agenttesla | 23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe
Size

1.0MB
MD5

bdc3b662d1136f20f51f55a0f6a2fb9d
SHA1

ef8baad4f0f3f96e2d04f3c6cea1471bcd651008
SHA256

23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9
SHA512

29036ced934c7668b072c811285761a2b4cdd562b2d269e50be767e8be27589117e84bf0f34b0323912a3dea4545dab9b9e5a6046c8beb36d15ef65056a88ad8
SSDEEP

24576:/GBqWzMJ3rInJFhR1T6a3R6ZFlR+gKT44VoIOL7zk:/CHnca8YL6L

Score

10^/10

agenttesla modiloader discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4452-3-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-10-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-41-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-42-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-66-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-64-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-63-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-62-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-61-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-59-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-58-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-57-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-56-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-55-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-54-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-52-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-51-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-49-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-48-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-47-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-46-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-45-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-44-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-43-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-40-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-37-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-36-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-33-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-32-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-31-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-65-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-60-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-29-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-28-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-27-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-53-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-26-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-25-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-50-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-20-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-39-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-38-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-19-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-18-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-35-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-34-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-17-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-16-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-15-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-30-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-14-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-24-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-13-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-23-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-22-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-21-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-9-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-8-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-6-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-7-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2
behavioral2/memory/4452-5-0x0000000002BB0000-0x0000000003BB0000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4308 powershell.exe

pid	process
4308	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lxsyrsiW.pifserver_BTC.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	lxsyrsiW.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	server_BTC.exe

Drops startup file 1 IoCs

Processes:

server_BTC.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk server_BTC.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk	server_BTC.exe

Executes dropped EXE 20 IoCs

Processes:

alpha.pifalpha.pifalpha.pifxpha.pifper.exepha.pifalpha.pifalpha.pifalpha.piflxsyrsiW.pifalg.exeDiagnosticsHub.StandardCollector.Service.exeneworigin.exeserver_BTC.exeelevation_service.exefxssvc.exeelevation_service.exemaintenanceservice.exeOSE.EXETrojanAIbot.exe

pid	process
4424	alpha.pif
5056	alpha.pif
2524	alpha.pif
1600	xpha.pif
1516	per.exe
1492	pha.pif
2728	alpha.pif
4044	alpha.pif
964	alpha.pif
4812	lxsyrsiW.pif
3944	alg.exe
2996	DiagnosticsHub.StandardCollector.Service.exe
1232	neworigin.exe
4776	server_BTC.exe
2420	elevation_service.exe
792	fxssvc.exe
1636	elevation_service.exe
1464	maintenanceservice.exe
1692	OSE.EXE
2260	TrojanAIbot.exe

Loads dropped DLL 1 IoCs

Processes:

per.exe

pid process

1516 per.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
1516	per.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wisrysxl = "C:\\Users\\Public\\Wisrysxl.url"	23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

46 api.ipify.org
48 api.ipify.org

flow	ioc
46	api.ipify.org
48	api.ipify.org

Drops file in System32 directory 12 IoCs

Processes:

alg.exelxsyrsiW.pifDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\87a3695e94857919.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	lxsyrsiW.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	lxsyrsiW.pif
File opened for modification	C:\Windows\system32\dllhost.exe	lxsyrsiW.pif
File opened for modification	C:\Windows\system32\fxssvc.exe	lxsyrsiW.pif
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	lxsyrsiW.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe

description	pid	process	target process
PID 4452 set thread context of 4812	4452	23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe	lxsyrsiW.pif

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

xpha.pifneworigin.exetimeout.exe23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.execmd.exeserver_BTC.exeschtasks.exepowershell.exeTrojanAIbot.exealpha.pifalpha.pifalpha.pifalpha.piflxsyrsiW.pifcmd.exealpha.pifalpha.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neworigin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server_BTC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrojanAIbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lxsyrsiW.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

esentutl.exe

pid process

3520 esentutl.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3288 timeout.exe

pid	process
3520	esentutl.exe

pid	process
3288	timeout.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

fxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4204 schtasks.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 17 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

