modiloader | 44d3609f5d4ff96205c75bd0b92f66117f37ac1bec16cab7312fba756e9be6b2

Analysis

max time kernel
300s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER REQUIRED DETAILS FOR COMPANY.exe
Size

930KB
MD5

3e0497676ffe40cc443ac29438f92b18
SHA1

042b14a498d9f8c2c7ad2a1127710e5e3361342e
SHA256

89882ef5b9491ab9897666dd3fa56f738a84e2ec474099e7564c78e562b91035
SHA512

5ada0f1b33fa0709302b8da2e33d23c549ba53442d9159cb6941f05b4f31dae9776bf3984545c1391bfdd1d196708a7eee7f341278d3c079235d59068dd76ec9
SSDEEP

24576:R7sP5Kw0G1OAc8msbN0o2IDGHfPMFQJQI/zN:R8o9G1bTcfPMFQJQI/zN

Score

10^/10

modiloader collection discovery persistence spyware stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral2/memory/3788-2-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-10-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-11-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-18-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-30-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-53-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-65-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-64-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-63-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-62-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-61-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-60-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-59-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-57-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-56-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-55-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-50-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-47-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-42-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-66-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-41-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-39-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-36-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-58-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-34-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-32-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-54-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-52-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-29-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-51-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-28-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-49-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-48-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-27-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-46-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-26-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-45-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-25-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-44-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-43-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-24-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-23-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-40-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-22-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-21-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-35-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-20-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-33-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-19-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-31-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-17-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-16-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-15-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-14-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-13-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-12-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-9-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-8-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-7-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-5-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2
behavioral2/memory/3788-6-0x0000000002CA0000-0x0000000003CA0000-memory.dmp	modiloader_stage2

Executes dropped EXE 23 IoCs

pid	Process
4220	iovikpzU.pif
2068	alg.exe
4224	DiagnosticsHub.StandardCollector.Service.exe
4892	fxssvc.exe
2684	elevation_service.exe
1956	elevation_service.exe
4516	maintenanceservice.exe
3888	msdtc.exe
2660	OSE.EXE
668	PerceptionSimulationService.exe
388	perfhost.exe
1068	locator.exe
1724	SensorDataService.exe
2296	snmptrap.exe
2352	spectrum.exe
2944	ssh-agent.exe
1432	TieringEngineService.exe
4892	AgentService.exe
3100	vds.exe
3820	vssvc.exe
2560	wbengine.exe
1192	WmiApSrv.exe
5112	SearchIndexer.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iovikpzU.pif
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iovikpzU.pif
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iovikpzU.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uzpkivoi = "C:\\Users\\Public\\Uzpkivoi.url"	ORDER REQUIRED DETAILS FOR COMPANY.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	checkip.dyndns.org

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\spectrum.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\vssvc.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\SearchIndexer.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\fxssvc.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\SgrmBroker.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	iovikpzU.pif
File opened for modification	C:\Windows\SysWow64\perfhost.exe	iovikpzU.pif
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\TieringEngineService.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\wbengine.exe	iovikpzU.pif
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\dllhost.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\locator.exe	iovikpzU.pif
File opened for modification	C:\Windows\System32\snmptrap.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\adf37c6638f5360d.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	iovikpzU.pif
File opened for modification	C:\Windows\System32\vds.exe	iovikpzU.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	iovikpzU.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3788 set thread context of 4220	3788	ORDER REQUIRED DETAILS FOR COMPANY.exe	84

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	iovikpzU.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	iovikpzU.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	iovikpzU.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	iovikpzU.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	iovikpzU.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	iovikpzU.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	iovikpzU.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	iovikpzU.pif
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	iovikpzU.pif
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	iovikpzU.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	iovikpzU.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	iovikpzU.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	iovikpzU.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	iovikpzU.pif
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86328\javaw.exe	iovikpzU.pif
File opened for modification	C:\Program Files\7-Zip\7z.exe	iovikpzU.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	iovikpzU.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86328\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	iovikpzU.pif
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	iovikpzU.pif

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	iovikpzU.pif
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDER REQUIRED DETAILS FOR COMPANY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iovikpzU.pif

