agenttesla | 3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe
Size

1.4MB
MD5

81c067dc4e31a48f590f84ed0baf221c
SHA1

fa83ebb45efa14f0f88f0f00cf63bc9a46880911
SHA256

3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff
SHA512

02ef9c19fb21ba427ab01ad5412b7b45a0ee8a86d178e149c63ab6b76469892851ecf5e3934b79b1865590ac014a31a6f2603e8e53cfd759b8a7398c5a0ba1bb
SSDEEP

24576:yDE6kndjL6i8soGiR01lqY21j+qP3THodi3PGy7:yAhtaA2x+83zodij

Score

10^/10

agenttesla modiloader discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral2/memory/4652-2-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-8-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-13-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-21-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-34-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-54-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-66-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-64-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-63-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-62-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-61-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-60-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-59-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-58-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-57-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-56-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-31-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-47-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-44-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-42-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-65-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-40-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-38-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-35-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-55-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-53-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-33-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-52-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-32-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-51-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-50-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-49-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-30-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-48-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-29-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-46-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-28-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-45-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-27-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-43-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-26-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-41-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-25-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-39-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-24-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-23-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-37-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-36-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-22-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-20-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-19-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-18-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-17-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-16-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-15-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-14-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-12-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-10-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-11-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-9-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2
behavioral2/memory/4652-7-0x0000000002E10000-0x0000000003E10000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3884	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	lxsyrsiW.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	server_BTC.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk	server_BTC.exe

Executes dropped EXE 20 IoCs

pid	Process
3492	alpha.pif
4868	alpha.pif
1796	alpha.pif
3232	xpha.pif
4436	per.exe
1184	pha.pif
3128	alpha.pif
4508	alpha.pif
3924	alpha.pif
2392	lxsyrsiW.pif
1116	alg.exe
3128	DiagnosticsHub.StandardCollector.Service.exe
3924	neworigin.exe
3000	fxssvc.exe
5096	server_BTC.exe
4844	elevation_service.exe
3616	elevation_service.exe
1840	maintenanceservice.exe
2288	OSE.EXE
2128	TrojanAIbot.exe

Loads dropped DLL 1 IoCs

pid	Process
4436	per.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wisrysxl = "C:\\Users\\Public\\Wisrysxl.url"	3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	drive.google.com
22	drive.google.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	api.ipify.org
56	api.ipify.org

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f0917e8c89816891.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	lxsyrsiW.pif
File opened for modification	C:\Windows\system32\dllhost.exe	lxsyrsiW.pif
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	lxsyrsiW.pif
File opened for modification	C:\Windows\system32\fxssvc.exe	lxsyrsiW.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	lxsyrsiW.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4652 set thread context of 2392	4652	3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe	108