TrojanAIbot.exe

pid process

2260 TrojanAIbot.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

pha.pifneworigin.exepowershell.exe

pid process

1492 pha.pif
1492 pha.pif
1232 neworigin.exe
1232 neworigin.exe
4308 powershell.exe
4308 powershell.exe
4308 powershell.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676

pid	process
4204	schtasks.exe

description	flow	ioc
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2260	TrojanAIbot.exe

pid	process
1492	pha.pif
1492	pha.pif
1232	neworigin.exe
1232	neworigin.exe
4308	powershell.exe
4308	powershell.exe
4308	powershell.exe

pid	process
676
676

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

pha.piflxsyrsiW.piffxssvc.exeneworigin.exeserver_BTC.exepowershell.exeTrojanAIbot.exealg.exe

description	pid	process
Token: SeDebugPrivilege	1492	pha.pif
Token: SeTakeOwnershipPrivilege	4812	lxsyrsiW.pif
Token: SeAuditPrivilege	792	fxssvc.exe
Token: SeDebugPrivilege	1232	neworigin.exe
Token: SeDebugPrivilege	4776	server_BTC.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	2260	TrojanAIbot.exe
Token: SeDebugPrivilege	3944	alg.exe
Token: SeDebugPrivilege	3944	alg.exe
Token: SeDebugPrivilege	3944	alg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

neworigin.exe

pid process

1232 neworigin.exe

pid	process
1232	neworigin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.execmd.exealpha.pifper.exelxsyrsiW.pifserver_BTC.execmd.exe

description	pid	process	target process
PID 4452 wrote to memory of 2588	4452	23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe	cmd.exe
PID 4452 wrote to memory of 2588	4452	23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe	cmd.exe
PID 4452 wrote to memory of 2588	4452	23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe	cmd.exe
PID 2588 wrote to memory of 880	2588	cmd.exe	esentutl.exe
PID 2588 wrote to memory of 880	2588	cmd.exe	esentutl.exe
PID 2588 wrote to memory of 880	2588	cmd.exe	esentutl.exe
PID 2588 wrote to memory of 3520	2588	cmd.exe	esentutl.exe
PID 2588 wrote to memory of 3520	2588	cmd.exe	esentutl.exe
PID 2588 wrote to memory of 3520	2588	cmd.exe	esentutl.exe
PID 2588 wrote to memory of 4424	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 4424	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 4424	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 5056	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 5056	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 5056	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 2524	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 2524	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 2524	2588	cmd.exe	alpha.pif
PID 2524 wrote to memory of 1600	2524	alpha.pif	xpha.pif
PID 2524 wrote to memory of 1600	2524	alpha.pif	xpha.pif
PID 2524 wrote to memory of 1600	2524	alpha.pif	xpha.pif
PID 2588 wrote to memory of 1516	2588	cmd.exe	per.exe
PID 2588 wrote to memory of 1516	2588	cmd.exe	per.exe
PID 1516 wrote to memory of 3132	1516	per.exe	esentutl.exe
PID 1516 wrote to memory of 3132	1516	per.exe	esentutl.exe
PID 1516 wrote to memory of 1492	1516	per.exe	pha.pif
PID 1516 wrote to memory of 1492	1516	per.exe	pha.pif
PID 2588 wrote to memory of 2728	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 2728	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 2728	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 4044	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 4044	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 4044	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 964	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 964	2588	cmd.exe	alpha.pif
PID 2588 wrote to memory of 964	2588	cmd.exe	alpha.pif
PID 4452 wrote to memory of 3968	4452	23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe	esentutl.exe
PID 4452 wrote to memory of 3968	4452	23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe	esentutl.exe
PID 4452 wrote to memory of 3968	4452	23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe	esentutl.exe
PID 4452 wrote to memory of 4812	4452	23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe	lxsyrsiW.pif
PID 4452 wrote to memory of 4812	4452	23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe	lxsyrsiW.pif
PID 4452 wrote to memory of 4812	4452	23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe	lxsyrsiW.pif
PID 4452 wrote to memory of 4812	4452	23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe	lxsyrsiW.pif
PID 4452 wrote to memory of 4812	4452	23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe	lxsyrsiW.pif
PID 4812 wrote to memory of 1232	4812	lxsyrsiW.pif	neworigin.exe
PID 4812 wrote to memory of 1232	4812	lxsyrsiW.pif	neworigin.exe
PID 4812 wrote to memory of 1232	4812	lxsyrsiW.pif	neworigin.exe
PID 4812 wrote to memory of 4776	4812	lxsyrsiW.pif	server_BTC.exe
PID 4812 wrote to memory of 4776	4812	lxsyrsiW.pif	server_BTC.exe
PID 4812 wrote to memory of 4776	4812	lxsyrsiW.pif	server_BTC.exe
PID 4776 wrote to memory of 4308	4776	server_BTC.exe	powershell.exe
PID 4776 wrote to memory of 4308	4776	server_BTC.exe	powershell.exe
PID 4776 wrote to memory of 4308	4776	server_BTC.exe	powershell.exe
PID 4776 wrote to memory of 4204	4776	server_BTC.exe	schtasks.exe
PID 4776 wrote to memory of 4204	4776	server_BTC.exe	schtasks.exe
PID 4776 wrote to memory of 4204	4776	server_BTC.exe	schtasks.exe
PID 4776 wrote to memory of 2260	4776	server_BTC.exe	TrojanAIbot.exe
PID 4776 wrote to memory of 2260	4776	server_BTC.exe	TrojanAIbot.exe
PID 4776 wrote to memory of 2260	4776	server_BTC.exe	TrojanAIbot.exe
PID 4776 wrote to memory of 2896	4776	server_BTC.exe	cmd.exe
PID 4776 wrote to memory of 2896	4776	server_BTC.exe	cmd.exe
PID 4776 wrote to memory of 2896	4776	server_BTC.exe	cmd.exe
PID 2896 wrote to memory of 3288	2896	cmd.exe	timeout.exe
PID 2896 wrote to memory of 3288	2896	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe
"C:\Users\Admin\AppData\Local\Temp\23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\esentutl.exe
    C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
    3⤵
    PID:880
- - C:\Windows\SysWOW64\esentutl.exe
    C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3520
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4424
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5056
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Public\xpha.pif
      C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1600
- - C:\Windows \SysWOW64\per.exe
    "C:\\Windows \\SysWOW64\\per.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\SYSTEM32\esentutl.exe
      esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o
      4⤵
      PID:3132
  - - C:\Users\Public\pha.pif
      C:\\Users\\Public\\pha.pif -WindowStyle hidden -Command Add-MpPreference -ExclusionPath 'C:\Users'
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1492
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2728
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4044
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:964
- C:\Windows\SysWOW64\esentutl.exe
  C:\\Windows\\System32\\esentutl.exe /y C:\Users\Admin\AppData\Local\Temp\23b47a050614d71d7081f8e0313c972e9e6b1df6c9eec10f59b6ee06d0506ec9.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
  2⤵
  PID:3968
- C:\Users\Public\Libraries\lxsyrsiW.pif
  C:\Users\Public\Libraries\lxsyrsiW.pif
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\neworigin.exe
    "C:\Users\Admin\AppData\Local\Temp\neworigin.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1232
- - C:\Users\Admin\AppData\Local\Temp\server_BTC.exe
    "C:\Users\Admin\AppData\Local\Temp\server_BTC.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4308
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 20:34 /du 23:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4204
  - - C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
      "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      PID:2260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCCD1.tmp.cmd""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 6
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3288