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6005 = "Shortcut to MS-DOS Program"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f21afb563d51db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acefaa553d51db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007f8b5563d51db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c8e2f573d51db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082207f563d51db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4220	iovikpzU.pif
4224	DiagnosticsHub.StandardCollector.Service.exe
4224	DiagnosticsHub.StandardCollector.Service.exe
4224	DiagnosticsHub.StandardCollector.Service.exe
4224	DiagnosticsHub.StandardCollector.Service.exe
4224	DiagnosticsHub.StandardCollector.Service.exe
4224	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4220	iovikpzU.pif
Token: SeDebugPrivilege	4220	iovikpzU.pif
Token: SeAuditPrivilege	4892	fxssvc.exe
Token: SeRestorePrivilege	1432	TieringEngineService.exe
Token: SeManageVolumePrivilege	1432	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4892	AgentService.exe
Token: SeBackupPrivilege	3820	vssvc.exe
Token: SeRestorePrivilege	3820	vssvc.exe
Token: SeAuditPrivilege	3820	vssvc.exe
Token: SeBackupPrivilege	2560	wbengine.exe
Token: SeRestorePrivilege	2560	wbengine.exe
Token: SeSecurityPrivilege	2560	wbengine.exe
Token: 33	5112	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeDebugPrivilege	4220	iovikpzU.pif
Token: SeDebugPrivilege	4220	iovikpzU.pif
Token: SeDebugPrivilege	4220	iovikpzU.pif
Token: SeDebugPrivilege	4220	iovikpzU.pif
Token: SeDebugPrivilege	4220	iovikpzU.pif
Token: SeDebugPrivilege	2068	alg.exe
Token: SeDebugPrivilege	2068	alg.exe
Token: SeDebugPrivilege	2068	alg.exe
Token: SeDebugPrivilege	4224	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 4816	3788	ORDER REQUIRED DETAILS FOR COMPANY.exe	82
PID 3788 wrote to memory of 4816	3788	ORDER REQUIRED DETAILS FOR COMPANY.exe	82
PID 3788 wrote to memory of 4816	3788	ORDER REQUIRED DETAILS FOR COMPANY.exe	82
PID 3788 wrote to memory of 4220	3788	ORDER REQUIRED DETAILS FOR COMPANY.exe	84
PID 3788 wrote to memory of 4220	3788	ORDER REQUIRED DETAILS FOR COMPANY.exe	84
PID 3788 wrote to memory of 4220	3788	ORDER REQUIRED DETAILS FOR COMPANY.exe	84
PID 3788 wrote to memory of 4220	3788	ORDER REQUIRED DETAILS FOR COMPANY.exe	84
PID 3788 wrote to memory of 4220	3788	ORDER REQUIRED DETAILS FOR COMPANY.exe	84
PID 5112 wrote to memory of 2400	5112	SearchIndexer.exe	117
PID 5112 wrote to memory of 2400	5112	SearchIndexer.exe	117
PID 5112 wrote to memory of 3436	5112	SearchIndexer.exe	118
PID 5112 wrote to memory of 3436	5112	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iovikpzU.pif

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iovikpzU.pif

C:\Users\Admin\AppData\Local\Temp\ORDER REQUIRED DETAILS FOR COMPANY.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER REQUIRED DETAILS FOR COMPANY.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4816
- C:\Users\Public\Libraries\iovikpzU.pif
  C:\Users\Public\Libraries\iovikpzU.pif
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4220

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2256

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1956

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4516

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3888

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:668

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:388

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1068

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1724

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2352

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4144

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1192

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2400
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0b18d39c9b2bf597f240cc2f1f6c19ff

SHA1
536e5ded83f1cd1486b9314a474b9e2218846a7e

SHA256
dcedbd6285bd78191762a5cec70122848a01c1b5e02706f045656a1055a3eeca

SHA512
73fecb10f72be442afa7a89223ca37ac590823870327a15f26261b35885cf81ff14d470a1942e860d7b79a604d156883657339a97f941271ecff16373f6c5cf3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
502aa9a301783aba505f4399e20d9de0

SHA1
ec96fda8b8c2055fd130113a4c31503e2ca03c32

SHA256
7ade1c80cefdf6756cd36b6e66c69fa70bb4971e5fcc79299ea9426b8207d6a3

SHA512
bd50416c43c593340a3e521df9ea3482a1ef265fc388129ee81583dc31b1d16a6a9339dd0a7571d90686413e7999f77708c06f33c94d44d17d283e1277fdc264

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
e5532b6ee9c35b880babea02591983f7

SHA1
2f4fc7937f3c6f9d5b058877f434a86b8359675b

SHA256
16dcf0e5f82c10b542ca549f4f2c6c9f9a5329de2bc46c49db966d48c08a53b1

SHA512
c4f0b9509412fced87ae3f66cd3283f3d95434707a303f46624e3b63e7779092438994546dc7d9d239a036d25841ae3574927e08606e83d339447d480a8e84be

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dadb9fa8d27d4e0e46a318347007705a

SHA1
8646aeee196c3cbe7b11ca5573aee89ce7f3d846

SHA256
12139eebb6bd91dc2d300afac2bae7861ae3bca36bf11fa485c31b9a5d16e50c

SHA512
c4a693c8e9c9cda2e2c13280a7ce3c4b9eec3f8b04725ea845f505a45591b6a45035f3f5720103affe4fac4f6790f1f652e5403c784a310142a5d206dcae9cab

