2f14b315a1e3093f920bf1161af0aaea340c068914ca013466f143d31f6083ee

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 12:30 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Size

1.4MB
MD5

ac8b758586141295b69cfda013405256
SHA1

bf269a1aa67cba5220a9aea3856eedcc03ff9341
SHA256

2f14b315a1e3093f920bf1161af0aaea340c068914ca013466f143d31f6083ee
SHA512

a2f6887904cc0a0a44dbaee352fcaec3de1aa3640d193d7579f373fcb0a01a4146ffa0506240a3b76dec1e95078f7d487107d65589ba9605fe63ba43f3a13689
SSDEEP

24576:UcgGFE1snPpM6rVERyCAAaLeN8wMhgng:tgGK1CBXnUaaOw+gn

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4316	alg.exe
3060	elevation_service.exe
2248	elevation_service.exe
2148	maintenanceservice.exe
4632	OSE.EXE
1436	DiagnosticsHub.StandardCollector.Service.exe
2504	fxssvc.exe
4636	msdtc.exe
1768	PerceptionSimulationService.exe
4856	perfhost.exe
1856	locator.exe
1308	SensorDataService.exe
5116	snmptrap.exe
5104	spectrum.exe
2500	ssh-agent.exe
1028	TieringEngineService.exe
1112	AgentService.exe
4104	vds.exe
1912	vssvc.exe
2992	wbengine.exe
4796	WmiApSrv.exe
2272	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\52032fcb6003136b.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{B0092916-300D-42A1-8132-6122DFFE037F}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{B0092916-300D-42A1-8132-6122DFFE037F}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9eddadf57dfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fdbc7df57dfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007eb3c0df57dfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e42fe1e057dfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef1eafe057dfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071d805e057dfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7b1fedf57dfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cefbbdf57dfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe

Modifies registry class 52 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS\ = "0"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe\""	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\ = "CphsSession Class"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\ = "CphsSession Class"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID\ = "IntelCpHeciSvc.CphsSession"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\ = "IntelCpHeciSvcLib"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer\ = "IntelCpHeciSvc.CphsSession.1"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ = "CphsSession Class"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\ = "IntelCpHeciSvc"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LocalService = "cphs"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win32	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID\ = "IntelCpHeciSvc.CphsSession.1"	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\Programmable	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LaunchPermission = 010014806400000074000000140000003000000002001c000100000011001400040000000101000000000010001000000200340002000000000014000b000000010100000000000100000000000018000b000000010200000000000f02000000010000000102000000000005200000002002000001020000000000052000000020020000	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3060	elevation_service.exe
3060	elevation_service.exe
3060	elevation_service.exe
3060	elevation_service.exe
3060	elevation_service.exe
3060	elevation_service.exe
3060	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1600	2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
Token: SeDebugPrivilege	4316	alg.exe
Token: SeDebugPrivilege	4316	alg.exe
Token: SeDebugPrivilege	4316	alg.exe
Token: SeTakeOwnershipPrivilege	3060	elevation_service.exe
Token: SeAuditPrivilege	2504	fxssvc.exe
Token: SeRestorePrivilege	1028	TieringEngineService.exe
Token: SeManageVolumePrivilege	1028	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1112	AgentService.exe
Token: SeBackupPrivilege	1912	vssvc.exe
Token: SeRestorePrivilege	1912	vssvc.exe
Token: SeAuditPrivilege	1912	vssvc.exe
Token: SeBackupPrivilege	2992	wbengine.exe
Token: SeRestorePrivilege	2992	wbengine.exe
Token: SeSecurityPrivilege	2992	wbengine.exe
Token: 33	2272	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2272	SearchIndexer.exe
Token: SeDebugPrivilege	3060	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 3560	2272	SearchIndexer.exe	132
PID 2272 wrote to memory of 3560	2272	SearchIndexer.exe	132
PID 2272 wrote to memory of 4816	2272	SearchIndexer.exe	133
PID 2272 wrote to memory of 4816	2272	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-26_ac8b758586141295b69cfda013405256_mafia.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2248

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2148

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4632

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1292

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4636

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4856

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1308

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5104

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2188

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3560
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4816

Network

DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

pywolwnvd.biz

alg.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A

Response

pywolwnvd.biz

IN A

54.244.188.177
POST

http://pywolwnvd.biz/imunqmcyajwvkqgf

alg.exe

Remote address:

54.244.188.177:80

Request

POST /imunqmcyajwvkqgf HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 780

Response

HTTP/1.1 200 OK

Server: nginx
Date: Fri, 26 Jul 2024 12:31:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=232dc970c1d6d0b6412ec3d112c9a394|194.110.13.70|1721997062|1721997062|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=194.110.13.70; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

ssbzmoy.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ssbzmoy.biz

IN A

Response

ssbzmoy.biz

IN A

18.141.10.107
POST

http://ssbzmoy.biz/gvcuontoxfnwxf

alg.exe

Remote address:

18.141.10.107:80

Request

POST /gvcuontoxfnwxf HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 780

Response

HTTP/1.1 200 OK

Server: nginx
Date: Fri, 26 Jul 2024 12:31:03 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=0634dbff78b2457a6ec1b2107b8179aa|194.110.13.70|1721997063|1721997063|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=194.110.13.70; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

177.188.244.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

177.188.244.54.in-addr.arpa

IN PTR

Response

177.188.244.54.in-addr.arpa

IN PTR

ec2-54-244-188-177 us-west-2compute amazonawscom
DNS

14.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.160.190.20.in-addr.arpa

IN PTR

Response
DNS

107.10.141.18.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.10.141.18.in-addr.arpa

IN PTR

Response

107.10.141.18.in-addr.arpa

IN PTR

ec2-18-141-10-107ap-southeast-1compute amazonawscom
DNS

cvgrf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

cvgrf.biz

IN A

Response

cvgrf.biz

IN A

54.244.188.177
POST

http://cvgrf.biz/vfmtfud

alg.exe

Remote address:

54.244.188.177:80

Request

POST /vfmtfud HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: cvgrf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 780

Response

HTTP/1.1 200 OK

Server: nginx
Date: Fri, 26 Jul 2024 12:31:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=5485a7ec38db2a4e42d096d26dacd110|194.110.13.70|1721997064|1721997064|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=194.110.13.70; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=af18eb51cb1c44fb8ede6b55eca766ff&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=af18eb51cb1c44fb8ede6b55eca766ff&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=014C837A0F1C6203308797B20E3B63D8; domain=.bing.com; expires=Wed, 20-Aug-2025 12:31:05 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7FF43F3BE52F4DB387DD3A02CB7B5158 Ref B: LON04EDGE0610 Ref C: 2024-07-26T12:31:05Z
date: Fri, 26 Jul 2024 12:31:04 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=af18eb51cb1c44fb8ede6b55eca766ff&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=af18eb51cb1c44fb8ede6b55eca766ff&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=014C837A0F1C6203308797B20E3B63D8