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1752

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1464

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
856262906092116dcd1ceb34cd66a179

SHA1
e85ae49b75be32d8bccf7323898649adb06e650a

SHA256
24377e2174dcda69334dc1581a233282401f2b73cf89d0a1cba4162e2c6927c8

SHA512
4ed8d198cd087d643f17592e9fc7a5be99f852a1600e8124329e84ef3e81650bfcdfc4831449711d78d8be3b99725d5dcf385dd2f68d247c4c1da8eaac9c084c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
de1e29dd51d075abc205d7897ce7b09f

SHA1
83c55abe902830ddcf966e1c1f8b637322306a12

SHA256
a6e55ffd79d3bf32542d7c63a8d8ec80ce75976b9f4ee1eff28b417da829e0c5

SHA512
00a5abe9309300ae6fb40e7a3c0bb609b7ac5aea449c756d01b596feb1adc6d8f8b62f4a9cd67815d91264a0adb875dfb2194388a7ccc1c25446ff4af6d28cb6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
f8b5d54a7a52abd8504a4b1f606efe7b

SHA1
4fc90239a91613a029a773cc8c6eb49a82d879c7

SHA256
cd37c15d1c3a2fd5541fc20549dced0f71bbf661f9f8c7ba792dbcd05243c016

SHA512
2be77e658e1405fbb22d645b839904087790f47364eef58e02cfdfac8fae389173d4813d1b19ab725f88b1954229c15592451f728b18437a4bf5ca8cbcc1fbab

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6b279c0cd9e2b74601cf25fa407a2371

SHA1
2a87c7f7f13ef4e9aa269a2f66ef45d84b53be93

SHA256
4ace121b9136aab75d5381ed2d9626e05876d7a37c68bb9a993d3aa2a0b3144c

SHA512
36ab11f8d50135a66c1eb9738464b2661dbb4718c8691705e6bdedef8ea51564c94383b7cfc38cefd7236ba2a0dad0cf1f4800e82ab0d9548b44085cca73964e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
77c7b47bc5777d7745f9581de840686f

SHA1
adcb8033bfbc17639c82394567eef92996e1e7a0

SHA256
2dc23893f950e90617caab2b8e07169380b7b288fe76f183a77cbc3e5f7cac83

SHA512
dc9152b0b8b743c216ab09c1ab042bfa8a8abae4d70d1e4b2b2d2414194d0b88404decf1123e445341c6d825fef5f03cd89ee300451d545b55570c5e42fa067f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
273d4cdfd8d24771dd7fd9df1429a87a