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
50cb4c39ee25fee913ff134e8fe8596b

SHA1
ad74acf154864a2b294a4b8202c4601791250d70

SHA256
90c501644aa1da65b582aa2dcd2e2d155783f5573a4623c9dab1cd40d4eb391d

SHA512
7c7a870df1a0d523e711ce956428427fdace1035fc778a929e363db8e923c4fcf64284b0e70153f7937b7e7da099e98b71e00018b24a20b988bcabc3884a17bb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
85af19d40b657bb52e8df9a730e7653e

SHA1
d4f5e75ea0ce09e1247789728dab6f85ea61f97e

SHA256
4305f497929527af9deeba6ab3db88a81971db58f88505ee85f7a201ec0cbd68

SHA512
748562a40f7bae9b5ff22d550f1bed961e23a532455d1e24c8a577e59317577cfd4deda3107e1c5bc41c4013955786acf57f09ee4084d4c1fa4f9b8b9b4a1ec3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
a51bdc2a9152e4e60c318fc7cd2bcd12

SHA1
30809af33a647ec0d267cbd4c930a64f4719197a

SHA256
82bb36cf3788a20b08cfac5689d2225c02868d71f5fc75d9a88ef7045ab7e21e

SHA512
c89401bd19432b726b9fe05136070a265aad51eaf7a534cd6f8976c66b9571f39a0c668c4c270205418e5856c118ab7e6a6084700cb8e91d31bec142249904e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5e1d760657af259b4f7554edb684d88f

SHA1
8b49597df700d0807caad365b476a171ca07324f

SHA256
04259924738e5435813434e33201694540dcff280c0bf0b65119de73f1f7419e

SHA512
77e944f36424c8fa16412d043830e5cae053e7f67b1162edfb295b2847b826dfe9e0e927cacf243492a758f0af087b4bcf6f08849540773eda52cf7a03e48f3d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
b3945d69f89796dc6e530d21c2aff304

SHA1
da1a59abf612264b75b842e6e3590f32961c98a1

SHA256
677f030d7e1c87ca65eaa494780d1fd86137f6cdd18e96d273d8e8f7a1d4ab06

SHA512
c6b892b04e49fecc9c629b4f4ef262217800237d45796931a70eb7c38d71bc05f3b63fac23ed7ae2c87cae58fee3482de6d72aef5ac9f1aeff6f76ae3c233510

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1aa18648d270e32c90057981707225ae

SHA1
2915e88835b6f06f027b2f1ea81d1fc743dfea02

SHA256
749a81f1372c02e54553086bac5a0a87fc68f929f6ea6eef0a28d4dbbe4d700c

SHA512
7b3fde9121796005b7f46fb16503f7cfee5a6ae961821745e833d8ee492607e504668658da2427697e96fbb9043a5f98547079532e897f1340cd1a4e1126a521

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9aedcff5248826d6873423432b72de92

SHA1
b0f21d85306c931789d24800ccbb90b8dad868db

SHA256
0f70e14cfa3fff37f0a5846f6ec74178d63e8cb6b356a647dae9080c0f09b6a0

SHA512
392b8820c9fcb110dbe4362368d5cd4379c6621f67e93505584b4e00b022da3599242f2692334f4915735e6dca0b133c06f28b01689236e7f6e2a5871fc3a25f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a17ce619e4c5ab38657d5005cba07e91

SHA1
c997c7e20beaeec43fb00a28dad511aa4213d65f

SHA256
5a1aa633736b69eb1bbc474b788851b62bf2b7627e82956e72368f4623b84915

SHA512
ca44d8d1d9fa6a74ea95896e4beeb2bbf54683a715fa8571b5559d403df2fbbbaf39db670658416d7b6c5fd5c56c45b2c7c1747f787d7ab583c168e610d124a9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
c083c14aa17375c46e372ff313b46cfc

SHA1
e3475f769eca7013cb37f2a8d44a3ab0469de53c

SHA256
74b166d175e839455fad86a6c44ce5aea2661c3ce862a32d9466802655bc72a6

SHA512
eb0eb09bea733e30f06170088393216b4f63db0ccf7b2b1ccb518673c500a1e57e59220b2b693279c9aa50b2cc31fff40f685cd028cbb264e425563fa357b3a2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
bae1ab4e80170d462080a4d7826fef44

SHA1
cafc412ff68bc0aa32b4494750e8bd122d44933b

SHA256
73f5b944b578077d19e7ca096f2e51a4a4ce1222270e940e422856c52ccd3ece

SHA512
156f1d21a1db23a4d69485665bd0dbc08bf6e17fc02d43a6bb2d10dfc20e400c7c786e86b5de1ed221df3251ca60e143bb85770cc903298b42c961493435d2c0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
e96428881e172005f70581c903d9d98e

