: SeManageVolumePrivilege	3156	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5028	AgentService.exe
Token: SeBackupPrivilege	5072	vssvc.exe
Token: SeRestorePrivilege	5072	vssvc.exe
Token: SeAuditPrivilege	5072	vssvc.exe
Token: SeBackupPrivilege	4424	wbengine.exe
Token: SeRestorePrivilege	4424	wbengine.exe
Token: SeSecurityPrivilege	4424	wbengine.exe
Token: 33	1900	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeDebugPrivilege	4944	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 448	1900	SearchIndexer.exe	116
PID 1900 wrote to memory of 448	1900	SearchIndexer.exe	116
PID 1900 wrote to memory of 2180	1900	SearchIndexer.exe	117
PID 1900 wrote to memory of 2180	1900	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b747a3915d8568913fdd0bc7ed08bf25c1f6569955a9a4f7198d40fe32264efd.exe
"C:\Users\Admin\AppData\Local\Temp\b747a3915d8568913fdd0bc7ed08bf25c1f6569955a9a4f7198d40fe32264efd.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3728

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4780

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2228

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2212

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4420

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1844

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5116

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1772

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:448
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2180

Network

DNS

79.121.231.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.121.231.20.in-addr.arpa

IN PTR

Response
DNS

pywolwnvd.biz

alg.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A

Response

pywolwnvd.biz

IN A

34.41.229.245
POST

http://pywolwnvd.biz/u

alg.exe

Remote address:

34.41.229.245:80

Request

POST /u HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 03 Feb 2024 14:32:55 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=c253f3f5f913ea59fa85ec27a52bde86|89.149.23.59|1706970775|1706970775|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

245.229.41.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

245.229.41.34.in-addr.arpa

IN PTR

Response

245.229.41.34.in-addr.arpa

IN PTR

2452294134bcgoogleusercontentcom
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

ssbzmoy.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ssbzmoy.biz

IN A

Response

ssbzmoy.biz

IN A

34.128.82.12
DNS

179.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

179.178.17.96.in-addr.arpa

IN PTR

Response

179.178.17.96.in-addr.arpa

IN PTR

a96-17-178-179deploystaticakamaitechnologiescom
POST

http://ssbzmoy.biz/dijuova

alg.exe

Remote address:

34.128.82.12:80

Request

POST /dijuova HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 03 Feb 2024 14:32:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=6100132461137c1169129047f603cca1|89.149.23.59|1706970776|1706970776|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

cvgrf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

cvgrf.biz

IN A

Response

cvgrf.biz

IN A

104.198.2.251
POST

http://cvgrf.biz/gi

alg.exe

Remote address:

104.198.2.251:80

Request

POST /gi HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: cvgrf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 03 Feb 2024 14:32:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=ac2656e5edc4311d036d0d9a7d738127|89.149.23.59|1706970777|1706970777|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

12.82.128.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

12.82.128.34.in-addr.arpa

IN PTR

Response

12.82.128.34.in-addr.arpa

IN PTR

128212834bcgoogleusercontentcom
DNS

251.2.198.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

251.2.198.104.in-addr.arpa

IN PTR

Response

251.2.198.104.in-addr.arpa

IN PTR

2512198104bcgoogleusercontentcom
DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

npukfztj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A

Response

npukfztj.biz

IN A

34.174.61.199
POST

http://npukfztj.biz/ttakhuswly

alg.exe

Remote address:

34.174.61.199:80

Request

POST /ttakhuswly HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: npukfztj.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 03 Feb 2024 14:32:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=14e24796675ad3e033c7f99ac1795288|89.149.23.59|1706970779|1706970779|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

przvgke.biz

alg.exe

Remote address:

8.8.8.8:53

Request

przvgke.biz

IN A

Response

przvgke.biz

IN CNAME

77980.bodis.com

77980.bodis.com

IN A

199.59.243.225
DNS

199.61.174.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

199.61.174.34.in-addr.arpa

IN PTR

Response

199.61.174.34.in-addr.arpa

IN PTR

1996117434bcgoogleusercontentcom
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

zlenh.biz

alg.exe

Remote address:

8.8.8.8:53

Request

zlenh.biz

IN A

Response
DNS

knjghuig.biz

alg.exe

Remote address:

8.8.8.8:53

Request

knjghuig.biz

IN A

Response

knjghuig.biz

IN A

34.128.82.12
POST

http://knjghuig.biz/mknyaflhcpencimo

alg.exe

Remote address:

34.128.82.12:80

Request

POST /mknyaflhcpencimo HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: knjghuig.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 03 Feb 2024 14:33:42 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=a5aac64a8e848b2a5b63e9830722dc63|89.149.23.59|1706970822|1706970822|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

uhxqin.biz

alg.exe

Remote address:

8.8.8.8:53

Request

uhxqin.biz

IN A

Response
DNS

anpmnmxo.biz

alg.exe

Remote address:

8.8.8.8:53

Request

anpmnmxo.biz

IN A

Response
DNS

lpuegx.biz

alg.exe

Remote address:

8.8.8.8:53

Request

lpuegx.biz

IN A

Response

lpuegx.biz

IN A

82.112.184.197
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

178.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.178.17.96.in-addr.arpa

IN PTR

Response

178.178.17.96.in-addr.arpa

IN PTR

a96-17-178-178deploystaticakamaitechnologiescom
DNS

vjaxhpbji.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vjaxhpbji.biz

IN A

Response

vjaxhpbji.biz

IN A

82.112.184.197
DNS

1.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.173.189.20.in-addr.arpa

IN PTR

Response
DNS

xlfhhhm.biz

alg.exe

Remote address:

8.8.8.8:53

Request

xlfhhhm.biz

IN A

Response

xlfhhhm.biz

IN A

34.29.71.138
POST

http://xlfhhhm.biz/xsiijtofime

alg.exe

Remote address:

34.29.71.138:80

Request

POST /xsiijtofime HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: xlfhhhm.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 03 Feb 2024 14:35:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=faeb033d6e9700ee506a8cfe1b41a878|89.149.23.59|1706970912|1706970912|0|1|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

ifsaia.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ifsaia.biz

IN A

Response

ifsaia.biz

IN A

34.143.166.163
POST

http://ifsaia.biz/odwq

alg.exe

Remote address:

34.143.166.163:80

Request

POST /odwq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ifsaia.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 03 Feb 2024 14:35:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=0c279180b0375f8ff703ee78a709e253|89.149.23.59|1706970913|1706970913|0|1|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

138.71.29.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.71.29.34.in-addr.arpa