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=uXuMwppsttdBx8VJnFGpk9tuTPksdtfgE9hf1JetoVU; domain=.bing.com; expires=Wed, 20-Aug-2025 12:31:05 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9DBE11E10E6749DABD0C2C569A05AC4A Ref B: LON04EDGE0610 Ref C: 2024-07-26T12:31:05Z
date: Fri, 26 Jul 2024 12:31:04 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=af18eb51cb1c44fb8ede6b55eca766ff&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=af18eb51cb1c44fb8ede6b55eca766ff&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=014C837A0F1C6203308797B20E3B63D8; MSPTC=uXuMwppsttdBx8VJnFGpk9tuTPksdtfgE9hf1JetoVU

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 64F0C1E1BDDF45E8BAFC357255835765 Ref B: LON04EDGE0610 Ref C: 2024-07-26T12:31:05Z
date: Fri, 26 Jul 2024 12:31:04 GMT
DNS

npukfztj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A

Response

npukfztj.biz

IN A

44.221.84.105
POST

http://npukfztj.biz/wwjpdkecml

alg.exe

Remote address:

44.221.84.105:80

Request

POST /wwjpdkecml HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: npukfztj.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 780

Response

HTTP/1.1 200 OK

Server: nginx
Date: Fri, 26 Jul 2024 12:31:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=5b485e7b32f6f8804a076924e6fa4114|194.110.13.70|1721997064|1721997064|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=194.110.13.70; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

przvgke.biz

alg.exe

Remote address:

8.8.8.8:53

Request

przvgke.biz

IN A

Response

przvgke.biz

IN A

172.234.222.143

przvgke.biz

IN A

172.234.222.138
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

105.84.221.44.in-addr.arpa

Remote address:

8.8.8.8:53

Request

105.84.221.44.in-addr.arpa

IN PTR

Response

105.84.221.44.in-addr.arpa

IN PTR

ec2-44-221-84-105 compute-1 amazonawscom
POST

http://przvgke.biz/ctwdvejaclyrsax

alg.exe

Remote address:

172.234.222.143:80

Request

POST /ctwdvejaclyrsax HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 780
DNS

zlenh.biz

alg.exe

Remote address:

8.8.8.8:53

Request

zlenh.biz

IN A

Response
DNS

knjghuig.biz

alg.exe

Remote address:

8.8.8.8:53

Request

knjghuig.biz

IN A

Response

knjghuig.biz

IN A

18.141.10.107
POST

http://knjghuig.biz/rwyyxqumdq

alg.exe

Remote address:

18.141.10.107:80

Request

POST /rwyyxqumdq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: knjghuig.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 780

Response

HTTP/1.1 200 OK

Server: nginx
Date: Fri, 26 Jul 2024 12:31:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=2b84f88272a0228885b98b7b512e62c0|194.110.13.70|1721997088|1721997088|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=194.110.13.70; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

143.222.234.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.222.234.172.in-addr.arpa

IN PTR

Response

143.222.234.172.in-addr.arpa

IN PTR

172-234-222-143iplinodeusercontentcom
DNS

uhxqin.biz

alg.exe

Remote address:

8.8.8.8:53

Request

uhxqin.biz

IN A

Response
DNS

anpmnmxo.biz

alg.exe

Remote address:

8.8.8.8:53

Request

anpmnmxo.biz

IN A

Response
DNS

lpuegx.biz

alg.exe

Remote address:

8.8.8.8:53

Request

lpuegx.biz

IN A

Response

lpuegx.biz

IN A

82.112.184.197
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418589_1A7GR0X7EOYKFPJ56&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418589_1A7GR0X7EOYKFPJ56&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 592830
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5B6B3FE69E4B49BFB6BE81D6A8CC938F Ref B: LON04EDGE1214 Ref C: 2024-07-26T12:31:34Z
date: Fri, 26 Jul 2024 12:31:33 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388042_1APSAGRCSB9NM0S8N&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239339388042_1APSAGRCSB9NM0S8N&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 665915
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EBAB041A36C0475F89570A524D2C4349 Ref B: LON04EDGE1214 Ref C: 2024-07-26T12:31:34Z
date: Fri, 26 Jul 2024 12:31:33 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388043_1HMYXED637CKIBU88&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239339388043_1HMYXED637CKIBU88&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 682955
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 852F4CD988F14D759EAE70E638BB0E89 Ref B: LON04EDGE1214 Ref C: 2024-07-26T12:31:34Z
date: Fri, 26 Jul 2024 12:31:33 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301715_1L98D8CO0BH9X0WDY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301715_1L98D8CO0BH9X0WDY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 543646
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9826F9355BE74124BE0EE21756621D47 Ref B: LON04EDGE1214 Ref C: 2024-07-26T12:31:34Z
date: Fri, 26 Jul 2024 12:31:33 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301306_14JKCMWI1LY9W4K6L&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301306_14JKCMWI1LY9W4K6L&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 497379
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A35A9377A77E4EA3903EEABE7EF60D86 Ref B: LON04EDGE1214 Ref C: 2024-07-26T12:31:34Z
date: Fri, 26 Jul 2024 12:31:33 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 525311
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 71220BD379C44B48B8B37CB774BA30C8 Ref B: LON04EDGE1214 Ref C: 2024-07-26T12:31:35Z
date: Fri, 26 Jul 2024 12:31:34 GMT
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

10.28.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.28.171.150.in-addr.arpa

IN PTR

Response
DNS

92.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.12.20.2.in-addr.arpa

IN PTR

Response

92.12.20.2.in-addr.arpa

IN PTR

a2-20-12-92deploystaticakamaitechnologiescom
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR
DNS

38.58.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

38.58.20.217.in-addr.arpa

IN PTR

Response
DNS

vjaxhpbji.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vjaxhpbji.biz

IN A

Response

vjaxhpbji.biz

IN A

82.112.184.197
DNS

vjaxhpbji.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vjaxhpbji.biz

IN A
DNS

vjaxhpbji.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vjaxhpbji.biz

IN A
DNS

vjaxhpbji.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vjaxhpbji.biz

IN A
DNS

xlfhhhm.biz

alg.exe

Remote address:

8.8.8.8:53

Request

xlfhhhm.biz

IN A

Response

xlfhhhm.biz

IN A

47.129.31.212
POST

http://xlfhhhm.biz/muqbxlec

alg.exe

Remote address:

47.129.31.212:80

Request

POST /muqbxlec HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: xlfhhhm.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 780

Response

HTTP/1.1 200 OK

Server: nginx
Date: Fri, 26 Jul 2024 12:32:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=e12c401e2c30d7f758d2fedecf7ad4d7|194.110.13.70|1721997177|1721997177|0|1|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=194.110.13.70; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

ifsaia.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ifsaia.biz

IN A

Response

ifsaia.biz

IN A

13.251.16.150
POST

http://ifsaia.biz/gxiy

alg.exe

Remote address:

13.251.16.150:80

Request

POST /gxiy HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ifsaia.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 780

Response

HTTP/1.1 200 OK

Server: nginx
Date: Fri, 26 Jul 2024 12:32:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=ab235310eebf5d1811284f7497e56abe|194.110.13.70|1721997178|1721997178|0|1|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=194.110.13.70; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

212.31.129.47.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.31.129.47.in-addr.arpa

IN PTR

Response

212.31.129.47.in-addr.arpa

IN PTR

ec2-47-129-31-212ap-southeast-1compute amazonawscom
DNS

saytjshyf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

saytjshyf.biz

IN A

Response

saytjshyf.biz

IN A

44.221.84.105
POST

http://saytjshyf.biz/aybcqpysh

alg.exe

Remote address:

44.221.84.105:80

Request

POST /aybcqpysh HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: saytjshyf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 780

Response

HTTP/1.1 200 OK

Server: nginx
Date: Fri, 26 Jul 2024 12:32:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=29338b6e84228f009c7b8aa56507eb77|194.110.13.70|1721997179|1721997179|0|1|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=194.110.13.70; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

vcddkls.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vcddkls.biz

IN A

Response

vcddkls.biz

IN A

18.141.10.107
POST

http://vcddkls.biz/gqg

alg.exe

Remote address:

18.141.10.107:80

Request

POST /gqg HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vcddkls.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 780

Response

HTTP/1.1 200 OK

Server: nginx
Date: Fri, 26 Jul 2024 12:33:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=4e7079f8d815edb09540c72dbb2b4d70|194.110.13.70|1721997180|1721997180|0|1|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=194.110.13.70; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

150.16.251.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

150.16.251.13.in-addr.arpa

IN PTR

Response

150.16.251.13.in-addr.arpa

IN PTR

ec2-13-251-16-150ap-southeast-1compute amazonawscom
DNS

fwiwk.biz

alg.exe

Remote address:

8.8.8.8:53

Request

fwiwk.biz

IN A

Response

fwiwk.biz

IN A

172.234.222.143

fwiwk.biz

IN A

172.234.222.138
POST

http://fwiwk.biz/blkxgtmr

alg.exe

Remote address:

172.234.222.143:80

Request

POST /blkxgtmr HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: fwiwk.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 780
DNS

137.71.105.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

137.71.105.51.in-addr.arpa

IN PTR

Response
DNS

137.71.105.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

137.71.105.51.in-addr.arpa

IN PTR

Response

54.244.188.177:80

http://pywolwnvd.biz/imunqmcyajwvkqgf

http

alg.exe

1.4kB
667 B
6
6

HTTP Request

POST http://pywolwnvd.biz/imunqmcyajwvkqgf

HTTP Response

200
18.141.10.107:80

http://ssbzmoy.biz/gvcuontoxfnwxf

http

alg.exe

1.4kB
665 B
6
6

HTTP Request

POST http://ssbzmoy.biz/gvcuontoxfnwxf

HTTP Response

200
54.244.188.177:80

http://cvgrf.biz/vfmtfud

http

alg.exe

1.4kB
655 B
6
6

HTTP Request

POST http://cvgrf.biz/vfmtfud

HTTP Response

200
204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=af18eb51cb1c44fb8ede6b55eca766ff&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

tls, http2

2.0kB
9.3kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=af18eb51cb1c44fb8ede6b55eca766ff&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=af18eb51cb1c44fb8ede6b55eca766ff&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=af18eb51cb1c44fb8ede6b55eca766ff&localId=w:29030E6B-39D2-65A0-5B93-B1D2300B7E50&deviceId=6825836757756773&anid=

HTTP Response

204
44.221.84.105:80

http://npukfztj.biz/wwjpdkecml

http

alg.exe

1.4kB
666 B
6
6

HTTP Request

POST http://npukfztj.biz/wwjpdkecml

HTTP Response

200
172.234.222.143:80

przvgke.biz

alg.exe

260 B
5
172.234.222.143:80

http://przvgke.biz/ctwdvejaclyrsax

http

alg.exe

1.5kB
164 B
7
4

HTTP Request

POST http://przvgke.biz/ctwdvejaclyrsax
18.141.10.107:80

http://knjghuig.biz/rwyyxqumdq

http

alg.exe

1.4kB
658 B
6
6

HTTP Request

POST http://knjghuig.biz/rwyyxqumdq

HTTP Response

200
82.112.184.197:80

lpuegx.biz

alg.exe

260 B
5
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
16
14
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

132.7kB
3.6MB
2658
2651

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418589_1A7GR0X7EOYKFPJ56&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388042_1APSAGRCSB9NM0S8N&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388043_1HMYXED637CKIBU88&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301715_1L98D8CO0BH9X0WDY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301306_14JKCMWI1LY9W4K6L&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418590_1Z5SLYPYIFLU5OB7B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
82.112.184.197:80

lpuegx.biz

alg.exe

260 B
5
82.112.184.197:80

vjaxhpbji.biz

alg.exe

260 B
5
52.111.236.23:443

322 B
7
82.112.184.197:80

vjaxhpbji.biz

alg.exe

260 B
5
47.129.31.212:80

http://xlfhhhm.biz/muqbxlec

http

alg.exe

1.4kB
657 B
6
6

HTTP Request

POST http://xlfhhhm.biz/muqbxlec

HTTP Response

200
13.251.16.150:80

http://ifsaia.biz/gxiy

http

alg.exe

1.4kB
664 B
6
6

HTTP Request

POST http://ifsaia.biz/gxiy

HTTP Response

200
44.221.84.105:80

http://saytjshyf.biz/aybcqpysh

http

alg.exe

1.4kB
659 B
6
6

HTTP Request

POST http://saytjshyf.biz/aybcqpysh

HTTP Response

200
18.141.10.107:80

http://vcddkls.biz/gqg

http

alg.exe

1.4kB
665 B
6
6

HTTP Request

POST http://vcddkls.biz/gqg

HTTP Response

200
172.234.222.143:80

fwiwk.biz

alg.exe

260 B
5
172.234.222.143:80

http://fwiwk.biz/blkxgtmr

http

alg.exe

2.7kB
208 B
9
4

HTTP Request

POST http://fwiwk.biz/blkxgtmr

8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

pywolwnvd.biz

dns

alg.exe

59 B
75 B
1
1

DNS Request

pywolwnvd.biz

DNS Response

54.244.188.177
8.8.8.8:53

ssbzmoy.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

ssbzmoy.biz

DNS Response

18.141.10.107
8.8.8.8:53

177.188.244.54.in-addr.arpa

dns

73 B
137 B
1
1

DNS Request

177.188.244.54.in-addr.arpa
8.8.8.8:53

14.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.160.190.20.in-addr.arpa
8.8.8.8:53