SHA1
b4f749ac44ea35a7faab93517cd6d131a34ef59a

SHA256
5c5db9cd71a87a9390d5782f58eaa9eac0ffbde58bfdf75f5e76c2d13d73c009

SHA512
9567ed8cef86179688989da1d8a78eb52a359394c9cdadb2495d9bb7cfa6ca59535dff6e0b9a6ea2f2cfdfe8e0c7844067b29b83f6c2276249f4eb65846ef853

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
22005c786ac1025595cdf47deb2a6c03

SHA1
82037ad916a5c9550665bd793f49fa91d255e06e

SHA256
d44d0f9ccb75d5e045d9be1b41d4831103171f2764e8ee8cb7457ea979559db8

SHA512
4ab005d5df69879e989519b49ace90eb660c4a58dcde2afd1a236c6f236b917679c55617de89f75445fa9d3b5144d78623e0f269620217dcdb2111cb5cbed48c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6759a061d9460276d3f482614e6aebcf

SHA1
886081baf1d8dd58af48009e46b101a560e94186

SHA256
2df238293109e5c0cb1b5ba15bdc1cba0bbcbc2561809539028298cf5a1e8abc

SHA512
1063e86570c7db6e71d90b0608b08adf66653cade49768ddd3d0bf0195468f16fe693dedd1ec356963e88ed0110c6399450d9beb6230282954ba6be2fa6e6fec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
464766da7a6e85b115ca2cc3b79ae410

SHA1
f914218af7efc37064c8ca70f837d2e42b762898

SHA256
f2d7d6ed55514174203f7928a711a5cb67bda44a932ac1c4ca341ce40989304c

SHA512
512e2174c1c18de6c62580054e130056f599dae48f94cb87e28ce7f477d993667140f4385965625a650a00acc5eeef65df61d87c235824c400741b81ed75659d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
66ad4951621cf8af6d4bdfb3378a77da

SHA1
e8d7b6cbd3bfafd510c4a1eca63935faf39e92a6

SHA256
4361a9287f330d8009478c6d9ec1197f17714ad5ed2009d47db31bf749705788

SHA512
6bbb8058bd5f7ceaa64a7eac7012bc1266ab53cd3e54320e069f79f0334f2e4614b3fdd6a7e3fd5f2b322a0780c58bbe957abcabba2709b29bd9ab320d6eeff8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a6275dc98c8002d7771e1be9271d9242

SHA1
e753beed3d97ee32267c35ba07bf5474d6de3d25

SHA256
1a40256216d5baed7b7380ed6389a76b03e78392dd3f568134aed1a3ba9ae6cb

SHA512
bbe2fc84ab5f45f01a6b597359fca00ad7c38ce4e6851bdcca767766e58f8062addfff298624daeaa58f2c524a4dda1422d23c856d77bdbf12948b55a6efe427

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
dfd06950420ec8e7b3b3b56043315964

SHA1
c5584efbd0da385722ea0623f5871dd7929de10a

SHA256
fcb310f660eecdd45aae888925a60365287b0d404f5b7789c426575dcf0e30b1

SHA512
7e8172a56c09655338d1d2cb871c5295a630651fd0cd024c4cb66b1945834f0e43d55ab85a004af532e6c995e7e000cc7ab95ef9a2a0b27649fd452b1e73cf06

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
83f91d26353d89d5195a7fab0d811747

SHA1
4c859ef14016083f82165249f0c5e7c0a6ffe4b3

SHA256
d916a38441367ed7f384707929d9eb8b93327bd56f2027696c438435908c271d

SHA512
acda0946f05ca40b9f7a3d88f9d10f17bebc7b1882b4ab60ef5f716b80093853d660f013babc0a3691d1d9edaf1c943d1694544c56bf6dc4f9cd4619df12eec8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
fc1fbb39125e9c495cbe5c40729128f7

SHA1
9a876b0f77fb9d31b81b1efd5e6cd9d4a0bd7e53

SHA256
cf2be14270accc1a46f601ec1ffa50a8374feb444d6aea2616aebd40d624f640

SHA512
a3de3b081977d92f75e7e28c59bbb13de5d969d6329b650caed0b064dea844e547602e787a4f457766dbe429284bf1c9a882c47906b3be065e4718e143a12985

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4766026aaeefccdb1bd8f5b2da26866b