IN PTR

Response

138.71.29.34.in-addr.arpa

IN PTR

138712934bcgoogleusercontentcom
DNS

saytjshyf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

saytjshyf.biz

IN A

Response

saytjshyf.biz

IN A

34.67.9.172
POST

http://saytjshyf.biz/u

alg.exe

Remote address:

34.67.9.172:80

Request

POST /u HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: saytjshyf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 03 Feb 2024 14:35:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=deac1285e3a9c9d8b98ef3f4845a0f0c|89.149.23.59|1706970914|1706970914|0|1|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

163.166.143.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

163.166.143.34.in-addr.arpa

IN PTR

Response

163.166.143.34.in-addr.arpa

IN PTR

16316614334bcgoogleusercontentcom
DNS

vcddkls.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vcddkls.biz

IN A

Response

vcddkls.biz

IN A

34.128.82.12
POST

http://vcddkls.biz/qjjwg

alg.exe

Remote address:

34.128.82.12:80

Request

POST /qjjwg HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vcddkls.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 03 Feb 2024 14:35:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=da7791d2ccb99ed33cdefb5bc52b7c0d|89.149.23.59|1706970915|1706970915|0|1|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

172.9.67.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.9.67.34.in-addr.arpa

IN PTR

Response

172.9.67.34.in-addr.arpa

IN PTR

17296734bcgoogleusercontentcom
DNS

fwiwk.biz

alg.exe

Remote address:

8.8.8.8:53

Request

fwiwk.biz

IN A

Response

fwiwk.biz

IN A

67.225.218.6
POST

http://fwiwk.biz/nwpmclgvgvcnv

alg.exe

Remote address:

67.225.218.6:80

Request

POST /nwpmclgvgvcnv HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: fwiwk.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
POST

http://fwiwk.biz/asjfkllfttyskc

alg.exe

Remote address:

67.225.218.6:80

Request

POST /asjfkllfttyskc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: fwiwk.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778
DNS

tbjrpv.biz

alg.exe

Remote address:

8.8.8.8:53

Request

tbjrpv.biz

IN A

Response

tbjrpv.biz

IN A

34.91.32.224
DNS

6.218.225.67.in-addr.arpa

Remote address:

8.8.8.8:53

Request

6.218.225.67.in-addr.arpa

IN PTR

Response

6.218.225.67.in-addr.arpa

IN PTR

lb06 parklogiccom
POST

http://tbjrpv.biz/gloqsmdx

alg.exe

Remote address:

34.91.32.224:80

Request

POST /gloqsmdx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: tbjrpv.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 03 Feb 2024 14:35:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=3db9e95ab001173cb7f021ac4f88846c|89.149.23.59|1706970916|1706970916|0|1|0; path=/; domain=.tbjrpv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

deoci.biz

alg.exe

Remote address:

8.8.8.8:53

Request

deoci.biz

IN A

Response

deoci.biz

IN A

34.174.78.212
POST

http://deoci.biz/yuplhtdvrppa

alg.exe

Remote address:

34.174.78.212:80

Request

POST /yuplhtdvrppa HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: deoci.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 03 Feb 2024 14:35:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=7a3fef3dfa9497c38f276f4fa2980258|89.149.23.59|1706970916|1706970916|0|1|0; path=/; domain=.deoci.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

gytujflc.biz

alg.exe

Remote address:

8.8.8.8:53

Request

gytujflc.biz

IN A

Response
DNS

qaynky.biz

alg.exe

Remote address:

8.8.8.8:53

Request

qaynky.biz

IN A

Response

qaynky.biz

IN A

34.143.166.163
POST

http://qaynky.biz/j

alg.exe

Remote address:

34.143.166.163:80

Request

POST /j HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: qaynky.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 03 Feb 2024 14:35:17 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=77f49945d4d3f7f0096dd7cae5d8b4a9|89.149.23.59|1706970917|1706970917|0|1|0; path=/; domain=.qaynky.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

224.32.91.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

224.32.91.34.in-addr.arpa

IN PTR

Response

224.32.91.34.in-addr.arpa

IN PTR

224329134bcgoogleusercontentcom
DNS

212.78.174.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.78.174.34.in-addr.arpa

IN PTR

Response

212.78.174.34.in-addr.arpa

IN PTR

2127817434bcgoogleusercontentcom
DNS

bumxkqgxu.biz

alg.exe

Remote address:

8.8.8.8:53

Request

bumxkqgxu.biz

IN A

Response

bumxkqgxu.biz

IN A

34.174.61.199
POST

http://bumxkqgxu.biz/sncinivhhx

alg.exe

Remote address:

34.174.61.199:80

Request

POST /sncinivhhx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: bumxkqgxu.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sat, 03 Feb 2024 14:35:18 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=144485dfa1c57e3307bc40a01bdee026|89.149.23.59|1706970918|1706970918|0|1|0; path=/; domain=.bumxkqgxu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=89.149.23.59; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

dwrqljrr.biz

alg.exe

Remote address:

8.8.8.8:53

Request

dwrqljrr.biz

IN A

Response

dwrqljrr.biz

IN A

34.41.229.245
POST

http://dwrqljrr.biz/akhllytjlld

alg.exe

Remote address:

34.41.229.245:80

Request

POST /akhllytjlld HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: dwrqljrr.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 778