107.10.141.18.in-addr.arpa

dns

72 B
140 B
1
1

DNS Request

107.10.141.18.in-addr.arpa
8.8.8.8:53

cvgrf.biz

dns

alg.exe

55 B
71 B
1
1

DNS Request

cvgrf.biz

DNS Response

54.244.188.177
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

npukfztj.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

npukfztj.biz

DNS Response

44.221.84.105
8.8.8.8:53

przvgke.biz

dns

alg.exe

57 B
89 B
1
1

DNS Request

przvgke.biz

DNS Response

172.234.222.143

172.234.222.138
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

105.84.221.44.in-addr.arpa

dns

72 B
127 B
1
1

DNS Request

105.84.221.44.in-addr.arpa
8.8.8.8:53

zlenh.biz

dns

alg.exe

55 B
117 B
1
1

DNS Request

zlenh.biz
8.8.8.8:53

knjghuig.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

knjghuig.biz

DNS Response

18.141.10.107
8.8.8.8:53

143.222.234.172.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

143.222.234.172.in-addr.arpa
8.8.8.8:53

uhxqin.biz

dns

alg.exe

56 B
118 B
1
1

DNS Request

uhxqin.biz
8.8.8.8:53

anpmnmxo.biz

dns

alg.exe

58 B
120 B
1
1

DNS Request

anpmnmxo.biz
8.8.8.8:53

lpuegx.biz

dns

alg.exe

56 B
72 B
1
1

DNS Request

lpuegx.biz

DNS Response

82.112.184.197
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

10.28.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.28.171.150.in-addr.arpa
8.8.8.8:53

92.12.20.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

92.12.20.2.in-addr.arpa
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

140 B
133 B
2
1

DNS Request

81.144.22.2.in-addr.arpa

DNS Request

81.144.22.2.in-addr.arpa
8.8.8.8:53

38.58.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

38.58.20.217.in-addr.arpa
8.8.8.8:53

vjaxhpbji.biz

dns

alg.exe

236 B
75 B
4
1

DNS Request

vjaxhpbji.biz

DNS Request

vjaxhpbji.biz

DNS Request

vjaxhpbji.biz

DNS Request

vjaxhpbji.biz

DNS Response

82.112.184.197
8.8.8.8:53

xlfhhhm.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

xlfhhhm.biz

DNS Response

47.129.31.212
8.8.8.8:53

ifsaia.biz

dns

alg.exe

56 B
72 B
1
1

DNS Request

ifsaia.biz

DNS Response

13.251.16.150
8.8.8.8:53

212.31.129.47.in-addr.arpa

dns

72 B
140 B
1
1

DNS Request

212.31.129.47.in-addr.arpa
8.8.8.8:53

saytjshyf.biz

dns

alg.exe

59 B
75 B
1
1

DNS Request

saytjshyf.biz

DNS Response

44.221.84.105
8.8.8.8:53

vcddkls.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

vcddkls.biz

DNS Response

18.141.10.107
8.8.8.8:53

150.16.251.13.in-addr.arpa

dns

72 B
140 B
1
1

DNS Request

150.16.251.13.in-addr.arpa
8.8.8.8:53

fwiwk.biz

dns

alg.exe

55 B
87 B
1
1

DNS Request

fwiwk.biz

DNS Response

172.234.222.143

172.234.222.138
8.8.8.8:53

137.71.105.51.in-addr.arpa

dns

144 B
316 B
2
2

DNS Request

137.71.105.51.in-addr.arpa

DNS Request

137.71.105.51.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e5bba093558c914412600b08139f9406

SHA1
aade6a767c2fa25c0c46a3df20d139a0ac78a3db

SHA256
9c2e8c916daa231fe42e3645d10d4ccfdef9ee7f897aa1ac7fb2bd6b6a0678ff

SHA512
a57fa43267a9505f7fa87faecda3d649dff72faaaf253d4ae730b10dcc5923ba1b75dee198bcaf6aa94e270be746723d1822758acba30979d9b7349b0795c707

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
cb64ebba77032ec85b8aa7ad91f48d29

SHA1
9735a8fa61cc2afe23330cad3c2be70a43a18163

SHA256
0f048e3e7fcedbf551aa39d11371220ca8b556d2b95eb09910e9f1364ddc9dba

SHA512
a3e526fd114ff4c42e612cc4766cb5c7d8f2529998de59fad900a06845c8547247f52cd21127bfa9842fe4199d4d7132c6a41e4d382cc25d9bb9653f4f5d6790

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
575d7fcf95ff52384492893b3d87d0fb

SHA1
17c3c7a987ed24838b5cff8c195d9847ec10399f

SHA256
77236efdfe87284bd7bdde22605de537c9579de8be52ff4e9020c2c833e3aba4

SHA512
a0003f7c862084d53ac7e65399080aea71b9aff083c398089792c3651df0f76840aa51eeaa4a164615c9a25c870359cea166eed4454ebb29f2e104e8c20dab54

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0a571e66b806c795ffc2c9c192971f60

SHA1
5b8d6c6134ec1734a9b6c86bba662eb61df43e99

SHA256
222ec30852bbfe9ed0230554c3fb9c5ea0199aae7c30c40de1528d1f79893b37

SHA512
b61531b41b0640d82218da02ecd62ae55eaf19cd056561ae4a798d7548e075fd9287c8c9b9f69d3fa337879381f7e6cd3300d68db0b5c9344c33d4be4950bd89

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
136848008483f5eb836a429dd0078654

SHA1
13755afeb8dab9dc50091c642415f967bae5e648

SHA256
d7f1078ffe9f280dfba927a90c31f1c9760554eea6a07ba6598a997b28739f41

SHA512
be3b95bea1497809c1216c3904a720ae26ae35466445c2e874197764578d25b0345890a303f7c2fbede0caa76afe6b80cb8a87731b885dff56f144175f7b4c6d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
bfcb32fb8b288b046ed083a0a02328b4

SHA1
0aaf9996bf8120db565d7046e959a6a28272cc30

SHA256
70e35ec7a05fdce03a06c2abda49be179c44e2dd42fe6bdaf673e998e2758e4a

SHA512
37ab6bc61a11fc2a3c00fa6da1c03e40b39b281b067afc63d79c7b806ebfc708af484861c01fa54a68db4c10ebe22b092f138beb981b25fc0c8e07b009f43f66

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
679245f6bc27d66e7efa0e395bd29d78

SHA1
901121d1ebe778f7e76b11182a852a4f91a4730d

SHA256
eae2efd5d89856973b2ff3e3b2775848790534cd7610ffec68de4a8e56ecbd33

SHA512
c27e09cad2374b4fb7d82bb8ebcb22da0e0abc33b9e9c6031c467767e836f0ec286485d6207dd51b5aad323952cb4a9b5cd420d1cf2fb6acfe15ddc8e5975883

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c7612d46b8e5ab498ff546343b5eda04