SHA1
67772be004578f93aaa077c5d7aaaa104b6d572c

SHA256
80518d0b28789abebc5eedb31fa9da66988996b839b35328a2a5f2219105537b

SHA512
9c667f65e6cb1a96ceeabd941f151a744523aebceba7c6d623860a002ba54f8195474d1c7a81e9a96491cc91df63698b9c559400b609fcaa20357908af0ec28d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
4d73dc1e6f48bfce0f88f012b8630203

SHA1
0c677a0dece0a47549851ae29bcfc9bee05923e8

SHA256
1b4c53556a6a95c4d0e930a974dc345be1ca03a848cfac4b6f92f0299d3470a4

SHA512
903ab661d4072de7b9c190857bfbe3519285071b406676c953c7bf4e8c4a5fa3ec4e6f7f89dfb84e6bf74bf163220e05407a62faa55476247e8568b42173cab9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
5fd286129960ed577f7b8d7cc36c2a28

SHA1
9337dad3d3d1e4754264de6c1ef951cbc3b51a0b

SHA256
d9d5e1a5a8b36ea0e0446ac55187270783cbd284370adc459fbb439f857478ca

SHA512
625c62466600b4c5bf7650315094e7c3e9a2e793db3b3a06bc351bbe69a1dea4c88852dab0b16995b4417a7f1c027d0e55868a69fa3d7bdf5c8fbcb11e627c5f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
86a18a46d4357290e302affe7bfcfe3f

SHA1
10dfc6044f4ef6b968dd7c02c449eaacafcb52b2

SHA256
e2a00b2a4e358fd7421a6351622ef1d166c2057acfe4e5a17758fbb884f03a15

SHA512
af98447c8761b6b0ca8c442d7f68c633405e1363ba82797ffca409919388a730ea37f10ebca013e33d9627d5882f1c3d758b2bb8acdff766de40990b9fba569d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
e93dfdd66ffdd2bbb1a6ef960aa04df9

SHA1
6dcdb61acac72f811e9085c2c218f4644a8d4c61

SHA256
296afedd551d750934f7f089311a984ddf38bb5f5e1c9e913835382d8c00e487

SHA512
d30d13fd3b35d82f93f13222b80b304fa58af7ac98a799a8eb973178ea23d338dd4a51e0b17866394f5f6b2ad269eccdd2a4c81d0657d639be2b0c016d548019

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
a1d89235338c7edf6fc430187312c54b

SHA1
1af02d124aa2dbc6e9ee8d8c47b6984a7f52bf28

SHA256
a1d1e11610c276a67a84b977853faf25494fbdbfc9814e3a9fd3c2c530991e44

SHA512
b39141c9b414261193cdc0c77c393f2ffdd13308c1460a005b496723013e3891e0d6dc7c0f5637c429514342bc7e2d515ccb1b34486995afc9692ee5e5758b88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
e651753c728559b4b9f0de68e7dd2a14

SHA1
dc27c77aa8dae185933fb8a2ab67cf2fef7e36e9

SHA256
b6e7e28bd33da642fcc573ad9b06df00774e24b3c46edf33359a103571fde79a

SHA512
4d22c3cc5e380ef5c96c1df339f0b920d33219bbf6d5ddb836968ed454861eefa14016e398ad2d0ba42d12cc13d91a92b08eb701800a36ffd6a08a010585300c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
2ed49705c6e3de727686374de6275595

SHA1
ff7278de6e808163970007beeebe49b67b5849a2

SHA256
cee37c21bac37ef8c45d26ce57ebc9455f1dd42b6c53b7b2b1262a502317ecbd

SHA512
74cbecaa1e41b6e15344ca0bad2b93b4b04588e78bf3e67fe34485eecc71d0344dd7ffbb429792da66a51efa4e71555596fe96700eaeef1fff984bcab99b4cb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
f2213ed45a3bc07dd997a9c500e1a475

SHA1
3cf7a5fb531c0d95991c771d4dae70cd25bd93da

SHA256
14b565f952aef3fbb116b79a70eff5eebd83271bc03722072f45c81c73568d0b

SHA512
51eef20cf1d0a6b319f63bda862ab03b81d9decf889be76190d790e47a06c2030cf31a0be8954a330eae4c8d71d1c7450003c37151b12c8f22465487bd3636f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
ebbfc7695b7719061a8cc2c6462e48d9

SHA1
59b6296b071a1dd862e726fb3c8b4c60224b17d9

SHA256
3ef48868b7f811fe82cd10b347d6e51b070420a824e902777471c2f12e29bc2f

SHA512
45ca097229139f04213d937994e9d026380bb1423284683dfb6cef8cf730cc9bd0de645c1fe31c39fdda45939d456a9ec76b7d9bede79140c58e559c2e0eb8d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
81c62acba9d9bbc0891e2250fd53bacb