34.41.229.245:80

http://pywolwnvd.biz/u

http

alg.exe

2.6kB
617 B
7
5

HTTP Request

POST http://pywolwnvd.biz/u

HTTP Response

200
34.128.82.12:80

http://ssbzmoy.biz/dijuova

http

alg.exe

1.4kB
655 B
6
6

HTTP Request

POST http://ssbzmoy.biz/dijuova

HTTP Response

200
104.198.2.251:80

http://cvgrf.biz/gi

http

alg.exe

2.2kB
653 B
7
6

HTTP Request

POST http://cvgrf.biz/gi

HTTP Response

200
34.174.61.199:80

http://npukfztj.biz/ttakhuswly

http

alg.exe

1.4kB
656 B
6
6

HTTP Request

POST http://npukfztj.biz/ttakhuswly

HTTP Response

200
48.1.83.0:80

alg.exe

260 B
5
48.1.83.0:80

alg.exe

260 B
5
34.128.82.12:80

http://knjghuig.biz/mknyaflhcpencimo

http

alg.exe

1.4kB
656 B
6
6

HTTP Request

POST http://knjghuig.biz/mknyaflhcpencimo

HTTP Response

200
82.112.184.197:80

lpuegx.biz

alg.exe

260 B
5
82.112.184.197:80

lpuegx.biz

alg.exe

260 B
5
82.112.184.197:80

vjaxhpbji.biz

alg.exe

260 B
5
82.112.184.197:80

vjaxhpbji.biz

alg.exe

260 B
5
34.29.71.138:80

http://xlfhhhm.biz/xsiijtofime

http

alg.exe

1.5kB
655 B
7
6

HTTP Request

POST http://xlfhhhm.biz/xsiijtofime

HTTP Response

200
34.143.166.163:80

http://ifsaia.biz/odwq

http

alg.exe

1.4kB
654 B
6
6

HTTP Request

POST http://ifsaia.biz/odwq

HTTP Response

200
34.67.9.172:80

http://saytjshyf.biz/u

http

alg.exe

1.4kB
657 B
7
6

HTTP Request

POST http://saytjshyf.biz/u

HTTP Response

200
34.128.82.12:80

http://vcddkls.biz/qjjwg

http

alg.exe

1.4kB
655 B
6
6

HTTP Request

POST http://vcddkls.biz/qjjwg

HTTP Response

200
67.225.218.6:80

http://fwiwk.biz/nwpmclgvgvcnv

http

alg.exe

1.4kB
212 B
6
5

HTTP Request

POST http://fwiwk.biz/nwpmclgvgvcnv
67.225.218.6:80

http://fwiwk.biz/asjfkllfttyskc

http

alg.exe

1.3kB
172 B
4
4

HTTP Request

POST http://fwiwk.biz/asjfkllfttyskc
34.91.32.224:80

http://tbjrpv.biz/gloqsmdx

http

alg.exe

1.4kB
654 B
6
6

HTTP Request

POST http://tbjrpv.biz/gloqsmdx

HTTP Response

200
34.174.78.212:80

http://deoci.biz/yuplhtdvrppa

http

alg.exe

1.4kB
653 B
6
6

HTTP Request

POST http://deoci.biz/yuplhtdvrppa

HTTP Response

200
34.143.166.163:80

http://qaynky.biz/j

http

alg.exe

1.4kB
654 B
6
6

HTTP Request

POST http://qaynky.biz/j

HTTP Response

200
34.174.61.199:80

http://bumxkqgxu.biz/sncinivhhx

http

alg.exe

1.4kB
657 B
6
6

HTTP Request

POST http://bumxkqgxu.biz/sncinivhhx

HTTP Response

200
34.41.229.245:80

http://dwrqljrr.biz/akhllytjlld

http

alg.exe

1.3kB
44 B
4
1

HTTP Request

POST http://dwrqljrr.biz/akhllytjlld

8.8.8.8:53

79.121.231.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

79.121.231.20.in-addr.arpa
8.8.8.8:53

pywolwnvd.biz

dns

alg.exe

59 B
75 B
1
1

DNS Request

pywolwnvd.biz

DNS Response

34.41.229.245
8.8.8.8:53

245.229.41.34.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

245.229.41.34.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

ssbzmoy.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

ssbzmoy.biz

DNS Response

34.128.82.12
8.8.8.8:53

179.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

179.178.17.96.in-addr.arpa
8.8.8.8:53

cvgrf.biz

dns

alg.exe

55 B
71 B
1
1

DNS Request

cvgrf.biz

DNS Response

104.198.2.251
8.8.8.8:53

12.82.128.34.in-addr.arpa

dns

71 B
122 B
1
1

DNS Request

12.82.128.34.in-addr.arpa
8.8.8.8:53

251.2.198.104.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

251.2.198.104.in-addr.arpa
8.8.8.8:53

20.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

20.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

npukfztj.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

npukfztj.biz

DNS Response

34.174.61.199
8.8.8.8:53

przvgke.biz

dns

alg.exe

57 B
102 B
1
1

DNS Request

przvgke.biz

DNS Response

199.59.243.225
8.8.8.8:53

199.61.174.34.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

199.61.174.34.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

zlenh.biz

dns

alg.exe

55 B
117 B
1
1

DNS Request

zlenh.biz
8.8.8.8:53

knjghuig.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

knjghuig.biz

DNS Response

34.128.82.12
8.8.8.8:53

uhxqin.biz

dns

alg.exe

56 B
118 B
1
1

DNS Request

uhxqin.biz
8.8.8.8:53

anpmnmxo.biz

dns

alg.exe

58 B
120 B
1
1

DNS Request

anpmnmxo.biz
8.8.8.8:53

lpuegx.biz

dns

alg.exe

56 B
72 B
1
1

DNS Request

lpuegx.biz

DNS Response

82.112.184.197
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

216 B
137 B
3
1

DNS Request

194.178.17.96.in-addr.arpa

DNS Request

194.178.17.96.in-addr.arpa

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

178.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

178.178.17.96.in-addr.arpa
8.8.8.8:53

vjaxhpbji.biz

dns

alg.exe

59 B
75 B
1
1

DNS Request

vjaxhpbji.biz

DNS Response

82.112.184.197
8.8.8.8:53

1.173.189.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

1.173.189.20.in-addr.arpa
8.8.8.8:53

xlfhhhm.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

xlfhhhm.biz

DNS Response

34.29.71.138
8.8.8.8:53

ifsaia.biz

dns

alg.exe

56 B
72 B
1
1

DNS Request

ifsaia.biz

DNS Response

34.143.166.163
8.8.8.8:53

138.71.29.34.in-addr.arpa

dns

71 B
122 B
1
1

DNS Request

138.71.29.34.in-addr.arpa
8.8.8.8:53

saytjshyf.biz

dns

alg.exe

59 B
75 B
1
1

DNS Request

saytjshyf.biz

DNS Response

34.67.9.172
8.8.8.8:53

163.166.143.34.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

163.166.143.34.in-addr.arpa
8.8.8.8:53

vcddkls.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

vcddkls.biz

DNS Response

34.128.82.12
8.8.8.8:53

172.9.67.34.in-addr.arpa

dns

70 B
120 B
1
1

DNS Request

172.9.67.34.in-addr.arpa
8.8.8.8:53

fwiwk.biz

dns

alg.exe

55 B
71 B
1
1

DNS Request

fwiwk.biz

DNS Response

67.225.218.6
8.8.8.8:53

tbjrpv.biz

dns

alg.exe

56 B
72 B
1
1

DNS Request

tbjrpv.biz

DNS Response

34.91.32.224
8.8.8.8:53

6.218.225.67.in-addr.arpa

dns

71 B
103 B
1
1

DNS Request

6.218.225.67.in-addr.arpa
8.8.8.8:53

deoci.biz

dns

alg.exe

55 B
71 B
1
1

DNS Request

deoci.biz

DNS Response

34.174.78.212
8.8.8.8:53

gytujflc.biz

dns

alg.exe

58 B
120 B
1
1

DNS Request

gytujflc.biz
8.8.8.8:53

qaynky.biz

dns

alg.exe

56 B
72 B
1
1

DNS Request

qaynky.biz

DNS Response

34.143.166.163
8.8.8.8:53

224.32.91.34.in-addr.arpa

dns

71 B
122 B
1
1

DNS Request

224.32.91.34.in-addr.arpa
8.8.8.8:53

212.78.174.34.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

212.78.174.34.in-addr.arpa
8.8.8.8:53

bumxkqgxu.biz

dns

alg.exe

59 B
75 B
1
1

DNS Request

bumxkqgxu.biz

DNS Response

34.174.61.199
8.8.8.8:53

dwrqljrr.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

dwrqljrr.biz

DNS Response

34.41.229.245

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0cbea0bf7b5e76800b0521bcce85b5fb