SHA1
d1f73887b3ae15f762057aab17caf84475f37ba7

SHA256
4b6cef1049e9a344b57831f5905d43798236d4b3c39464d8077d1d19fe97e89a

SHA512
1e4c7257e35ba84c09bbb126531a18adb3120b2c5779c11f6c386be7e25593539f964284866ac26b71b9219899291fcbf1dbb284ddcd859e8a7bc1612f323351

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
71bc4130d0bc65da554ccab4902a4e52

SHA1
5ca47eb393278539f1cd2973a9f4ca517ce7ddc0

SHA256
39a72832ac9f4e1cd057835f8bac4f2dd851f75e140995a4487cc6f13102af94

SHA512
16a728306c14f4dcd36c9e9c6d05cbd0ca33f6e88eaeb7c2add898c719ea209f1a249ed2b5d74713fef73f9fc50b9a727325633d2d0844e96082830bdd54b09d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
e943cbd03aebb2d91cda2af236ae4cdc

SHA1
9f1cb46c6046d7f4161a30a80530a768f0ef2647

SHA256
c12bb090357e3b460695922dc2bb1c84f1d1d0c633fece060e12c5e74320d23d

SHA512
eaaceea89b666891c8afd2aedb6403c907d674cdd49bf95deeaf54f5c80db0d8f57450a58a3edabfb2daac1fa7cd78d1a6a9f3dba6aa36f837fcbbf196e62311

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
d1641e6742f9d42fc11e549b73df4dc9

SHA1
f5f0b326cecb1c19062c29bcac9e6316331a9161

SHA256
afad4472bd73754d76d872c9efc881278c95174243028fc871296967c251792c

SHA512
4583c4f9664a558471e450020f3215b9e51420b7b8b4e5ab9f18bac7f992b1b3523c836d3d8868ca16c21b581a244212c306ae4dc875d3bcfa47332b297a0be9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
1d9dc4430de2c2c31bb279953f446f17

SHA1
b1a93f2daff29f316bbb466c6efa9ae834fd1dc6

SHA256
46c6a6c3e13112932a30582ab254368c9ef2893db183143666d39e11998c8eba

SHA512
ca34bbe5d90114bb94ec951fb0fd1bde95c4e5081c62b1edab3f0bb0029bcba28e096e457a953a2010748685c7735ade1bda2b114516e5347e2876ac09e33791

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
685ff7973c76f8e72a4a144f92517430

SHA1
3e11826876841c44edfc96aba042547577e578c7

SHA256
9dd8fba68e9b9a62618ed0f56c18a22bc35f2baa5b452d1d48867000f0d22a62

SHA512
c6bf146db2990b5260cebee39bbf653e0b1bd2384526c7537719e6db616aac1b3113b7c1d131bd90e83cf1caf445495c9290f05bb29fc1557b3d4f2d3fe64677

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
a86988dc78b7111df8271dac87288699

SHA1
c3aed2cc06e9e37156a1c42e7a826f33d8780bee

SHA256
08c982dc2cfcbc1d14b81ce4095b70ed109ca94e6cf8bf18c0c509cb8aa6bc44

SHA512
d2822698979937777849d92bd7716f97a3c14769733405c5bdeff196012971968f32f9d83039788c17f74bd3638f07e799270085bfcfbd219f7e2368e0ef90de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
366381ea4256645897c6ab865121c63f

SHA1
8f91eae3e4c65355690943ea71adbd6bdb07716c

SHA256
cd6d6de58ef875e9c5ff0f71e8433234fc6feb401eeae916ef948c5c22710b66

SHA512
6aff957922bd8f99690744267a5ee40ef622b6450873905d8b9769a93f8f33a415d190d82866571768ff4c0b06e5d44b87bc696253b74b83443a2406ffbdfbb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
11df0fd26282f5ef798efb2c61735731

SHA1
cbc5f19fbda65092e99738cd5b34d8c0eeb4d83f

SHA256
662a7ce33bb8563e642dc11dc5aeafbff8451f35a42a76f5a4f4c10ee5da2738

SHA512
a8773cf6b47f821412f6ff4e31e6f230522f554f13e6dc6b97c089f411058b246a443dc2c270a3cb8ee7ffb30d4ad7311edd6c28aae4acaf3223c609115c509b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
12d260ef08dc472f07f9faf7fcdb1f5b

SHA1
f22ab664dbac499c3d29e38254246b2cab5ead44

SHA256
3881b609d31e38c735dead13f68c62c468e0faae0f5edd48f27fd2152f4979a7

SHA512
55113daeb1b222e3567b76859af80d1fbaf752906eeccf17b0c854ee09d2c47a60855ac293eb1daf8921649729fa0cf5aaa49f58e4e4415a15ecf0efe3dfb591

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
d6f46e75fc2f52e6fd41672380a125cf