SHA1
9512fc4bfd986396be15a8ab7644fa9496d1d226

SHA256
cb890587d3143045564fe8d93530eb29a48977a0b1c1d4158f2f3f0c6815c76d

SHA512
b59765026db97beef2361b3233c52929c2c72d00d859c62e851b0184d4ce7ed8ccc45d6ca79ba1887c0dd2183f56ab8ac88885236d33faaae944f04bbd978370

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
a6a31b1e3ac43f0d0b1d258b8ae87146

SHA1
f7d00f7fc8ba02edb1b4dfbf7b0ff603f81822ee

SHA256
dab2208a4447c2d406f78365888f2c1fce7fc94345520c8f9e6162522d631c9e

SHA512
a8dcb37bb282d4d15bad68a33f4f3808a183ea641099fe9a4f9e2b4517edd907b249f3d7cf1c7dee6c21220d5e15cf67738b6c92e349a4c9752965675a166227

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
ef97acf7e2a0d12722f3680c12331959

SHA1
dd31e77d3d9b3b07cca23f943fb93124fc25188b

SHA256
419dd5f17d6f428ce4c9993172c5f5a43a23ceee90d3faa9c6bbe08873bf43bc

SHA512
ed5f4c87b9f453c2cc7cbd47925e0a2600a1d78cd376c58c54931f8a718364adfd256f958e8c4fe21b82d7863b1d44b9401f9d6b689f69c6fd098c7e1f3e49fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
a37d83bedc9522f9edc5605d5a70eee2

SHA1
df763dbf912f45e154014e76fb63ee7c572fe2d4

SHA256
a0c7cae3bc3c4e11a5567b79ce3aee6f5814277a6df489daa7d6fd5dc73eb3d3

SHA512
2c547b371e2c1bce63280db8ef0f3cc9378dcbd5861dbca8cd01c6f7e84099db61f6e1d3e871467a7c475904d644fa362bcb6b1634811bd236b51227534e803b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
4c1c7bdf0b7a8ebc710901815499a4e0

SHA1
1f59172eb23bf6febd846e2754cfed74f011747f

SHA256
ad53e7390c11aed91fa13eb4c910140b283c366a6b6cba230208e278846f0bf2

SHA512
c5c3ed3a29ceca805544caa69ec4c60742a5d74d2804ca0f483c00138f6e2495826bd6af8992bba2433c527abbeaa001770b4ef4dd8926a7d63e397ec9edbf80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
67318a3c8394d841a36d6be9a9b4209b

SHA1
9106552da47aaa1a10dfd815840a634d5c27d48b

SHA256
dfffcad8fef5674b5b4f1e84665f5c2d2c72b63851966e8fdd8a66317ff7dd5d

SHA512
361f6669fd5adbbe2c4f71d242d46550c805c7e7d15f92c0fcf857e50b7413e132c7421ff42b491445fa08c138417ecf07034752287d8e2bd9d236d10bfdbf08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
641159afc7ced2187cd1896ccc74f97c

SHA1
f8eb473cd96206d6a7fc1acd9a1f2133c552438b

SHA256
de651bfa73808d3b065c65cbe9722c39201df32e8f01350785544fae60d5dd06

SHA512
70413ed6a970dca21b6084a6a008690936cb6f41d678258c6e6125f1eaa163c8f5664394f2d7c5eda0ae3d6c70fc5154097445d322dc5d1b7776289c22acac51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
c29570d5dab9259f25609592d670c07d

SHA1
f9b3825aa99c331318bce9184112120ae6b60c16

SHA256
e2354f209f13e71b4c81a4d0cf4bc12b1f459ad50b61d4a824c4cd9ab438e19c

SHA512
8594451f1fc50381af9427bf292f556e083a7c754871926091a1f40097178b8a0e9277bad03f4bbe6d12c5674c57b2c8ecada18861f49db85a2bb3d0f51d6f1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
672d983dc5e55391e386dd5c019006f0

SHA1
e990ca8cac9bf30583644412161e20c4e493cbd0

SHA256
6557f6ad8b13f8698f735bf4e99659ddb838e5a6a1c1a6694cfff865abe7903b

SHA512
14cf1e179eeb7f1dd8dc4eb74969d9be50590f24dd285d4e5d6a6386e8b15d38e599acc4c87ecf1498e26d1986f7d7a27f8c40bfddffe7b855bead96e50018e5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
f4cbfc324324867dc9433b5b6ef98ad6