SHA1
5d847b61144aa1de0fbbd5c3bd89192000100a94

SHA256
ee5eef900c6e1ed55b8f2f2bde20d157a907b4fe6cb6d016983de13ce984761c

SHA512
f2d289c341abe827c5f482c81419d41ea3edc714b7fa25381b6adf054adc46145c686de69d49cc6bf94430f8ad178b1810dcd208e4c041189fcca287c2e36349

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
1f9cff02980164dbe0052e23ec96f8c4

SHA1
0ed9e1ed6a0f3ad0f2f6159551f2792d16aec2c2

SHA256
26ff388a9eba20380426091125397f5e8b264687f0beb9cdfa7656d309597064

SHA512
a44d9d45017e08309cfd73a3b3d8991831d20d88165e016afe99b6d70dcf30a356a90e53990e97ca8f33e6f07db2533f2a7b50cf318deac0c3bf0ab159f2ff47

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
2a4fedd1f975cd84a537f05cb8e3b034

SHA1
b75dd57c1ef7a5edf65af5809ea4dca5e8ff7677

SHA256
7c39708a7e495a7988049622c5e3d0eaa9bfe173f6df338a2a5c730bcd7a36f9

SHA512
18ec43a7f1fdda480dd950393caaa697c0be44c751be05d8cda599a5392c95414ea18318768ad841a69039e8e6bc8b27d7e474c56bcbf7a229dfb96d1a0f73bf

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
55bfbea3a50bd89898cf77775354ba90

SHA1
447e80ba75de6182e65e880450e1e4f8bfca2079

SHA256
3d4e13a4ace500864cce6bf1e9735800efbbe369ebad7ace2fdb3ef5919b4726

SHA512
733c2e12abc59aca64da813c68732de53d3404d4dc1e9e96a0618ea1bdc7773510e9d4aea3009dc981b563ff5e2a5d90aacb063fb25a7501df1f64b4e0703dbc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
85d057caeaccee58b54e8552661b06a7

SHA1
660e61b397fcd218153c6b536d236b7a6f4bf894

SHA256
65f9ffc5bf04ba969724333d85e3fd342256361161ba42e8e6fdae5d02883803

SHA512
6a64fe3181b4718809f615e4d3554e51a4acf2e443441c632d3a2afe325dec93ec19c9ade2eae38e867112f6bf5089892e55c44a2836b57173197a5b850f6204

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
51f6c3b6d8d983b301861cd5b0ebe25d

SHA1
b32fbace4f4aaceff7f459b69bcc8782909cf5ef

SHA256
ee6434e2e99d78fab24cd8bccc6ac311310c54eb07190a1996e18880d6e6b13e

SHA512
f730b9a548095deefbd819fd25ebccd2ce979ec43291382fc6fdcea7e24e1499199d423b4fab3780c2a2d4671074792acc566cd0ae3613ebcc232d64030dfb09

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
768KB

MD5
47a44f95ca0fe56bb757bca35335a4f2

SHA1
2bc02aaadafaeb686d2b70d23af852756c979e9b

SHA256
2b92081f529a22a295fbac37ea6e69c5795c7cd215709c88e130d722503fab63

SHA512
c4bc8fe748b945d57f6a963a14bbcfdf420a3351a6ec3771106c8a19b54e7d0327070c5a3d6fc26d74d6529b6ace830c74423fcdb1ee14db2de67f943faa97ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9610d7b43934e20e1f8e5c1934fafa6d

SHA1
e178789f08c71353d0d604d562b547548f7a1bf1

SHA256
eb2a44fc4d56ec25c298a93f1f696cf240152f34b35696978e979344925454e2

SHA512
308c42c2d1fd3f745f45c73934cb97a63eebdc6b65162920b116d72e9d845a19c1e7b5c8776aa308367ee027c33c4676895a7823de94b4d95a14a1a9048dc08b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
2d85db2246047d0af836d548b120248c

SHA1
3d6c79728537dfd95be9ea5295c87372110babb9

SHA256
6a693e339e25c3ba4a35847e59aabbae8d7a909a1df423579f88c6f791e80e1b

SHA512
6231a226bc4c4fb4f35c11d3e1147f80036f07ff8401d725db14c6eadffb1034b89a6cddd35e4b086886eee842ebdae2ea621bc37ee1f8169d605551350c114a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
704KB

MD5
4d025789a47acefdd8fd6d81b360a66e

SHA1
66d74e8cdd022221859cd6eacdac60e3efc97e22

SHA256
57fdf0f33cff282f6542bce28b8ab4cfa0e2dff1341cc7837fbcdf8eb6fde083

SHA512
586f4f2ed405952add4af62d1faed4c7c6eafd204707aafde81c9c923e3f63efeddeb1a369daebdb4833e2da2204611ffa5bbb805359adbd16b74b785c7af5c4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9d25ad3c4fde89dd3c827963e67bbef4

SHA1
df284d3d721310e9378e3d63e90c69baacb2037f

SHA256
6eb2fde4379a4102b2a8edc1f24f397b1099f3bdd9e98c84a2cbefdfb8991197

SHA512
2802789e00baa75d1b646933b27220c27f80cde26df8393d24b990870c4d3f967c03f781ee3302e5178834db775e572c8ef59c7a04aa52776e7d1b789a6fb937

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c7e4c4e3f4804af2ac1198fa61989220

SHA1
29f1c18188ba2d829c5f24d711b7cbc0e8a09f6f

SHA256
6e2952bfd354a13c23b2ca44bd05f00d98bffd16253ec33e42b11aaab96c6468

SHA512
693d8326f162bb155f7d277c93e7b9277f4432ecfe7e0f085fdd1d5e7dc878a30d42de21cd78ca2071e70f99db09209383b94444a833d8c7ac0c19acd7d6e157

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
eb48db3f2d28c6c07be4f612e7b7d98a