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A1342620-C3E7-48E4-A8CA-2B9DD9AE1E3F}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neworigin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server_BTC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrojanAIbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lxsyrsiW.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3800	esentutl.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1172	timeout.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2568	schtasks.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2128	TrojanAIbot.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1184	pha.pif
1184	pha.pif
3924	neworigin.exe
3924	neworigin.exe
3884	powershell.exe
3884	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1184	pha.pif
Token: SeTakeOwnershipPrivilege	2392	lxsyrsiW.pif
Token: SeAuditPrivilege	3000	fxssvc.exe
Token: SeDebugPrivilege	3924	neworigin.exe
Token: SeDebugPrivilege	5096	server_BTC.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	2128	TrojanAIbot.exe
Token: SeDebugPrivilege	1116	alg.exe
Token: SeDebugPrivilege	1116	alg.exe
Token: SeDebugPrivilege	1116	alg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3924	neworigin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 2980	4652	3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe	88
PID 4652 wrote to memory of 2980	4652	3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe	88
PID 4652 wrote to memory of 2980	4652	3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe	88
PID 2980 wrote to memory of 1840	2980	cmd.exe	90
PID 2980 wrote to memory of 1840	2980	cmd.exe	90
PID 2980 wrote to memory of 1840	2980	cmd.exe	90
PID 2980 wrote to memory of 3800	2980	cmd.exe	91
PID 2980 wrote to memory of 3800	2980	cmd.exe	91
PID 2980 wrote to memory of 3800	2980	cmd.exe	91
PID 2980 wrote to memory of 3492	2980	cmd.exe	92
PID 2980 wrote to memory of 3492	2980	cmd.exe	92
PID 2980 wrote to memory of 3492	2980	cmd.exe	92
PID 2980 wrote to memory of 4868	2980	cmd.exe	94
PID 2980 wrote to memory of 4868	2980	cmd.exe	94
PID 2980 wrote to memory of 4868	2980	cmd.exe	94
PID 2980 wrote to memory of 1796	2980	cmd.exe	95
PID 2980 wrote to memory of 1796	2980	cmd.exe	95
PID 2980 wrote to memory of 1796	2980	cmd.exe	95
PID 1796 wrote to memory of 3232	1796	alpha.pif	96
PID 1796 wrote to memory of 3232	1796	alpha.pif	96
PID 1796 wrote to memory of 3232	1796	alpha.pif	96
PID 2980 wrote to memory of 4436	2980	cmd.exe	99
PID 2980 wrote to memory of 4436	2980	cmd.exe	99
PID 4436 wrote to memory of 1804	4436	per.exe	100
PID 4436 wrote to memory of 1804	4436	per.exe	100
PID 4436 wrote to memory of 1184	4436	per.exe	102
PID 4436 wrote to memory of 1184	4436	per.exe	102
PID 2980 wrote to memory of 3128	2980	cmd.exe	104
PID 2980 wrote to memory of 3128	2980	cmd.exe	104
PID 2980 wrote to memory of 3128	2980	cmd.exe	104
PID 2980 wrote to memory of 4508	2980	cmd.exe	105
PID 2980 wrote to memory of 4508	2980	cmd.exe	105
PID 2980 wrote to memory of 4508	2980	cmd.exe	105
PID 2980 wrote to memory of 3924	2980	cmd.exe	106
PID 2980 wrote to memory of 3924	2980	cmd.exe	106
PID 2980 wrote to memory of 3924	2980	cmd.exe	106
PID 4652 wrote to memory of 4284	4652	3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe	107
PID 4652 wrote to memory of 4284	4652	3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe	107
PID 4652 wrote to memory of 4284	4652	3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe	107
PID 4652 wrote to memory of 2392	4652	3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe	108
PID 4652 wrote to memory of 2392	4652	3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe	108
PID 4652 wrote to memory of 2392	4652	3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe	108
PID 4652 wrote to memory of 2392	4652	3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe	108
PID 4652 wrote to memory of 2392	4652	3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe	108
PID 2392 wrote to memory of 3924	2392	lxsyrsiW.pif	113
PID 2392 wrote to memory of 3924	2392	lxsyrsiW.pif	113
PID 2392 wrote to memory of 3924	2392	lxsyrsiW.pif	113
PID 2392 wrote to memory of 5096	2392	lxsyrsiW.pif	115
PID 2392 wrote to memory of 5096	2392	lxsyrsiW.pif	115
PID 2392 wrote to memory of 5096	2392	lxsyrsiW.pif	115
PID 5096 wrote to memory of 3884	5096	server_BTC.exe	120
PID 5096 wrote to memory of 3884	5096	server_BTC.exe	120
PID 5096 wrote to memory of 3884	5096	server_BTC.exe	120
PID 5096 wrote to memory of 2568	5096	server_BTC.exe	121
PID 5096 wrote to memory of 2568	5096	server_BTC.exe	121
PID 5096 wrote to memory of 2568	5096	server_BTC.exe	121
PID 5096 wrote to memory of 2128	5096	server_BTC.exe	124
PID 5096 wrote to memory of 2128	5096	server_BTC.exe	124
PID 5096 wrote to memory of 2128	5096	server_BTC.exe	124
PID 5096 wrote to memory of 4912	5096	server_BTC.exe	125
PID 5096 wrote to memory of 4912	5096	server_BTC.exe	125
PID 5096 wrote to memory of 4912	5096	server_BTC.exe	125
PID 4912 wrote to memory of 1172	4912	cmd.exe	127
PID 4912 wrote to memory of 1172	4912	cmd.exe	127