SHA1
12ac80100f2b6357eef61be40ad72e7a0d5d60b2

SHA256
5f6c61a11d1a7414bb30072f8b2f00d5df67874f4f5c630ecbb50ea837db3424

SHA512
7d473902e2f4feba6f6e3309c37e59527fbb0d806d7cbb8201ec46a23afe24ce783ae1f51d28b8fb742d9b3f77f07093d3df0b0746e0189e5a398c3bbbe2a51d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tur1z224.4mg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\neworigin.exe

Filesize
244KB

MD5
d6a4cf0966d24c1ea836ba9a899751e5

SHA1
392d68c000137b8039155df6bb331d643909e7e7

SHA256
dc441006cb45c2cfac6c521f6cd4c16860615d21081563bd9e368de6f7e8ab6b

SHA512
9fa7aa65b4a0414596d8fd3e7d75a09740a5a6c3db8262f00cb66cd4c8b43d17658c42179422ae0127913deb854db7ed02621d0eeb8ddff1fac221a8e0d1ca35

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_BTC.exe

Filesize
226KB

MD5
50d015016f20da0905fd5b37d7834823

SHA1
6c39c84acf3616a12ae179715a3369c4e3543541

SHA256
36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5

SHA512
55f639006a137732b2fa0527cd1be24b58f5df387ce6aa6b8dd47d1419566f87c95fc1a6b99383e8bd0bcba06cc39ad7b32556496e46d7220c6a7b6d8390f7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCCD1.tmp.cmd

Filesize
162B

MD5
6f88f35917994a8adb2e6269d740da0f

SHA1
96dc69ef6f6cff841cc86897f815fe868ac1ac1b

SHA256
10b62bde220196dd2784154098a0f5f710499400f1d6a5016ec88183da79c23c

SHA512
f1cdb2430f5864580c56f3399af22a407e4076dc619ec4f834212b476271512f0c1366f6bce7737a7e5bf078745fd448178ac3dbc8726eb8217c50037add6ea7

Download Submit
C:\Users\Public\Libraries\lxsyrsiW.cmd

Filesize
60KB

MD5
b87f096cbc25570329e2bb59fee57580

SHA1
d281d1bf37b4fb46f90973afc65eece3908532b2

SHA256
d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e

SHA512
72901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7

Download Submit
C:\Users\Public\Libraries\lxsyrsiW.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\alpha.pif

Filesize
231KB

MD5
d0fce3afa6aa1d58ce9fa336cc2b675b

SHA1
4048488de6ba4bfef9edf103755519f1f762668f

SHA256
4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22

SHA512
80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

Download Submit
C:\Users\Public\pha.pif

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Public\xpha.pif

Filesize
18KB

MD5
b3624dd758ccecf93a1226cef252ca12

SHA1
fcf4dad8c4ad101504b1bf47cbbddbac36b558a7

SHA256
4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef

SHA512
c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

Download Submit
C:\Windows \SysWOW64\NETUTILS.dll

Filesize
115KB

MD5
fc9b64a2b1006891bf39ebf395b4eba8

SHA1
0e98ba291d77ff8a57b5ebe198ff0c2e6c2bea00

SHA256
1093d0809ed5223c8ea2d723032c0ee2bfd1d971ad6ac69904983ec545000b3d

SHA512
9d5a9716b71b436dd465cdf8ed8471747828420cec7c5dad3406072e53f8de6e31253968e55ef49dc19a8245993b00164f193a3752cc16fce3887c4737db906d

Download Submit
C:\Windows \SysWOW64\per.exe

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
508658466c43d5dc33a58c3f7c501abe

SHA1
0e12515b504c361963359b3bdbe5547ee622b312

SHA256
16d97376b369eb136728fb50a2f1b4cec4d59e4ede6f82f5b9e7c0cb0035a71f

SHA512
b8adf3a50dac457ebe7b17ddd8c8bce2442a24a1033d942bc9ada8ae1df5a46d4c9bd16020c50dff68e65e0f55df9face4d04c7f904ffc8c31bdf538bcc7b916

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
274f9ea0d9bbaf13382b1c19e61b5050

SHA1
770739c118f6ae78fe163937c443f1ae04e24749

SHA256
804a9d832a7cafd302853916c6924a7ef294c932ff08266ae60de843f9481262

SHA512
28825418926297d7fbcd780d427ae0f10c798f9fa2a5ef4b461caa0abd9c26bf0f7894339e9cce28581d3b85c812f6797689574f52884ac77cb3ad4cfa037a7d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fdd434da63ab6191bb440aae2558c43d

SHA1
be328e87b5c6dc7e8d08b7721cca462c0719de27

SHA256
7f530a43e7d2571ff05b9bb0c4c5657e8bb3dfc8160f13f1e268b07be2fcd3c6

SHA512
62ba9c396a5f988b9cd818aa949efbdd3a6a8e1e4cbf38d81048781d077346d0d5a925516cbadbf02d404523b1b83bffcdde0a98f58443359b03c1aba3980df0