SHA1
d7a5a6ed7285584b9d8da9d7b9d09d9bc08691f3

SHA256
f6e4e94e033b1a59d0b7d079cfbdc568b7279edb8bce2849b29f9a3ec6da32af

SHA512
4a67ce8c904898ab114219f8fc63eeb8b50f6457f559e26a8b44aaaa82bfe1e39b2fbda75f7a0136551123d1e5dc1037cfc542e1a5633b9ebf77fa8a2832f43c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
59e51e4b32173c5980137b06002510dc

SHA1
392fc247932418c27793ef5a5085b0c4e36a4c60

SHA256
088466be6860baa32351be064c05dacd61f8816f9f4725c0aaa1e0203e49c68c

SHA512
f3daffc2383fb52ccaa111241c1fa5e125167e0805f12eed1474bf56ab8fbcc2df89e1a9050f06d996990d291f6bd98108d76c1f523ffb9e6816886a5e64be9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
19517bcbaca614057b0af5b966f2ca95

SHA1
d005c782f5feb899b7c4181936089cb52e881863

SHA256
dda68ed07c534c4dd04230ed5bc3c6dca24f631f4f2d8405b97114014d97420b

SHA512
3be9ff2c670ba8530f40e53edc0e57e8038239934e7d7bf3775cf186d870d0045f04b9bc68287404c1c925c4d25685cb51c5561334b0cc193a0e7c5d3094f028

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
542b50f366db46dce9278a17b9e45c00

SHA1
e3585092090f944cc2e6f1de69a3ef38f0ba4bc9

SHA256
9178587cae1cad0495459a2949be561c32db5fe35961573ed3c09f536f49598f

SHA512
3b48537a7ae8c4b9aa767b268c4f7466c3df3f736e3f91c871f8be6113322a3cd51fda628dd2a2938a22331fbda9acbd2106bdbc74b6d9853bfe13eb985f37ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
1c372290c7f171d17357e6cd494ef846

SHA1
5d386b8cbeb7675d916fba784fe2f780f2805ade

SHA256
defab0909cb35936b391ca94a645308bcbe180fde2375dc5b2d474b2bf1f8601

SHA512
d2e73048a581d3f4faa22d0b35f9712129899b42a6e057f37fe88919a8e5516bab9d2d6de74154c04700f98e08060a0b5cfc7981d3b2531f1dd7d519cf240d13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
c2b927563bd864d15c0e4bd4cbcfa71c

SHA1
e7fec6ffcfbbb13f298ddb34a7c9d927022ef1c4

SHA256
9213c21d7d645605349df7f4170df3cb73716046ec762a1cccdad5288bff0be9

SHA512
4948a4e4d3b47666e53b4a2dc8663db3610d2a2c8bf7e3839158935adc86e48b67df012aca8d76cb7633ce5564373e10965421b8eeec9eab51d0fd53fcbe15f0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
691dcd3a0c4a88317e534cbda93967a4

SHA1
800730ccd6bcf3bd2df838375f5b0a58a7a9a2c4

SHA256
14cce515dadd59fecbde127d37bdea1d7556d332a62934b2b6a4aff2298e9fd5

SHA512
3437a767e53206182bf90317dcda625a8d26be380638a5334f9cb094f55bb25b5705b9d2a6412152b459ecfa45025bc6dd0af772cb6b0a7c61a1503bb573ea50

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
17ae99d39f7b30d48506a1b770ee0bc7

SHA1
45d96fb54b1c9a7c56e0e4307b743b5ccd677ecb

SHA256
d66366bdee8a926c5d7ab484c3e38a0418b1a9e17c1bbca47dea486c6d824f3d

SHA512
072ae1123d8b84fc90d980ae9831f0447a51e2e8bb374bfba1b537595672d4e256c9ce6477f1213eaf6b6f775d94e9a9c9549b6ac072980675672de6f78820df

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
60cd0be570decd49e4798554639a05ae

SHA1
bd7bed69d9ab9a20b5263d74921c453f38477bcb

SHA256
ca6a6c849496453990beceef8c192d90908c0c615fa0a1d01bcd464bad6966a5

SHA512
ab3dbdb4ed95a0cb4072b23dd241149f48ecff8a69f16d81648e825d9d81a55954e5dd9bc46d3d7408421df30c901b9ad1385d1e70793fa8d715c86c9e800c57

Download Submit
C:\Users\Public\Libraries\Uzpkivoi

Filesize
1.6MB

MD5
893054df9d74f1fb81d024f8ceaae022

SHA1
63d178681df3e7b31930c8afa0fc9a92fd7e7abf

SHA256
0ad8ca1074e87f6605ce28e07db7ce9a64ae2370e111b9dfccf664e02149248a

SHA512
58d9441f4c967db9ef1570827a223a3c4a3c8b9761d341ce66f9402a22d57150f811b526cd0a9efb9d0ad219312626c8aea2b659804275e04f96fa2220ee80ac