C:\Users\Admin\AppData\Local\Temp\3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe
"C:\Users\Admin\AppData\Local\Temp\3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\esentutl.exe
    C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\esentutl.exe
    C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3800
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3492
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4868
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Users\Public\xpha.pif
      C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3232
- - C:\Windows \SysWOW64\per.exe
    "C:\\Windows \\SysWOW64\\per.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\SYSTEM32\esentutl.exe
      esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
      4⤵
      PID:1804
  - - C:\Users\Public\pha.pif
      C:\\Users\\Public\\pha.pif -WindowStyle hidden -Command Add-MpPreference -ExclusionExtension '.exe','bat','.pif'
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1184
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3128
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4508
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3924
- C:\Windows\SysWOW64\esentutl.exe
  C:\\Windows\\System32\\esentutl.exe /y C:\Users\Admin\AppData\Local\Temp\3fc1433cd0c6745b46ddc85b7fdde0d73ef45821af2a2b8d16cbc2c19df92fff.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
  2⤵
  PID:4284
- C:\Users\Public\Libraries\lxsyrsiW.pif
  C:\Users\Public\Libraries\lxsyrsiW.pif
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\neworigin.exe
    "C:\Users\Admin\AppData\Local\Temp\neworigin.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3924
- - C:\Users\Admin\AppData\Local\Temp\server_BTC.exe
    "C:\Users\Admin\AppData\Local\Temp\server_BTC.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3884
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 20:51 /du 23:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2568
  - - C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
      "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      PID:2128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAFF2.tmp.cmd""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 6
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1172

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1636

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3616

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1840

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
413150039289c4f71ae7d73101a1d0e6

SHA1
fa804c160e4be374b18679d4d5cf97ce42b63658

SHA256
b060b3c1d88b0f906b749f4bb984676a4e97eb73a8acc260c448ec5289846e6b

SHA512
9032ccd93dbfb169611bafb748d8584cf3dcf48e5f78ff1773995f5303787d3e8b82e72f4279acc392835105f7b93567721193e35b2b394d65a6214ac7e7713b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
3e9e19ad086164802eb792727362e3c3

SHA1
74ee58c0b64fcc9e510ec1a79b45b5a55435bb9b

SHA256
685da976acd6091d1efff5b52f6e5bea39eb48037f0d3a164e475c2868abc830

SHA512
7e4ab52d81e6a7e8524938cc4ac125cee8d84ea76475b0779340017cd8a03c41e938b2dad5927f3bc2c67cdb460a678fe9eac5386fe9bbe7e2b244b8da4648cf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
2b1f3e274103cd71b97c95f239f1c975

SHA1
2645302b4474ef8db248d1f9d3fa0b25aaa51029

SHA256
51b8b7e848b2846bdb74add8330a9514e58bafa12a91fdfcd754b21504634aa5

SHA512
fedaec4c5d73914d29598dd1414ae814ff6d4827d0fc768b280801721240e3f0db9587800d62bbcfbb2a62b968d10739b9b78014e319015230c87976d1462fb7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
d9d07978cb0ad07322bb8916378891b9

SHA1
a524566aae5d6e782e9aee45ec26320b06b3526c

SHA256
737a679a4fdd265b2f77caf0f39e27331d8768e400055141e69af4a4f6d80cd7

SHA512
e4f0635acc15abb9a621ec31baa34f67742f9a76927866d3cb0242a86fe9dc3092efd4fcd0d03fb0437b9e42139574e309bbd37a7ff12124449b992ee178e06c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3vjumuwr.vqa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\neworigin.exe

Filesize
244KB

MD5
d6a4cf0966d24c1ea836ba9a899751e5

SHA1
392d68c000137b8039155df6bb331d643909e7e7

SHA256
dc441006cb45c2cfac6c521f6cd4c16860615d21081563bd9e368de6f7e8ab6b

SHA512
9fa7aa65b4a0414596d8fd3e7d75a09740a5a6c3db8262f00cb66cd4c8b43d17658c42179422ae0127913deb854db7ed02621d0eeb8ddff1fac221a8e0d1ca35

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_BTC.exe

Filesize
226KB

MD5
50d015016f20da0905fd5b37d7834823

SHA1
6c39c84acf3616a12ae179715a3369c4e3543541

SHA256
36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5

SHA512
55f639006a137732b2fa0527cd1be24b58f5df387ce6aa6b8dd47d1419566f87c95fc1a6b99383e8bd0bcba06cc39ad7b32556496e46d7220c6a7b6d8390f7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAFF2.tmp.cmd