SHA1
325530f0efd3e0979510784b7b42a8bd349915c1

SHA256
328ff82f96becdf31a5c383230b195cb5443496c372a0ddf25b76313b7195845

SHA512
f1367fdbb5b66539f7bc819656f6d57ac3288d25a3be740a5221d5428a25e17fe396e673c418bf0cdf11d279e5ac9dc3716701c6e7b1884e1045d694dfda2f89

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
50bf1b2a48d18ffb4e1d4f83a8a44835

SHA1
8ebcfa6b2d2d7ea32e926d41f52124e30d8578c4

SHA256
94be6251cf27029167e0afcb62d203fb102d7c98235c95d68cdfef519a1ff524

SHA512
675f9d84be6ea8aa130ff593e38d2116b885a82c673c4b131ae54a7388369c88fc690fc069ff3736e4f53ed5409d59638068347d64a0ba66525872651e6a93b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
10fc85556e43544bb019cb0365b5f4b0

SHA1
2552e028b22d4993d60adc429b76f6de947798bc

SHA256
3355a31c5a09b710fb01cb95d0e853f8d07898a69bacac9a3959c082369e6a88

SHA512
e8ada02d5ae42cfa4c4f1687359fbb2d09c068a2a303923b5a7916481ae64b08da9f7133e8a43d9e7500782283bb7f4ed9f45ab8f6bf9b72104fd68dd0233e40

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ee6b177f8f90fed5a2f13c698c9110f3

SHA1
a8101c9b4e8ed300d799428a9d8e97689e03f7c8

SHA256
9e58888547a922ede70ff48df7ce5cc68e5b9c262e40a56ce9d437dcb6366e03

SHA512
996b212853b8aba1c41f0ae5b7c2b1f2f75b5e2f4e8a0b8a88cfd965dd0e608dd2898b5dac73f51be71d9c9b0f59fed1205f247c8c6d008044d9813d012ed67f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
818163dc3d633db462bf4395a7dbf7cb

SHA1
6cdee7e3fdf22438e032e1680f2911a550f7a903

SHA256
48785a5343b9433e569ab3a09fb1014f24b7175d4809a9c66c38a6f899c1a89c

SHA512
ba881d1e91428d3cef484517040b5c0edbea6c740d2764e59da38eb45c010c4927ae9403aebb9e9f88c3881912d9378da78481090c306171e96c3a334e2e225d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
4110bdb35c4dbe20bbcb112c75a2281f

SHA1
f1c56c659bb1cb97d739bf2ba7ea7ed7dff3fdfb

SHA256
b11476b8b0b34e3d094a0752257a1ec5fbb68ebdf22a59c2293591889a00d106

SHA512
46765eef2dcecf54b2240ab8030ddcc2e69f68a755e69438e83b23602b2efa7ebad1b40911c360f7290615bb953c20c1ab3b91744d1f4aaa23de57a0d12b055d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
d7bfc1ba60ee5207e32720c51aac623b

SHA1
899d10a0f9d0a8fc5f0e41621a272280f380fdf2

SHA256
9faf0685afe7de304644101e62984ffacc1c0c230a3f363a6801e8a5994a9157

SHA512
4ae6169c27470d253d8f454332cd62e2672f71a43c60207c50ff69e148c8cae2f397e4b20c97734a1bf2e83e9516e4a1c9fbc5aa81fe1aaef2e96f27080d47c3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
ae7bb772e8e16629d2af32db7151b18e

SHA1
96a60c8c9ef3b726187aa1122bca4a08dbee60ef

SHA256
9b5decead71b6176dcf78f366559ed960fbb1553b2bb72f0cb83222ffee97bfd

SHA512
b042413d62b82ad49bf32c9dfafe57cef38abdf98f1f5d6136caae9c35735bd480e3dceafd5232231ea0a4add8ef1a18d4c9b3eee9c69270340f9fcaca865202

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
ca28c9894ee52053d53fe3e7bf351235

SHA1
4dd461dc979254a536c94132b3a3dde1e4d6b49d

SHA256
bb89c9fb25dafc1c27010546a32b72aafbf69fef9368499a10bbfcbf9f3f8aa8

SHA512
8c8eb980f6f649793bcc41d832a6f67491bf241a686d9fda572b47fd7e0b23c14217c33fae39a0c5048018293922955e330a7ed0474d2934acbb8a69a18fbcb8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
49c9bfba8cb87b65159dbc160fe77f98

SHA1
146054e9d66c2597635c3a616e88747ae047b7bc

SHA256
2d6ae118e21be5fd6c4dac78f2f847c66a30060bea9ef10778925b9da15be4e9

SHA512
f39440c597c0257b9ab3072331a27aff1cfa85a47f5ff56a2e139b29ef3648b2e557196535caba50628c9bdc0c63b5497297f8fcc640e3157f1e278ebda43cbc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
0f5380ff332ec7a0d9f120d0efb4eff6

SHA1
8885ba2804336f8c585daf88f22ca4cbed119e4d

SHA256
88b0fb9d952b4a75e758f610f720b3581f100171ac48812b28291d14a939a742

SHA512
112f6607893e3b4de328be41b506482faa8ec63eac49237d55d4b24ed85f2a83f59312c6473b52cb57aa5c4ef67150783155352227a5f54b3a366576fd5838f0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
b345138224f2d98a8e4edb4ee21e4667

SHA1
49ab66c1dee599ef6c01a3e3bd4ebf9088b59855

SHA256
8f72a8d851f0b22fef20fee85b4fac4144e22fc5ad4f2dd133adcb1461275e51

SHA512
968ae59fdfcf42e6063b145d88e7be99b1c96e7b25d3ca683a3b5fa9335ae42ee70ea6e89c38d65b09a196646254d528f26e70a0bf0f2956c8e13fa99b90fdb3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
2a8fd724ec9baa5ca456752b81198720

SHA1
9249a86a9d183a02efe358549dc7ff9a5a56df6e

SHA256
4582e5e4734a220a2ff18398c2e833175c1b1441b1f3673056b78222080708d0

SHA512
d3abd9bf36c722656033ef41a554a5dc20010f29e2fa0433665cc2529cfaf4b5921f44694015a43f2ae004e671ccc33b9920a4e2f90efce2175280075bb9dc63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
cbb5cc606cbcc947495cd33d2c34e4e9

SHA1
459fcfa012187810e740aa0837400531f8315462

SHA256
fe723e46a2dd361516b2205c50df4f7e6912507041d023196f0affa6deb877c2

SHA512
5807caec23e59c2dc7cecb596d538968b3d720c9a10ada5e95f5a4f210cb361fd769f4ef901994692ea5e07435e19d75a02d7da76c1e9f54f6cdfe4b0bf35c6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
3f05a46c7f92be36c8861df3ae323802