SHA1
1eaf1458a5aaf72d6ff5a4b60e4692b909bd49ab

SHA256
549cd4515ad5d4e948f3d6de16ed3f9894bc3d99f0da0848bc033d30f859204b

SHA512
501482ffe0081fcdec91e61aa35665d347a6deb3043b806cf9ecd7f325187ca5806971a3ff5c3daebac2485fa469eb7b684d9ce82629639e1d8379a115602d96

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
576KB

MD5
53df5ddcb4dc75575005042413e28de3

SHA1
d5b2aec6d7e0c11df2852ec2c9efc120338481d9

SHA256
35901d5e6c15aa071bb2fc0896ce503287587e3e066e0facc06185b31b9983d9

SHA512
2fa0d2ad47f7087782dbc44702b4ca2e64e39fb5e2b4f986a4e4050ec78589dd388cd5aace967506c0a74cf64a2e8e5295df567175f0c86f44559df7472a3f16

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
499a43bf4e9a60867f140921f3d46811

SHA1
3c1a21fec47bacde148b6b27a7048bbfe6bac9a2

SHA256
6699320fd68677a3b0f35a0339d0ff33149769475264bd178e73f4f55019dd4a

SHA512
a10bbba627c193189b428872ecc2a5d45dbb066e4dede1f72ee9eabd7c15a7bd1826858e8e7b7b7463aef8b06df0d0c8731151b20ac8777784c15533c5f5acb0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
2.9MB

MD5
47715fcb7f206b71cf3e531dd308edac

SHA1
40e8ccdd4aa0437e7c15dac614cf6364f8c7d4f2

SHA256
afe446bb4bf4df25a9bceb79bab0f1b6372f10753766d8c51885ff8fa8f344d1

SHA512
05643642d5e2ab8c5f735fb1261f12dc3fdc3380ac58dd4820f7de2a47711b560c5e8fe80ae57d0cf4961d09f8982f5f26d923e80964c9cae4d9a35b58eee4d2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
7aab3d30b973801d7739d3714464db26

SHA1
f9c9b9af5738daa3b6eca32c4f51b00c05727127

SHA256
c75eb8cc42553fc16a941c22d849ff15445ce9f352b58396f7fd5003a899c0e0

SHA512
56a1b73d4a67a9cf0caeaa7aa36401e468f444fd88d511a7808cc3a0b6a178f1f2a5338c0d4079d891539c7341709c2cec360dde6e79e20f6b1b51b20c54338b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
12c06a498ef6dbaa4d41a4f90e67bbee

SHA1
40ced690951627a74ed26f5e28187535de35355b

SHA256
2ef758562b16ce7d1a9b5073d6dfc00211650765ed9bfb017f7640b107e36e64

SHA512
1c2842a6401bf28fb0a5429e562d11ddef1ac12bb4365f5fb32def2001815df6e92126700c5711956dde826fdb0dcdd30ab570a68127f979556ea1dbdd399cc0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
48b68909d0cff54410920988584c301b

SHA1
6a26a8e12524f9a3b2da076a70ab2c357f396279

SHA256
1d1b3355b49cf34259c4caf6e3bb97408f295c6578cf0eeecc8f8c632e773b64

SHA512
406ee9a6321f0284e99a56dfcb6a43348e5b0f42af543a19133747f5b4fc94bda5d715c747287f2939f18a86727b94cd5aaa976619bdfde708b1966c25d31e83

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
749e6d1163c70917d4893d503df9f2c4

SHA1
1e9ec64342effef8903dc473fbf86acf1ad014af

SHA256
5473924dab8778d705edd504aeb578331675b24a75651d7714d665593ad8d323

SHA512
3c3cf5a3064be0e04ab676cb18f257ed830de94f7a08d458cb9b719d9a8d1bb8d63edb19c5afe39391acc1a5aba968dc20ab3bb8d5f9203ebbd4a6320ae8f2e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
f95c649922bbcd9eb784f42bb6f70cb4

SHA1
0e22969ecf05a49021aabd039b0ddde3d9782098

SHA256
530a612406f57b040b761e5b71048f69d0d4e861eccc03cd6f2e9181a878826b

SHA512
a09c7c8954891adac1d3d2956fc66fd8ac283521a0f05c7f16b98341d5bbd488e11636a2bc5c40f95284e236335f1d649d3d75fe7099033e165170735df6780f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
769ecdc214064f35ff357ab49d8fc42c

SHA1
8fcc67a41224ebb992e825047ccd722c7528a40c

SHA256
9b66d81c6f655f4dfcbfcf9be5a16a2e3bb2a05dc9c78c17fd5ddbe028622fc0

SHA512
761cbc8c44729d65a89312a1c08274f3a7880ab61f61409dd62f82a64b0f67c8e1e54bd4b1bf1956e4d942a1ced535c96e809adf4eed710d9e5ae700e93d7f1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
93d0b4524ec9bbb66a7bf097f3c25907

SHA1
0ee83ba827f0cc577d5e94ae3391903975fa5dbd

SHA256
9611302b094dd31815f5c05fa0d153f92e85ee0c14a6ef45861bb57189e404d5

SHA512
326b5a06f891c2138e3d0c4fee36e7fe468bc9f68f94c32a5e1cbe919f5a991d7ccae387bb7d3acc4ced2a5c15691255bf20a9f2a7ee00b86c578f5117260953

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
bea5092cf006aac9edc94e7c0b0c6a0b

SHA1
367b39371f99aa754acfef0b80d7f4f3ab90a1ea

SHA256
e7c23c0e8d15e210abbd8c537e958b4567a421b009ffa24137a844efdfbc79a8

SHA512
ddc9c12f9a4df3a083ea8a6cedee063bbee139812a6aba798bf7b652c388c80719e6f3de73f0a1f677b232b52e263268f9cb391c70925bd6019d20bf2345163d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
58b3c0d06bcb8b9748caadddbac496be

SHA1
5ac21ab635f21bc4a994046af9c67da3a18d31e9

SHA256
7c83faed8e5d08712b2ef67fad7cd89e6953326369526ac743f7480e30a049c3

SHA512
6cc843d5448cf083c0cf745400e94586e2f373b283387987b2ecf05639b053507200863802825ffec8ec0287cccd67841f2f3dc26fe6d714356f1c78187cf6d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
8b6e3a8510271a7d84d22d234cf934fa

SHA1
2a0765dfcfd21ee013e722581f375543ce25624f

SHA256
e9db9149e171d57a9f32d3dd8b57bfedb2daa4ec1b7cc7bed697a4a3f0d7295e

SHA512
d3f20ee97e0cfe76947f680c35b126cf837b2635989fad8ebce152f4cd0bd6c004b5e9c1a7b254ab443308cd5757df9aaed605c2b71fa91fac50c51f1dbacd1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1024KB