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
2854cb0d261d75569aac218e7f4ca000

SHA1
efa390c11b80777e0529cbdf07a4fbda93ae00f3

SHA256
4a15fa30cb723e1d7b0621bc8fcf280384e50d5357ae7542f239e5d23adc4f91

SHA512
0a9e8be90853256f5c7a8cf45690d99815cb15f2852d1b2d6a7010c044001b3af9d7f6879b0639f0b57f82b2e8faec532d0b8d243f11a9ab2d5c620f71a467e3

Download Submit
memory/792-680-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/792-675-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1232-654-0x0000000000EB0000-0x0000000000EF4000-memory.dmp

Filesize
272KB

Download
memory/1232-906-0x0000000007050000-0x00000000070EC000-memory.dmp

Filesize
624KB

Download
memory/1232-692-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/1232-904-0x0000000006F60000-0x0000000006FB0000-memory.dmp

Filesize
320KB

Download
memory/1464-702-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1464-707-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1492-315-0x0000019B3CAA0000-0x0000019B3CAC2000-memory.dmp

Filesize
136KB

Download
memory/1636-691-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1636-938-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1692-717-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1692-939-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2260-923-0x0000000005A10000-0x0000000005A1A000-memory.dmp

Filesize
40KB

Download
memory/2420-664-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2420-937-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2996-622-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2996-936-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3944-926-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3944-592-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4308-922-0x00000000076F0000-0x00000000076FA000-memory.dmp

Filesize
40KB

Download
memory/4308-830-0x0000000002A30000-0x0000000002A66000-memory.dmp

Filesize
216KB

Download
memory/4308-932-0x00000000079A0000-0x00000000079A8000-memory.dmp

Filesize
32KB

Download
memory/4308-931-0x00000000079C0000-0x00000000079DA000-memory.dmp

Filesize
104KB

Download
memory/4308-930-0x00000000078C0000-0x00000000078D4000-memory.dmp

Filesize
80KB

Download
memory/4308-929-0x00000000078B0000-0x00000000078BE000-memory.dmp

Filesize
56KB

Download
memory/4308-925-0x0000000007880000-0x0000000007891000-memory.dmp

Filesize
68KB

Download
memory/4308-924-0x0000000007900000-0x0000000007996000-memory.dmp

Filesize
600KB

Download
memory/4308-920-0x0000000007680000-0x000000000769A000-memory.dmp

Filesize
104KB

Download
memory/4308-919-0x0000000007CC0000-0x000000000833A000-memory.dmp

Filesize
6.5MB

Download
memory/4308-918-0x0000000007550000-0x00000000075F3000-memory.dmp

Filesize
652KB

Download
memory/4308-905-0x0000000007310000-0x0000000007342000-memory.dmp

Filesize
200KB

Download
memory/4308-917-0x0000000006900000-0x000000000691E000-memory.dmp

Filesize
120KB

Download
memory/4308-907-0x0000000070630000-0x000000007067C000-memory.dmp

Filesize
304KB

Download
memory/4308-871-0x0000000006390000-0x00000000063DC000-memory.dmp

Filesize
304KB

Download
memory/4308-870-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/4308-868-0x0000000005F10000-0x0000000006264000-memory.dmp

Filesize
3.3MB

Download
memory/4308-866-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/4308-861-0x0000000005BD0000-0x0000000005BF2000-memory.dmp

Filesize
136KB

Download
memory/4308-849-0x0000000005520000-0x0000000005B48000-memory.dmp

Filesize
6.2MB

Download
memory/4452-18-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-60-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-35-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-5-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-19-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-38-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-39-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-20-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-50-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-17-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-1-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-25-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-3-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-16-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-12-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4452-26-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-15-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-30-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-53-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-27-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-14-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-24-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-13-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-23-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-22-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-21-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-0-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4452-28-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-9-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-8-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-29-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-6-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-10-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-7-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-11-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/4452-34-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-65-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-31-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-32-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-33-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-36-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-37-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-40-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-43-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-44-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-45-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-46-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-47-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-48-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-49-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-51-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-52-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-54-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-55-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-56-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-57-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-58-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-59-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-61-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-62-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-63-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-64-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-66-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-42-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4452-41-0x0000000002BB0000-0x0000000003BB0000-memory.dmp

Filesize
16.0MB

Download
memory/4776-672-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/4776-677-0x0000000005150000-0x00000000051E2000-memory.dmp

Filesize
584KB

Download
memory/4776-663-0x0000000000840000-0x000000000087E000-memory.dmp

Filesize
248KB

Download
memory/4812-547-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download