SHA1
b2a6fad3cebc169a5e0c94de74e8f0b1cf7662c6

SHA256
71eae521bca16c71a54213aef2b69015db0de576bcb9eddfe1576429e2b9d35b

SHA512
f63fbd01098b67f63f6f62c14cc1cd9f04152421ee3a7e3177003dfd02ee1715d06c833b50e9bdca7edd0331dad45d2f886262898d01eacfa1bc28d54cc22d3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
c91c851f9470084dae707a25abc9067b

SHA1
545ffdd8c937c60f9772b081ac1b089db3277704

SHA256
3969a533f30384e69536e71c0e0fcf5132f390d44c952844470d9b7ee23232c1

SHA512
4264142dcb72ace298e75d23d821b94dbed4d12e7d96fac047aa0788b1bf745d2216b65353d1f2b664c05f70b36bbd7000aa8240fccfcc5d4920bdc918c8d7d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
e409d41bbb5e83619d9684238ce80e6f

SHA1
3ec7440273a62c8a8dccb0921836e3471c546c4e

SHA256
a4bb7916e98c3379528b6464437fd472b98d86f48beefd04971516344a74e5f0

SHA512
dc1b7052fc7719bad1b220cc10835d98c7f103d4c9f3dd2e48df731a25c25f2b3b6315c6f3aea12f9b913d44a70f62cd6a7dd7f82860f65338a8b35e98894e02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
6c9aa23bd7bbd1fc4425f921d42ce0e3

SHA1
06498d1b2bfd5429110a4d2859b5364557cb63c6

SHA256
1c98bee3f38c2dc053df2c45cd276550b45f7246115f4e105b6da1fe931690c0

SHA512
c45d8b4e91f610251ee184a8abe88766d7fd284311fabae6a88667773a4ba909ce78a82cdff5e911d5c67d356e135d638f1eb4577cc90316fd6099a942f5dab7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
0ac97eea9c1a0898f1e3804dcacd90d1

SHA1
8d43f67571482d6d2dada02d175ae048b46b1226

SHA256
769598879868f0a4b8f1f41f38f993fbe3261237488d2aa288ac07e722bb34d6

SHA512
338c7b2e500eec3142423edcacc170deca0fc0f384cd5811f0ab04c2ba1a5542b97082472e039e1786e2e459b66cb669abd64c141386803b2c25779c885093aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
3f46fbc81747f75433594850c23c31f5

SHA1
00588a7a60c68415a220189db45caecf2d1702de

SHA256
67ed401b07ccc7fce5a9edce6726dedcb46166277b290eb7354492277c05206c

SHA512
11cb61ad1c48572ec6022e9e765353e0657ea5c8caeb3598927e895f26655b6e37f213efdbabd6247461231eff6747ad0e91bd9dd60af70e564cdb9a36397ea8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
c584bebba93cc71a3e1fab5bf3ccde76

SHA1
0aeb351c96c13327ecf4fe06712dc4c0fcb889c0

SHA256
b9b6bfbcbcdb423c71414f38ec01c3007066b01a81bd34f9ec9c28e5136761f3

SHA512
36d116726cc954db1c6b917c7b62ab6614d5d9bc78bc51a6b2b2b15c656d7d59b26539c5f60e886efc23293c951dcbaecdaabf5239a760135bc6e5a8b6dd09f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
d75359e9f5e8ac1579c7ae51fd8634b7

SHA1
3c6749bb55a2c171828df46cc55d2925970e5dc1

SHA256
7c9244be6cfb4619bb51975bd7e8a827c752d1ab36052f67701c4e405aef675c

SHA512
55741184c0d1d435a94e812ce204acfc5abd901be111918dbce227a572dacb055684c92f4f8bc2616d307844d6369d6370a71483bac7aa3d729c1e40eb16c4da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
fa8334c6e4ee78c920a310603db2ccdb

SHA1
37ff07b515db278db5a9375b9fba05189d4bd32c

SHA256
786abac991a8c12e019257f42c7ac51360d6aef3d84284926f60c75768baaf41

SHA512
800563ce33919aa03697f77e1ba3ee6d97b80013f4e4c510a2b721795d6f44bd3407f4b7b833076f1a060fe8ebf895f2fbc3d6dca779a66da333990cf6ffb789

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
9bd4525c24c129aa74e144cae8c7c4c0

SHA1
0a4b17c19b62d4ef75828ea5f3bc7dd7ae2f5b61

SHA256
74f69851c9c29f44b34f2dc71be9707d5a7cd395f1f381219a433a88fc0daa7a

SHA512
08661fd20d45b02bc62c9ccae0e0c1a38e622898a30212552e797d56f8c5d0870687d9a40390660ad5200168915ceb8f95682b4c854cfeeb22b07a9c644186af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
0601645f5a9496131bd72218eecfc144

SHA1
840e72abb52d63a173884f2d52d97531a9c75539

SHA256
c071a176aeef3ab78a8b28e163ccc712243be18eca7fb1a3a1abefa5ac09e83b

SHA512
bd69b29c01a82fd302f8ffeec69bc0912be99d02a47ed3f511234bb435132d4d11459d8a289804f99e8ea4d197712351ea0f5ebf70f8fc633c1be20629f065ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
1878d22e33872ab8f48bc84814c58343

SHA1
ff6799f2a7e781065a8dcd2bad7661b7d2ef0ecb

SHA256
da2541a37cb049114393b3a5e7e43e3bcb599ab208a5d067f2466f55b8e0aa4f

SHA512
2449c2385ff6996b9442d208434ab7ab312fd571a41a687e4c3ec763c70d9ca04b8c7ba67e60fa449f08faa50b8786b2b55b3244ac14820cd9ac8b2d2dd92bea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
815cb1047feca85d341827cf97277337

SHA1
128224a7daf793f331612df01e09b4d4949105dd

SHA256
7e5f9db8612ba93250bc40eefa30254849c89ebfd0c415dc45b445e3b5a889a7

SHA512
47d0b690a05a49e34e1178b13324242741fc16ab249c30aed29c932d7ff78d7fefe41647f5cd1491fc5a8726933c3c2d5a8b05684bc368f24cd03c56b487d579

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
2b490a7e8234da53100556bfde326657

SHA1
5772b2ac6a72d873f483ad0e218257fb91bd3075

SHA256
b2fbd11122bb916fdc294ab67bef0412f64476aca2bcff3b3a12e87df17f5a9c

SHA512
23e1ff3417507f1bc253eee2b0d3ee4135f3216399e185a844d9598f7dedb2ec1a91c9e88e5d7328109495a73739f3a89d693977cf1a3484e786adb829c4f342

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
3a16a992fbcdec0b71810ab37ba5ab5b

SHA1
c33799fc5ef4c0628faac2877c47825c525dd5e4

SHA256
6941c05869300e3737b3c257be45148d5e2bca54b35412ae907619e8caf185be

SHA512
e8f04f033c4d4d52c910b22c3afd77cbd794e11723f8a87656789e3214fe0fc5322a75d0b81792edb11cccaaa76e11a390cef82432bdbacca8a9a68fc59be70e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
fdcd76ae6ab2368fe7502fd822a3491a