MD5
2a967479435a357fadf43079730037de

SHA1
9ca3606c9d6e85c72e24cc0ab83b50dcb237d17a

SHA256
14abf19714f182e6b63648eac025ab46bb26ae6de1af2c3b8fe098cc5f0e23a2

SHA512
a12d4340985102723c68e6f602fe2ba2e50b49fe39ba98b11a57a871a96d0538f0844c56b1c73aa6d37bacd4c6b1180053a3060ff1cafe9c721c540425075d37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
960KB

MD5
aca78d3cb724c49a7cce72ef0e171db0

SHA1
ac875f0a12c86a2c34a4d0148c3b6696eba6cb98

SHA256
8fbb3ef1ac4b2c10d766a9fb72f513e587643649941d7768be99fcebf191ad77

SHA512
cca839390f7a90cd3af306dde822cc41a397d3c29d1024dc6ebe61d266c0b19ec278a9742d8bac00f0a15eea1a0ef057226a53577b43dcf70bea6c9439f8b038

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
960KB

MD5
436e3de8b324823d3f8023067eee7954

SHA1
73140196bbae8d0a98b35ff1f2bd6933fe43ddf2

SHA256
b729c0a9128fafa83a37a571792c4b9eb7d9f17f8be700de36b42a559997372f

SHA512
465382e3ac4c65fbe8b9ee8d470fe3af0eb9d6b79718be2271d9cdbdabab03103d2b30724f7ea84757178eb4ba3dac02679f494aaf3208936c270c5f594721c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
896KB

MD5
6e5abd6a1db772b15851821c823178ef

SHA1
6ef6487182da710ce921c2905c6de580fef67d36

SHA256
51b7e2a3468beec37db6061fc4a807092ff1ae1b2ea797d494148ba537300a2b

SHA512
5d3de2253497a96a90726c07b86d46c40942883e03159146ae6bb80a2e39526074ee014457cec3092f8b2c9fa4bb1eb8e184eef0193d0368cee8c5a65e9ccd00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
832KB

MD5
b1f7ebeaf1f7db3ba9185bfb242f1023

SHA1
70193f16619d05c14c77bbf8510b959a0ff2c988

SHA256
0969fcf9647d7cc112ede450959822f26c250d8a9c0f7818cae32f80df395108

SHA512
6f1985a9d8c357b2a4af3c5b779584b70b301697326edcab7d64b6ca5a0e5cc701f182c6d5e9ae98489830c8a0fa6940665ccba2ea6505361a264b25d23da06f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
832KB

MD5
3d54b57d5b650621a4898ebb6bb14a96

SHA1
8c36898ee2f620b660218a9e43abe710387b6977

SHA256
0c606854b0a20c877a4f1f702bf32b76e2caa773a14ba3dcbaa9763e9ba84053

SHA512
34e2b31996205826d2af59b602057cea217b569a7efae213e3255e470bd8ec5214b3a861e82c6a8f879e5f7ce902aaed37879b01f4059ec8562cf4b0a32d18a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
768KB

MD5
6c0cade51ce2a868d44d61b8a1c42dc9

SHA1
378a74e0df827d5999e5a6ec0cdcb33b8de1b545

SHA256
24eb69a89010007df214c78ded08f2c7bd3838e47f3731d80286691f9026e4b0

SHA512
27aa53d2e340c3f3ddf17240da5a64958a9dd03b315abfd46e640bdf1bd9b9f31e788eef0fef4b04659c8908c65d8ce60737e1ae8806b5546375e1d98f08e4ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
768KB

MD5
99ca1e28c0e693db2816690a2a70b74c

SHA1
b640ae58abc1994bf176dadbad359e5590dd6f54

SHA256
e56bbda129e6d384b73bfa27f5b72ff9d28ac914dfba7a1181e3d84d0e24ed85

SHA512
a37f75dd552e5eeff705c2bd5e0acd6c8dcc60fa8b14974dffe2d651c5cc6b9eaf598ddf6ebf74bb1164a1ed1c1c5ac3dacfa5d054c3130ceb7092374554e6b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
768KB

MD5
8862b4eeb6b86dc4fcc8c69619d7283e

SHA1
9f3b10ad161bb46eddb9518fc429fc918a50be76

SHA256
055db5e92bcaa992e6297d6d15af5a0d2825ff3dc69e6f3ddb446ce604f6c884

SHA512
f2a7bc7512bd0a6c0d281f89d3b11e4ab7b53ed4bdba1ff7eb650c515fa99d9afe8833ef196003417fad55baae054469b2e0c5c18079585835286cd0dffb9e2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
512KB

MD5
dedde733d4f5e2f210c7984b0c27621c

SHA1
e584ae3b082c1ed8292e3b94537440b097f0b1e6

SHA256
bb6cb6a0f66901c0886ac760b1577f706e365b5e606465ab72d934065638b489

SHA512
e9bb831002618c884a65c85e8c94a49daf15c12625859a8e19ff1e0f1c7054e8cf692f14744e61d38459adcecc19b213bfab008417c0c290612295c3d925fe94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
704KB

MD5
401b28940f9ef029d2e6dbb2d9ad22f5

SHA1
362bedd68bf1b67d3ddbc04a8e50e5fe5c8151b1

SHA256
dc38a9c43d7dac65ce082653eef4b8236b129fe47a6a1f7529cc88dfd59f5c6c

SHA512
02b3eaa77764fee236de4bda176898408c05253b1b6eb0373b0c16a31df81557cf3bb987d461bf507d5bd025bef3fb0f2f0467a55d7cc989b2aa6760f8a295f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
704KB

MD5
0b981023bca80df50733c920b50fc654

SHA1
aaae0bd60a8bbdf4dacfa1d9848c2bb36c5afb60

SHA256
478ad4033d6fb2071ca3c151a42a6a8e4f1720254ca5725b405cc35143213d07

SHA512
3d4bd0361bd9057002ef679e05baf76199e0d4da7df433df505c683281e0bceb8523190574aa87f76be1d1bbe63f4e67fe535bef14d2f94e67610bdcdfa1a0eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
640KB

MD5
6c8b3177ecb4cd7e98be93b3f7552ddc

SHA1
a03ede0f8647cc39d5689cb0e90bd615db482aa6

SHA256
2d59d93c7c3b4c81af9283d5ee0a80292c7f225298355ba834a631dee36f0fba

SHA512
eb52fb4819664f911e562d3c69e8804aaea39229057e12b21fa55768f05b2dd0109415ab6b8758e140e796d155099e8199253d6905f23c5c24053de6167afc90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
576KB