Filesize
162B

MD5
7ae3061a90773d88d735fde054a8686a

SHA1
70a8c70c4ad9bba7f8b0da6391b5a071bde1a1ee

SHA256
9712d2e916cc98423f687f9572d4edf96a5b6e35eb48aa0ac27529a9b3f3e6af

SHA512
8f24effd23ec9a036609d2f7dfba21eadb3b078d5f45e5139f0df7ff42e66c5c010c883b0ae6c87557b8e0383043c4c5f2b7b981a5e0aa77de57d5eb0e6b7a52

Download Submit
C:\Users\Public\Libraries\lxsyrsiW.cmd

Filesize
60KB

MD5
b87f096cbc25570329e2bb59fee57580

SHA1
d281d1bf37b4fb46f90973afc65eece3908532b2

SHA256
d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e

SHA512
72901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7

Download Submit
C:\Users\Public\Libraries\lxsyrsiW.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\alpha.pif

Filesize
231KB

MD5
d0fce3afa6aa1d58ce9fa336cc2b675b

SHA1
4048488de6ba4bfef9edf103755519f1f762668f

SHA256
4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22

SHA512
80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

Download Submit
C:\Users\Public\pha.pif

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Public\xpha.pif

Filesize
18KB

MD5
b3624dd758ccecf93a1226cef252ca12

SHA1
fcf4dad8c4ad101504b1bf47cbbddbac36b558a7

SHA256
4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef

SHA512
c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

Download Submit
C:\Windows \SysWOW64\NETUTILS.dll

Filesize
115KB

MD5
0a3e62e66c8122029ed5c553f61db5ee

SHA1
f64b2c06ac565e89dba7d30076b0e3e22127e07c

SHA256
9c29a4d0bde05024be4419c0b4718229c7fdd5b88d476d1213f511e6987186f9

SHA512
cbee0005f29f779349b6d49be151557ec99a74dcc342ec2700bbfbbc3cb2e884fd8e29e5f88da4e0936b25654f51b01e028bbbaa4c600f07b5397b0654189bf5

Download Submit
C:\Windows \SysWOW64\per.exe

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
21f6520f19cbde90930dbd69e9c83295

SHA1
c27a8837957c086e9884b5723ed758d4395ac969

SHA256
2817f5c3bda8e4d011e5265dd89a93c0a64a7340330ef834bec9e809feb30a32

SHA512
91a77f11b72d3c6ba2a525eff337a7fe24f7f2ade37ef4e8e0d0eba9a2f485a73c7d07097a2f31ac3a823fd937d59e6df23420fa95e91017d4ae8a3f38350ace

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ed943282ed505a48f8f37a49d3e11b28

SHA1
c05d254aa8b963cf8061d8deb0069fa45f6ae722

SHA256
57d7801f350bc6f95223d3a7264efa3f1246205ba975d4a1aa3cb5102997ed90

SHA512
06a5f6025b7c023ffdf1377ee59c507ccfdf51c191355fd955799a62dfeeec57640f4c18dd0ed3f91eb93869995d0f4a64ac08e772befd0c2fee08630952b3e5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
af42c20cd447d37849338f0d2b34739b

SHA1
7bfeb1848a24cb3f4e6433b315250269ba9b9243

SHA256
8e53372fa8f0d3ab9767bc7df9ee8e998625babe121564e54a42e55013a5eddf

SHA512
f7f645789c29ed1d10c11392186f2cf631f572497883aba0263811e2f7bfeeda2e55a059e3d6878a339ca6f750abb176b020d01529813cb71ec5f3490eafad7d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0884a29a333b456d31bea775a7d6ec13

SHA1
4e5702473b4a858a7d9d7e94b4526a9454abb45d

SHA256
51d59ef87ad400cec7178638046d6235c7006950fcb46ef36106ec57f1126e10

SHA512
7caf569c6722cf30164cc146b994eb7063e3d08a46f191664efcb9c1c9597d08aeafbe0d96dc767978728dbd178b7899aea5f5b9f2f0832d3c8f4eb344f497f1