SHA1
981e2059afef8a3e2664d474532b18dd84bd7b4a

SHA256
ee034e5820aefa6c43bb2e0971d8d9c95c459eee3018611f50304171ea5baf97

SHA512
4f47d0f1d2589c511105c0f9528d3e79fba6a4a0bc78a47d92095a307b7ce058c22a4f43b24d9918933b29d854cde3ed693c99e0ae9d0571c5f2c59cc1d0f114

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
588144d1d86ee8d961a45d68d1d9dbc6

SHA1
b26608fc50947134d500fa683d6ccfea20512114

SHA256
666871b5351e0da4a7ff26bca4de4fdd236aec96c0dbeacfcfc6b45183364c21

SHA512
bd236f0728d28777002e961fc6c7a9dbf16d91adfd4418f484938ed1cc142a647b5084a099545733a0bfa014fa883da4a85fc9916121360d65fbe4f75722e108

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
f72a889b6ee240f5690e4bdfd76f9ff4

SHA1
ec4b77a25cdb4e12dad627c996c842be9ff22dcf

SHA256
83523126ebbdf0c50f8ab53878e7c4ce542c7c9ea5bd04263e406a8892e90b0e

SHA512
ddf8e9f4549077b29a80b97ad2768366ad38a575f9c8edc803547a7244ed67f6eab9ef82ee92310cbb26b87fcef99c61428e4d9e0ef2dc5697a04201513f23bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
f347a99ded754fa8d7668713cf82209f

SHA1
d27eb8ea0a2e57c72e0fcad6e19b2bf59730d3cd

SHA256
5969ff810e2866cbfcff7aa2ed4ac0b2f72a24f996b6c48a612fc86bdaf608ad

SHA512
5308d72b2c37d9617f26abf86289d4f954dac1ef0975480af1ed9f88ce64be8e800ba52c31bab0d4dd12e1d034525a697d537682731b2432ff5a3942858f0893

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
b800adf326dfdf5878ebc9c37d397805

SHA1
8d086b4fb1c9272ec789e8dda105b1398ba25a99

SHA256
0d9756d1eeb3dc55610c864cdb97bcbcde0e5e6b254e44c3cd6c2e08cf34a4bb

SHA512
64e56fe5e0be051c93482c78d085da7c4e56dfb3e41c769b6f8e6bf08c3cdd6d8f808bfdb17fe65828115f00597ea32384a3b87914e7d4a92d50cb84f77e8cf8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
5140e21ced3c560e575b68c81ca135fe

SHA1
58e38e361b4fcb4026f0237502d53ed03a129c39

SHA256
7915ed2f11bcc20c90bc7cd7b2dc77a0a071ba8ec3cf990004078fe9a92755c3

SHA512
9cdcbd45367c4360813ce8e01be6154c47c924196eacbeee5db3fdd8275771ef516d5608b7008b1a645767c01b1d847568b50285abe000ed99b1fec2342bef82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
223839ecbe2c4978b1cdaaae9306365a

SHA1
aa90cabc85fd7bd1817a888b6b124cac11503ea1

SHA256
d6626a6419f211eef8b67a68a17c1b473d12b1dcf2b8dbd195b6193a4bea7274

SHA512
666ff8ae9cbc94c9f47821e17a1cd09a2c27d6b8d5068a7d596e97f3fa4fff776c615ceb9fbb8edcc321944ce86d686b9bb3e20a56955c1e22579b9f3d46255c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
8a435f939345f3f40ec83c35c65c6bb2

SHA1
605fb768d5624604e7df3cee5274cd8f5c157ef8

SHA256
974a9bebd0d334cb9210e7dc6080cfa5e556c85cf8086882c979e048caac2c07

SHA512
6afb9d0e86fd785d975337da4b6f9fe81e86628c62380fc61bae3c354cf9cbb8a4ded0c0017b1fb2a4921c04000788e7229be4248b92f571bc8f677d83e8880d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9a554fef4b876b98ad54040af8052c37

SHA1
232f8a199d412bbaf2da3a25f53ede7e93421896

SHA256
7b6b3d1a4583a33c51b394126d6aca9c79d56b5e46a44ffc4fa3794015f12615

SHA512
2dcd48931ae417c5d087b2848c04201850622f7aa7ea4a49006808a63d784e65c14abaf3b337702a7355880bb5f50330c33227c8f64ed06f7f0093d6987b1e64

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
006182189f8f29e17f40619fedf90208

SHA1
e28a8a44b4e586ad50536b6e135e0944054defef

SHA256
6169c9c4ca0b26c132d369e4e29efd1493b8ff21e7ef39cac8ddfba5387536d6

SHA512
d8ba34eafd99afd29fb4fdef1b72ef9b47cf02f2897e3d9caf9701251047fc90430e9071d61bdd1e0b428d1b91fa5433c5f9a1cde15fc52fd8850d92a2c36cc0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
85fe8c601c083282b46a4be9f1fdad17

SHA1
e4bb4c780f0ab0e71927c20c684707aaa15420b3

SHA256
c3333528796504ae42c1135ea999b2847d414b5edaa6cfcd8f4f622e5f3cf5d6

SHA512
38096a643202ba401138d0c7ef266488b95dd1d178a59c04f47d6875ba02d057a78c67f38a164c75f9567fd2c490adac512e7096777b0c0cbad5cd8a8f15b1a0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3c53bd44d9c057ed296c0aa6a66f5dcd

SHA1
06552abab145f50fa8b36717b325204ad0753b1c

SHA256
6a1c7504aa6c9e53a8d5c6990df00490dc4980c791bfd1dd10d51b035935d214

SHA512
5c9c0137dc8b363362da7cd57cd5096b649d2ee4e7fc77b56bad257a67e3ae816bbe74032e5c8a305bd44a7e49a171b1b9c9e26dfec81ac5893a390e93fe8f00

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d07ca8b12295dea620371c83dc19bbda

SHA1
1014db54c9ac453fc9609be4777cbfe8e01e7c9b

SHA256
e1e9f2ce487b3b6ff938d038cb4fd24785a2ceb0c6e2fb76ed8d2b6ff07a920a

SHA512
7d1f7d83c634fc9b80a46eb75f93f75715be4c63c36fcfc6bf5f5a51a7a88a7d118779682f9b855929221ddf9bee2ecf3a40725ef5baabdfd12e6507f19ee5e4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
9c5af7a0798ce4b6cfecee4cb37594f0

SHA1
0bcfd1f562a4e628f66ce198d67274bf855a8844

SHA256
7024addfb215c26589905996c09f6793b650a30fc47bdc585bb01439e518812b

SHA512
e9406295893b93dd9ceebc4f7db67a869ef895fe87763032afe3f772df5836be212d402188d6a714d989d346f9e32e1cec91168e15774610a2734f7946bf5065