MD5
88a705fd9896a7387ee9b0077cd1fea6

SHA1
9f198f5da4ce3177a742673c9dbc2da6d07210c4

SHA256
3ec501fcefd2a19e229a626a2700dd42b4878ca1acddde9aaf3cb95feb06e2a0

SHA512
e01eb70d64fd999bdee4ae711839ec0c73a5295d7d6386c0a4a34a3da5254836ae2b8852825e833d56d1272dcb8be5a818253c66b8d68ddce25eca1ce05dd64d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
512KB

MD5
563a500a0e63329d4aa4ad636a42076a

SHA1
98be57d38ba03537f0455955619dcaa5cde47dea

SHA256
923f40286f98750943be7db1f7b934ffd74f520dd0be9f9c528bf5294a27cb79

SHA512
543605a04e0799582b04d8a8641fe5233c46aca2253e9a39e2e18eb649c83c1744350278ad6e0b62a3e72d165a766a36e2156b72ea65870013c5a122359cffa9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
512KB

MD5
11875fd4c0493f4a9bbbc337c95f015e

SHA1
920422c63d6b021c6e3af4909de8910513b778a1

SHA256
afc3d50571d76aaff07862771beb882aad381fdb1c69a316f5ff882deae94a93

SHA512
19aa85253b36f83d6be1735d4989dc1851a38376afc5601347ff5ec10b7642f6db2f2d320307cff85f2beb4d8008fb6666a00c0e854362eef11b48de31400040

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
d1ed72df100b42dad71f41aa534377ab

SHA1
1ac6096e09dba974ff04c718fffb91f53d7a2ea4

SHA256
46bd7217984489d600993f80fa399a14990b1980d3e665e3782105d6dbcfd6fc

SHA512
b61b19537ba0854220b4b50c6cf58f9e486da5a24f43ec71969bcc01a6c627fd1d3b7e0ab394228a31b1462827f6265e0c37ed7b2ab56e3b6259c6f395e3455c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
b3823b690b7777a53188448ac1a05128

SHA1
d10adb9816ed11ebf61bcea82746a87a746b758b

SHA256
811900719f25f705b6fe2489fdcd319a5d10b0faceca362f8026c95624507aa2

SHA512
6adeda6205f515d028758fda3d79a0374156535a20b820f4fae63c170dcd45ef700fa48b31440474b65e6998cdd91df2d96f92690690e4f321d7828615b589fc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3319054a224544ff45866fb322957032

SHA1
577771b557e445d641fe6ad4566a5294a3559721

SHA256
c168d3d70212d47add09f99c903aa9aea9c1e6557bacaa31892c6454306e74a2

SHA512
cb40e97b18aa54dd37b844e472ff4bbf48dff4578a5c1275db2f35f2daf1450c865268281c466174ea6ed487702a57ab508be1d220716265ff91c8703434ab6b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
832KB

MD5
1273a0ccc07d0c7aa75da61d7d8900f6

SHA1
eadf420866a91e5e18059031549cfeaa01e9a99e

SHA256
f17fd1ac12b00171a199078ff6c8dbd1bda42caaabb91c1b23ee6457d21453c2

SHA512
bd75602b6e3a7b3278e73078ad9b7416dbbe8476139e53a9c7de822c30fa1dbe0442a18a92a19976cadb03a9ab4fb514c25d4e39e42ecd565352d6b62c0d41cf

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
db6ce50ecc1752b48722bdefa80f1fe1

SHA1
88dbe998c7ddb033c457e502b801d105063487cd

SHA256
b6ea432a21305f5495c6a20e675b4b92d3057b9df8e0cb1385d37c878ba1866e

SHA512
009499d117ba6957bfd5e8e351f3047bd0bc3f28559400d6bdf1507c7d3edc1ad98365291688249b4a4578aee0294d3bf05430cf75e16409fad539bb79fdd2dd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a6f516f243e99e399a1c47dc11a02854

SHA1
061ba59bc716b4fd24fd2d6e981bf865bba7f1cd

SHA256
3c0c6a0cbc074c5eeb874cb8ca5cb2103af8abd7111a56744d2431048bd1abc2

SHA512
6a44e36b877c4e46846e72d55679cb79deba421f550d56fc8098eb49ebc8121455d6caa25be3c5aabe85155e870c4b1aed1f9bf999a804fd3b203376896b1352

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
2bc09aba688aa502ded23a36060cb140

SHA1
c1008df87a53ef764c184ab86a7038b3755d2fb7

SHA256
5e66f38e432fe545085c509ecf8188020ab245428547cefc68dd743f1ede16e7

SHA512
474e839718f29c6efd2717199cac8aebbb96b2ca30c76c92e3b208e1a77b9b526cb8d09dd7f874e7d3fcbed2aa037eb9c34d06e5ef0f3a469c8fcdb1eab68462

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.1MB

MD5
f4cc7031b90a1ce35c8d8b283fcb7768

SHA1
475907b34f71d25ef42a34b9144b74f9f90f1e5e

SHA256
235eb7299b93ed691bc59917f96724e012d7046a0f910d343c3970b610bddf65

SHA512
aa074e1d5629d980c76626f18fa66b12759663eb9e219b88397b647f40c9500a29df5702ca57c66bbf778f48d302bea52281ae40e0ec5a6bb35594b2d7fe372d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e254a6a69a18168452c0d55cc69c4af4

SHA1
9e56bdc55fb9fc382d5f8c687d6fbed6c5bbeace

SHA256
b7a28e1a9c43144e34b24001c28e36a2b76b00b05b1f1d09d0575c4a18f76c4b

SHA512
8b9e21058f3b10b13827cd4770c1634f435165e6e0256f15afcc998bef561dafbadb58466f90d8b0c5cf7a24abd97d7b4ef8b2339b382862343729bbf088b59b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d6153a520e6ea0d42f3050941bb390eb

SHA1
6ac8554f52b6824047120ff1250ae77effea5160

SHA256
0f5685cba1656756607ccdeb30814725f132e4b12a3e1ca1035ede7dbbddce1f

SHA512
305f708e70d12a2a080094ddb1c919ced017bbbfc109a849d7e8aa389c0e5d7b77bd686c883230a0b917bf75083a10cc9fd9d6bdaf193c0c6a9d89e97b2c5a61

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
32a3b591ffa84bfa0245af38e33f9437

SHA1
a033eaf2dde4cf06848ed90b376ddfd007bd9307

SHA256
67b29115e2bdb5d0a0b1c8ff778d6ac6431f45715485d2149ac92aa0bb3f09cc

SHA512
7eeb9cb58569ad16d025b4567d1b4ff7ebfe0a65fd9bfe79841f1a47bf0d49103cedbecd95cc34434386b1f022b271ab571c090e321e25d0df31097b5d28d25a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1f4d2f712277331ec4b0b15a526c5b3b