Download Submit
memory/1116-597-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1116-907-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1184-317-0x000001DEAF740000-0x000001DEAF762000-memory.dmp

Filesize
136KB

Download
memory/1840-699-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1840-706-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2128-924-0x0000000006290000-0x000000000629A000-memory.dmp

Filesize
40KB

Download
memory/2288-940-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2288-709-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2392-547-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/3000-707-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3000-645-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3128-927-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3128-632-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3616-939-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3616-684-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3884-921-0x0000000007280000-0x0000000007323000-memory.dmp

Filesize
652KB

Download
memory/3884-923-0x00000000073C0000-0x00000000073DA000-memory.dmp

Filesize
104KB

Download
memory/3884-856-0x0000000000FB0000-0x0000000000FE6000-memory.dmp

Filesize
216KB

Download
memory/3884-867-0x0000000005530000-0x0000000005B58000-memory.dmp

Filesize
6.2MB

Download
memory/3884-877-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/3884-935-0x00000000076E0000-0x00000000076E8000-memory.dmp

Filesize
32KB

Download
memory/3884-876-0x00000000051D0000-0x00000000051F2000-memory.dmp

Filesize
136KB

Download
memory/3884-883-0x0000000005C60000-0x0000000005FB4000-memory.dmp

Filesize
3.3MB

Download
memory/3884-895-0x0000000006060000-0x000000000607E000-memory.dmp

Filesize
120KB

Download
memory/3884-896-0x00000000060C0000-0x000000000610C000-memory.dmp

Filesize
304KB

Download
memory/3884-934-0x0000000007700000-0x000000000771A000-memory.dmp

Filesize
104KB

Download
memory/3884-933-0x0000000007600000-0x0000000007614000-memory.dmp

Filesize
80KB

Download
memory/3884-909-0x0000000006660000-0x0000000006692000-memory.dmp

Filesize
200KB

Download
memory/3884-910-0x00000000701D0000-0x000000007021C000-memory.dmp

Filesize
304KB

Download
memory/3884-920-0x00000000066A0000-0x00000000066BE000-memory.dmp

Filesize
120KB

Download
memory/3884-922-0x0000000007A00000-0x000000000807A000-memory.dmp

Filesize
6.5MB

Download
memory/3884-932-0x00000000075F0000-0x00000000075FE000-memory.dmp

Filesize
56KB

Download
memory/3884-925-0x0000000007430000-0x000000000743A000-memory.dmp

Filesize
40KB

Download
memory/3884-926-0x0000000007640000-0x00000000076D6000-memory.dmp

Filesize
600KB

Download
memory/3884-928-0x00000000075C0000-0x00000000075D1000-memory.dmp

Filesize
68KB

Download
memory/3924-710-0x00000000051A0000-0x0000000005206000-memory.dmp

Filesize
408KB

Download
memory/3924-906-0x00000000067E0000-0x000000000687C000-memory.dmp

Filesize
624KB

Download
memory/3924-905-0x00000000066F0000-0x0000000006740000-memory.dmp

Filesize
320KB

Download
memory/3924-674-0x0000000000780000-0x00000000007C4000-memory.dmp

Filesize
272KB

Download
memory/4652-32-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-50-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-10-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-11-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-9-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-7-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-14-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-15-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-16-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-17-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-18-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-19-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-20-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-22-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-36-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-37-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-23-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-24-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-39-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-25-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-41-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-26-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-43-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-27-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-45-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-28-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-1-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-2-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-46-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-29-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-5-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/4652-48-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-30-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-4-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/4652-49-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-12-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-51-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-0-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/4652-52-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-33-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-53-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-55-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-35-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-38-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-40-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-65-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-42-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-44-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-47-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-31-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-56-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-57-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-58-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-59-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-60-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-61-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-62-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-63-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-64-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-66-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-54-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-34-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-21-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-13-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4652-8-0x0000000002E10000-0x0000000003E10000-memory.dmp

Filesize
16.0MB

Download
memory/4844-938-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4844-673-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5096-690-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download
memory/5096-688-0x00000000051D0000-0x0000000005774000-memory.dmp

Filesize
5.6MB

Download
memory/5096-675-0x0000000000350000-0x000000000038E000-memory.dmp

Filesize
248KB

Download