Download Submit
C:\Users\Public\Libraries\Uzpkivoi.PIF

Filesize
930KB

MD5
3e0497676ffe40cc443ac29438f92b18

SHA1
042b14a498d9f8c2c7ad2a1127710e5e3361342e

SHA256
89882ef5b9491ab9897666dd3fa56f738a84e2ec474099e7564c78e562b91035

SHA512
5ada0f1b33fa0709302b8da2e33d23c549ba53442d9159cb6941f05b4f31dae9776bf3984545c1391bfdd1d196708a7eee7f341278d3c079235d59068dd76ec9

Download Submit
C:\Users\Public\Libraries\iovikpzU.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
C:\Users\Public\Uzpkivoi.url

Filesize
104B

MD5
a219d91dac95bf00bb4b0a678663d6b4

SHA1
445deb9b26f33fd38fa409f0d00ed66658b2f3f8

SHA256
c4eaf196881f8860fe4aa225e5523b6b4298285a241ade11a886f61d2cb41797

SHA512
9320cf05a558c72f15374c8e703b7d9ed74d0a4edb614ca6e4cc717ae615d8f822bcbca6bfcde3f2b5729f95d425f9b0659b3bd694a68eb4534b62b3de88db9f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
0a26d5d664c8bf99403eb094c347e409

SHA1
8b8ff5346435bba2f3ad75bd875351119c370f67

SHA256
026209af4808bc45b6646f870c47107250326d983e7fae84caa0480e0826364f

SHA512
577520431ea86c65d8d59ab8a2493020177dcc386318cbce046097ec99431c6294a3ac1a1d7ad1d1335804ce4c083d101842ea97e6d4920eeed6f98aca6b7397

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
dd7b93262d01595d7778b1904336d114

SHA1
2344200e95682d0c7d856912e30ee7eca54a2b62

SHA256
84f794cdb9df466048b4d584d1982fb65a2343ad9f344b811ee9abc2c8ef759e

SHA512
761d99388cdde67edafc7ed83e4216475278bae1d23a145133b921650257364219ce2f636e7e056758ecd3c0bdfa9a5efe3e814f78b1bbf5be0ee3e297c46794

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
2139e1abdf2f8140ba1f9e534e18ecf2

SHA1
0d7e209c153d0885215960da9d96715f18f7d79f

SHA256
8d14ad396178013820a7af4207c3896196c68aea938b56f469667809df2b341d

SHA512
55923e6c04bdcffcaf3725ddc48bdeeebdccd412fd4cc6f6096edf4240a9f33a2dd133eedbdf7bca450bc3c6611d58cd17f9277d1f268bcb6ec87f9a89942caa

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3d866d8a9be867e8653cc9d7be57c885

SHA1
24f35f2eaa27cad0e8673cecfc8e64d31bfc1df0

SHA256
3ce2cfea944ce72dea72c1824fd535b080f841ac6c7a324822849685838dc58a

SHA512
43554feeab2ef093c078ed94e3a4f17c047e33d716f06b3634c6e41206329989a0778f765840dd4a5447241ada96c263b6ec7cfd1629a21da40165471edb92c6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
d9410b0a76aad597c33ac22faa05931d

SHA1
b277207aa0a0b4d7d6ba76bc40a5e149da5bd4a9

SHA256
d300b9afc02133659d1be48444a62ff8faba74290d40520c92142474f02ae4d2

SHA512
e3b180c957da3d5f00c5f0c58d3637fa4f129c07052c2fec985294f132c4d9b85b944f7153281bccf301f1810c0accb9565830386aa92c686a934a0d9cec881a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
4e5820a996f03e28f02cf0ff71031f52

SHA1
f8a401510bd18af213615f99825c52d4958e376d

SHA256
98e2e45da11a2a969942348221ca1ef2e8aee7cff526a2ab1fb5aaba900ae6f4

SHA512
d6237eb15835ddf2303c0719aa4a0be8a2fc0299e5f5ca52a171b1e53a7326f9c10eb76e7c42e592319cfcb0c27103a46851b06c687ecd78a31047d8ebb635cf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
c7ef02730f461fde83a9ef262a71fbd2

SHA1
2ce1e19596939843febc7793271a5a5d265f1c2e

SHA256
c546486d6b9649a1c2839788ec3c54a5b567b2c4fc641225b577b810032cd172

SHA512
e7465907e9b578feb9911d5c9ad40a5c4d8f8cd1ebb57c7f4b1704a9ff51ca54d752924fb7a4ea30f1a2f24773566228139d12548189376d12100638ec54280e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
98662f1b863cc97e83b021c698208fd3