SHA1
13e9a15973cce128c68630b108e91eec4ba86504

SHA256
57e433f054fd68eb2bbef3fe3ff9601d423c62e52adc423b7bf271c3908176f7

SHA512
c02c375f0e82e783ddabc14e2ec29092f62af01d725315f05ea22a56016f8a81fdd73dbfea9a2e93588705159db7a6a0654811338e97ca61cbd44b24802420ea

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
7583cde56818cc4050fe1918a6e2e9dc

SHA1
7a1fc436048e95d84a39ee04d2e6ffdcaaa9db08

SHA256
aa14318d5cd9af07450910744ed4248939ffa0c3700807318d98fac4e09e1d3d

SHA512
38fb8d58b9f161f971756aaa6a03511ed4661eca3e2113317da1a5a308e23979aa67a13fd164cdad695730e4d02df247fc263434a8791e225a265ade731ffbbf

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
583048c8a614969197839d1096397691

SHA1
d6a97f6c3bf1748c6a29467781521e111a2d33c3

SHA256
0dcc5191dc595376c5b8783df3b4f77e229371c05e8577d1a121346b6f8de0b4

SHA512
2cbdb37ee5dd363c92068e25f74ad96e2675a0db457cfc34f3ba8d64293e66353dc611411570b936bf7722208aaf6103191f0b50bb543171fa30ce0855b478cb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b081343e99867d71d950870649c70822

SHA1
ae7b41298d8d72d717d9cd83660612e5cef32070

SHA256
df63e70b3aafd01742ec8e5adf493907f4c045128150bd1c829c4e5ce6c0e1b7

SHA512
1bc640e09cc817b4bf7ae27a2119381c36a2b680097632b82274fd17fa9f4785add828aecbf0471639579fa641ace5df610befc0bc7ac6cdaafc6a2fcb0df190

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
1e6c59015755cc4214dcf2ce2c38559b

SHA1
e8a3ca217e24220f618410d87d0e015f4b4bed1c

SHA256
8985923b84a1f88342655cb36c78cddb1920c1d2c01c3cbdadddc468bf04c5b1

SHA512
9288f63af14fae71dc982b7e46a7ae3e9fd8234e626004c64905db18b5af0820fd2adae6923f8922b91ee135cbc04a7c9ac3241635463e182e86950975315fc7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
41530859ae3a5579b4c00eb840780329

SHA1
d6255aeeea4091a5bd3df320c8d126ec2cbc48ed

SHA256
1c4729a08670e3bdae43103f35f36709e4aa5cc9a1fa6e81f6989bc4e35465a1

SHA512
8ce5b40a2640c9d755ccf62644f18e76ec64f3b6ffbd5b25a4733e660bc182be855dd33f318e56503889c118800339701062194f4de2d09230d588d0de986ac5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
66075fbda68b0e07dd0d387d38f7bd1f

SHA1
45119bff1bed149bb656aef2746fb03b23a8eb64

SHA256
55ea4a207cb553459d188fc5c872178c5ee1a2a0430a2dd9422676b156607eeb

SHA512
2eeb33223bca4ee9777b8b091513cdb5d152e29de460f23f1a69925be2cb47a9870f9929bdbd20e3d9288b0fb8e17fd0058c0174039abea44e7156f8589c939d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
71b0e6c5ff4a2ec09ef93baa6c614db8

SHA1
85803ea03fdc9da8ea31a6cf58df39e05a464fdf

SHA256
85950331e81c046a49ea01991919a158a47b8681e64a5fa3a17f969e248ace53

SHA512
3117848025650bcc637ec0b4179ca30f2bd37154e4a2ecc604f1a2fb5a3f98503e267c498399a7c63c0fc5cdad3bff7131efca38b849a5f47c85c41daee50b7f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
761bfe9cef7018eb11faa7114475ce90

SHA1
eff767d39074a5285570619901dc00cff87810d4

SHA256
4747c2a8754c95618750e5e6b85abf24c6ca270aebe6fd3cd28469705d6163ea

SHA512
85b4a1295672286acc2b9af4298b8ebb12eb346e0a7027115e176c05893282116c63fe480da094d620ecd39fd3cbb0de2f81f2636f03c1b39e00f78027144d77

Download Submit
C:\odt\office2016setup.exe

Filesize
3.4MB

MD5
0db12057b3bcd60381ad526eee365fac

SHA1
1da4a8ba5d1f7802a5bb0670d3bf97bcd42ac267

SHA256
382e46dd2da359395d0cf8fae5f0440ad68eac9fe7b48a398928ecc03da7923e

SHA512
d8a359fae3871552299879cfffe0a45db0f58b0e780cc8ceb675548d34e304f8153a24d33bd00faf28dfb521d4ae51431096f30b9c1948a06d25900e4010efc3

Download Submit
memory/1844-319-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1844-311-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1844-377-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1900-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1900-467-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2076-408-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2076-416-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2228-67-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2228-232-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2228-65-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2228-72-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2356-293-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2356-349-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2356-284-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2428-73-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2428-22-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2428-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2428-12-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2604-7-0x00000000024E0000-0x0000000002546000-memory.dmp

Filesize
408KB

Download
memory/2604-1-0x00000000024E0000-0x0000000002546000-memory.dmp

Filesize
408KB

Download
memory/2604-6-0x00000000024E0000-0x0000000002546000-memory.dmp

Filesize
408KB

Download
memory/2604-0-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2604-21-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3156-386-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/3156-379-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3156-446-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3548-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3548-332-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3548-546-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3548-547-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3548-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3588-407-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3588-339-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3588-345-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3728-38-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3728-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3728-210-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3728-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3964-447-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3964-456-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4132-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4132-255-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4132-262-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4132-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4132-268-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4136-305-0x00000000008D0000-0x0000000000936000-memory.dmp

Filesize
408KB

Download
memory/4136-372-0x00000000008D0000-0x0000000000936000-memory.dmp

Filesize
408KB

Download
memory/4136-363-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4136-299-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4420-280-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4420-336-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4420-271-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4424-442-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4424-434-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4596-364-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4596-374-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/4596-433-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4780-60-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4780-63-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4780-57-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4780-49-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4780-50-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4944-191-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4944-34-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4944-28-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4944-27-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5028-391-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5028-399-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5028-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5028-405-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5072-421-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5072-429-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/5112-250-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5112-243-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5112-244-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/5112-310-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/5116-350-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5116-359-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/5116-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request