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
5282e1e3acbad5fa35ee6b119977601c

SHA1
1ce14e802efc23761f79108461e768c58bffd87d

SHA256
71e941480abba8864109a6e22587eb9c6ab6bebbbc21b7de74803706e2430314

SHA512
63019f289909f62d969a9608d2955498a03d1161975136ce58facfc21ad4d62f942a2af7a91d07912ff3cfe726f4e1f30f3e73ddec395295481544a8d55c67b6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9827cf8c456e310d49387165ab22bd19

SHA1
6c00e2227f7f17271252b65bd6e307b4e2dcb008

SHA256
2e4f6196d13d9eafddf0dfc8e4876435771e02085321db5403733f47ac860ae7

SHA512
325ebc2a36a15ab94f2886b7e1dfc5769923706bd237c5a09fdfa45d71b7c1832b5a7220424c6226df7f2f4119fb139a8d7cbea52d8d434f5a1473c7fb3aeaaf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4e39b5fc412337c1f867c701d5d9d368

SHA1
59ff4b2b2cc5122ec9da51ea043425563157037b

SHA256
b0b1b00eb78e6cebfccd5170ff6291b173d0aef27b947eab9dc376791f568bcf

SHA512
e21fe635fb74f3527409abd7a308b22874bd12905089813ff814aca0031e99e6fc7f2646d671a37b592d29d7569631b43dd1f9f48491d97db95158bef481de10

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7b190113ad413574ded71bf198b12235

SHA1
24c02fed692f02ecde0545d6174166f511b7c649

SHA256
77bc610fd93cd90b1f72c7da8e84fbe7f305e6f7b22370049d02c4c7d704ed58

SHA512
71498d358402a21ff492ddc88c3c08e9c5d9ed699d5cce35bb0197cdc85a1d4f403579e59d50f705edef0d56facff306f8b2397cbfc8ad2c61b3aada7a6bb683

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
7a6723cf0d09bf0534fb1afb229c8f7c

SHA1
641a55c9368f2baca4dc837ebe4f758f5fdaea72

SHA256
95b2a24153f2a5b5632cfbcab253a5b1186821d10b191734ccc3b63ecda565e3

SHA512
c42b272a5a4957b1f2614422c703c0028aaf5f3b79878ecce3cc53ed2246194dd407bfccba52cdf4ec9850bcd025c33730cd0f52a934d6d2d04400476488071e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0557318f5c6ec5aa88d84cf93c69b578

SHA1
6beb383c67eba6d41a4faed7756e433f75c3429c

SHA256
d21f203ab0ce14e75a76005ac88091ebf44529076d49918cd31492039bc2f485

SHA512
e1074ca21576e294d2893a50cb8d36fa03fc2387cbd4dd775b7b3eae1acb5536cd630925d4e178f5e17c569129842b42d4995716a17da86f0093beb66f1f19b8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6b767446020d715760d2371eca43d345

SHA1
9d64a15a9d711632f272dd872a6b41d8aa85832e

SHA256
c23d35937cd026df0b85c1f64f8a72df7155c5fa6bedc7e40b56b4c673bb59c6

SHA512
feb8e0a9f6378553b8ddd43d708b4fcc1badd0bb1f883ca5abc31e00493fc8a553406fc65b98e1a53d7bd27fbe20302aaf215cd95387f83b8e50f1f82b5dd843

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
e011e3a6023f483b2d869940cc9273a8

SHA1
d9879de73f6a742541a07bbd4ad7cc81669b7b55

SHA256
857480d8ebdd55d64db4ed3ef5c9f52a28d45dbe1f838c901ad047e11c097b4d

SHA512
e906e4cadbc7057ecf1e3010f0a6c454f36ac78a79bd5b0b9829b36066e23b6026506c98c99b6196857842171f23e542c36b99e0dfc8fbc07f7f4fbcb6242bba

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ef6cbc1233542d92d1c27a22833f6e17

SHA1
64956f06259e87970b0b97bb9b56a807a749832f

SHA256
bb8f62a333f1c9d9befcb799f36c9715ae7e87514574834ad4acc0f9d1fb90e1

SHA512
dfc7459f5f97818720e89c2d46e5cb32223acd3a776f403bc0121935081d93431dc9edfcfa8b40803cf14615fbd9a660df431e233084317f3abd137b8920ad76

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4c00d898842f4d05d87b5870c288079d

SHA1
aefdcb1e794d059ce3ed4ff8d5649ccb7eae436c

SHA256
0b29b81d20705eb7ece2bc1b77bf808aaac974efc8540175f6c0f2dfb76e8a54

SHA512
973f79a708d1652b90286c22470c0ac8e5456b005708801a156a18990074b4f0033488038c15cf1ece9523ef4987de1d44317e467fac0c9c812d5f799ab30e23

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
480153aaad4568a3249597279c11d967

SHA1
5c120719e576e2d6957d2c6524a61265a75f11af

SHA256
10ed27296fa38951d6da2657770fb4e2dd91e3d723b718dd1a5ceaf3394acc35

SHA512
4af190bb4d280cb3958717f4827ce5b817250e186f66e7bd3f96ba7df84fd7590ff2b7f105bb260cfff169e94e7e285e2c9b45b85764cb7f5e96b242dd4c80d0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8d0aa892f1a39a95e4ca69f45b462112

SHA1
bf32b564ea97cba0145fe0c4b72757d004688d62

SHA256
8215366bd03afe6e604b30dcf1e0dcbfc73a0ebb132146ad380239fcf8a69fed

SHA512
f65b0ad5d45ae77948e0d9864bbea5ef0996b0ce2d8ff08c776e9a98ce813992658fdb73c2740efbecb43ea6d6b459d01080eb2bc4a755303cbe5f141cd8c302

Download Submit
memory/1028-368-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1028-623-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1112-382-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1112-370-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1308-620-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1308-441-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1308-320-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1436-239-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1436-366-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1436-247-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1436-245-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1600-1-0x00000000024A0000-0x0000000002507000-memory.dmp

Filesize
412KB

Download
memory/1600-6-0x00000000024A0000-0x0000000002507000-memory.dmp

Filesize
412KB

Download
memory/1600-34-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/1600-0-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/1768-396-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1768-283-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1856-302-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1856-420-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1912-397-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1912-628-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2148-68-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2148-72-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2148-49-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2148-58-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2148-57-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2248-233-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2248-38-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2248-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2248-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2272-442-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2272-633-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2500-347-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2500-622-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2504-251-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2504-250-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2504-265-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2992-417-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2992-629-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3060-26-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3060-230-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3060-32-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3060-35-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4104-627-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4104-385-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4316-18-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4316-19-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4316-11-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4316-17-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4316-229-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4632-73-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4632-234-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4632-62-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4632-70-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4636-262-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4636-384-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4796-631-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4796-421-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4856-291-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4856-408-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/5104-621-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5104-335-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5116-324-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5116-538-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request