SHA1
dbe8526d4a2594749e88c0b3d541b0d6dfb00298

SHA256
53fa325d3050d41a27274999076ea1221fcdae3f72241643ec91930db785064d

SHA512
237c95b53f371872967928988d4d1b0b2d1fd558c7427f3447a28cc2f2e748a12b300f75849a561821ea9bdd107f6af2549d043107e3c560fb74e337feb064ac

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ac121a47b6337387b6efc845a08b81a5

SHA1
027f67f8988c1eb78f5f420fed6689f7b98ea669

SHA256
d76a33dbf37569842d0efe8bc1eb0f9d85dbcb12cc29469f0aa919af0c2b093c

SHA512
8b348276c2d6c4473efc2c2c3bd2da895fba1db108628d80af7a00d89bc6cc21606c8446ce2ca7e47b667f3af2b4a7bfb99ee0d75ea5028cd43bc829d826e173

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ff501a6cdc6cee750c4b71377844ba65

SHA1
847a92c17b4197de09e1205d5d60f5cefb81c730

SHA256
60239d3ded5fb5aed553bb6e6991f6c4615f972ebb59bf54efaed9d57cddac96

SHA512
20f105a92973f6d3a96f5014e59b469b5864ef841e2a8b6ef21f63bb9dba885cfaccd94d89ff0d93e4197b620ab7d98084d23e3b0a9a3255492e6c8b6b2b2d98

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
d037ca4c05cb80df11e44eec1d7d1337

SHA1
0cd0dd9db537d4f27d1cd86755a56fac4fcb3c10

SHA256
815228ffc2780b2228886a83e49a97bd132cf6e3a6a5d6634fdbe35b52ee6358

SHA512
670177a8390dbe56a5d2e951d6df34919a8c9ebd62a7c5fb7f07615624d4a01bff14855d665aa50187f5d21efa336cf5518d7df1fa02cff89419206fb51a04fe

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
74ec0a83ab4d0113224e5cd6b769debb

SHA1
b4b8f3589a7968d8e7a7c9b144b2a226597fcd7d

SHA256
a895e6f18413ec537ae671b68a6b1ec8cddb773518701f36d23f65162bfebfcd

SHA512
b5884eb159fdd87852fd20ecc67a74c732cd6deeafa342adc850f78825f27683edc41b59aa2a0b2a8b3ca2e19980fd633b3fa01c34993187e2c4269746a5ce10

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
a47e032725cd4fa4a36f1fd587b7f41d

SHA1
f064aafc6181119ea051289f72e69dde2b792d21

SHA256
af90f217ee718a7148e4c908575032c7331f1dac9e41ea4fafb1b3afe85cf0fe

SHA512
f95eb1d9cc6595e3dd0dc5c4b6e6a29c6bde8b5e35e5d9137e08519584c615a7e1f76518439fc2865e2a93fba429ac26d0315330e4bcba374762e31ff8817c80

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
a85ab77efb362d9245bd330bd0432dd0

SHA1
50104b9fee44db06e6d8341b882cfc6fe002cdfd

SHA256
a90a4cc1760c2b4fede1ad3e6806fe009abaeb86c4b4ca5932b648a60908d753

SHA512
baa5bf7c0b83288b354fe7f96811975f23cac4c89c12a9aeb2f3bde0b9ca43254bb79333a3461eac477aecba1036abe0b5464542639b0cd651fd70814aac0598

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
3660f8782ee1f31e38eb07e7a7d416a9

SHA1
e0315e9f5f69f0f6e02e867a158ac582284b1acc

SHA256
ac586610566aa1f903fde5faeca27e44fc92d88e1361a81e55db902a63d84986

SHA512
25f6ef56d977613572fc6e4fc1dbb177b12e9f48bd9a869c56f8868c58409e3c4dca1d07e8e88546f0678e21d3fc2d89560024b480ad15ee665ffd4a0ae8caee

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ab8d830f6c4e6abe1eb8bbd241986497

SHA1
7db14fa4f0b0d23a00487e91f08485eb539d42c4

SHA256
327d8caa01435fcf6d375688ac154037b42390d4d7d376402a38654196a10376

SHA512
a25497d6b52531bbef54378eb2c6185b22793201ecb8896d3c57690f37b6c4f7c6b1d58dbb4b39882f1771d60ef526491bdd0d48a1497d9a690a13ae30b40edb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
b9d1be44c8adaccbb70badcea40df208

SHA1
8edbd39befd2b5188e60e87266a9580d0c801331

SHA256
06b07e61ebe65e0dcdd33e94bfb37b5f62cc8781497e72e24c530adfd538019b

SHA512
a2d5817a54690b6d7770407e9a9aa967b5110bd8ef1f173d62f05b18475f027fbc1eac0523590b020dc3c1dfe33097f2beefbf62b79756eaf79398f230b611cf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e3e4fc279c4169d6bbc6f73de150663a

SHA1
137d49ad1973fef7d92426ed21b912ccfebc16b7

SHA256
b8cf7e724b1e58f0e67441e30f3dfb5b88784db48906d78b49de1f0951a279be

SHA512
521df615383cdbedefb4cc3a3e88132c2ad933512a648ae1190328d924eafd72245180d88eb700bf692ca953fa0025bed34b41c1003799661e974d9c1fedf9df

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6f97c49f40ff91b0e6011660cdfcc8e8

SHA1
1b75fa058605d31cca17c6ca9786f573a705681a

SHA256
00e8609a4baf6835d6b0fa696fdfd3c93136ea86cb546e41c3a24a87dd8b970c

SHA512
f7903417d6a8dc301f92cc41c01b0ba06045015e5e3c664c72dc86932e20d4710fec2ccf750d60a06354f8d607c2e8bb581cd85abe81426316dec592ec29b2f8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
139b0835b744cd0cc0c451c631cc9f67

SHA1
4c5f8234361e9bfdd3e13b8ed4b4dd9c6dc89737

SHA256
e9a3d15f8063c1ace4e53aac749e7b2ed923fa10982ea660a6b95825cec60a80

SHA512
5a7a9ca500d40354da56ede1f3c809dd872034e16de55f9c718c8ad73b504f593bc6e8317bf554cc81e0658ca26bbc8626728374a5d464b9a1e64695ff7b5ec8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
ad85f183c9d5fd75e3f650a63f46910e

SHA1
c0b5f4c150d09f96ac805e9c118318120f8522e1

SHA256
56af410f436d8eabfedd87760331e73ea245fd873ced2f6994c02b7d5cd9bf48

SHA512
a99cea54c83a0ee273fef90865079be07f1e45ce7ab15f499373a4e79883264bca49500f7c6d2c80535117753ba930b742e5076e611c7eff58b6a369a8d9d2ee

Download Submit
memory/388-681-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/388-569-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/668-556-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/668-669-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1068-572-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/1068-693-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/1192-1020-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1192-694-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1432-632-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1432-881-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1724-584-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1724-706-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1724-967-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1956-511-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1956-620-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2068-461-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2068-555-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2068-451-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2296-781-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2296-596-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2352-820-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2352-608-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2560-682-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2560-1016-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2660-549-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2660-657-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2684-607-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2684-498-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2944-621-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2944-855-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3100-959-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3100-658-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3788-22-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-43-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-2-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-1-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-10-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-11-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-18-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-30-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-53-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-65-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-64-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-63-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-62-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-61-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-60-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-59-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-57-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-56-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-6-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-5-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-7-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-8-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-9-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-12-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-13-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-14-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-15-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-55-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-50-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-16-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-17-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-31-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-19-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-33-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-47-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-20-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-35-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-21-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-37-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3788-38-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3788-0-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3788-40-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-23-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-42-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-24-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-66-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-41-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-44-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-25-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-45-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-39-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-26-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-46-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-27-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-48-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-49-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-28-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-36-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-58-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-51-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-29-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-52-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-54-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-32-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3788-34-0x0000000002CA0000-0x0000000003CA0000-memory.dmp

Filesize
16.0MB

Download
memory/3820-670-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3820-963-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3888-539-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4220-447-0x00000000342D0000-0x00000000342FC000-memory.dmp

Filesize
176KB

Download
memory/4220-446-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/4220-476-0x0000000036710000-0x0000000036720000-memory.dmp

Filesize
64KB

Download
memory/4220-557-0x00000000379A0000-0x0000000037A32000-memory.dmp

Filesize
584KB

Download
memory/4220-558-0x0000000037B60000-0x0000000037BB0000-memory.dmp

Filesize
320KB

Download
memory/4220-452-0x0000000037250000-0x00000000372EC000-memory.dmp

Filesize
624KB

Download
memory/4220-421-0x0000000010000000-0x0000000010067000-memory.dmp

Filesize
412KB

Download
memory/4220-419-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/4220-583-0x0000000036710000-0x0000000036720000-memory.dmp

Filesize
64KB

Download
memory/4220-1028-0x0000000037E60000-0x0000000037E6A000-memory.dmp

Filesize
40KB

Download
memory/4220-448-0x0000000036720000-0x0000000036CC4000-memory.dmp

Filesize
5.6MB

Download
memory/4220-817-0x0000000037FD0000-0x0000000038192000-memory.dmp

Filesize
1.8MB

Download
memory/4220-449-0x0000000036D10000-0x0000000036D3A000-memory.dmp

Filesize
168KB

Download
memory/4224-474-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4516-522-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4516-526-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4892-643-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4892-655-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4892-478-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4892-490-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5112-1021-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5112-715-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download