modiloader | 6ffd546c1fa5b5e0bd0b5be08ef6c7d19efd4eca8de2f523fe23961a53d438d7

Resubmissions

21/01/2025, 14:23

250121-rqhp2axpfs 10

21/01/2025, 14:20

250121-rnp2bsykcp 10

Analysis

max time kernel
65s
max time network
72s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21/01/2025, 14:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe
Size

1.1MB
MD5

4603c75b3b7ae5c693adf7d08dfc72f8
SHA1

536fbca93073cbc2a19ed9be874086bc3acab2d5
SHA256

c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c
SHA512

237927752e93a65c93a6cfdbac6d6499a29c518a316d4fc3b0e6f1d736e84279ae1017e369b2fb0f25fd1970775622d493120a0792902aa6009fd91d5d4a4d81
SSDEEP

24576:WCcGj5EfZJsVJrjzh4dYEXvVzlFjG31di:Wi8GadRvVR2D

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral1/memory/4852-2-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-9-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-15-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-12-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-13-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-11-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-10-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-7-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-8-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-16-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-52-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-54-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-76-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-75-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-74-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-71-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-73-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-72-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-70-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-68-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-67-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-69-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-64-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-63-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-61-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-32-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-31-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-59-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-58-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-55-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-57-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-56-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-53-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-48-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-23-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-39-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-35-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-34-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-65-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-28-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-30-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-27-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-51-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-49-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-26-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-47-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-42-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-86-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-21-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-37-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-38-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-18-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-36-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-33-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-17-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-29-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-25-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-24-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-14-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-20-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2
behavioral1/memory/4852-19-0x0000000002AB0000-0x0000000003AB0000-memory.dmp	modiloader_stage2

Executes dropped EXE 25 IoCs

pid	Process
1608	svchost.pif
4368	alpha.pif
4972	Upha.pif
4904	alpha.pif
3772	Upha.pif
3100	alpha.pif
1424	aken.pif
128	hvphrsqL.pif
1676	alg.exe
2960	DiagnosticsHub.StandardCollector.Service.exe
3184	fxssvc.exe
5196	elevation_service.exe
5348	maintenanceservice.exe
5448	msdtc.exe
5556	OSE.EXE
5668	PerceptionSimulationService.exe
5756	perfhost.exe
5788	locator.exe
5860	SensorDataService.exe
5956	snmptrap.exe
6044	spectrum.exe
1556	ssh-agent.exe
2100	TieringEngineService.exe
1688	AgentService.exe
1576	vds.exe

Loads dropped DLL 1 IoCs

pid	Process
1608	svchost.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lqsrhpvh = "C:\\Users\\Public\\Lqsrhpvh.url"	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
3	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	checkip.dyndns.org
6	reallyfreegeoip.org
11	reallyfreegeoip.org

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\dllhost.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\msiexec.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\SgrmBroker.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\cversions.3.db	SensorDataService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\cversions.3.db	spectrum.exe
File opened for modification	C:\Windows\system32\vssvc.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin	SensorDataService.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\AgentService.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\vds.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fc85e765f2cbde1.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\spectrum.exe	hvphrsqL.pif
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{17A6A947-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db	spectrum.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\fxssvc.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\msdtc.exe	hvphrsqL.pif
File opened for modification	C:\Windows\SysWow64\perfhost.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\locator.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\SensorDataService.exe	hvphrsqL.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4852 set thread context of 128	4852	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	93

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	hvphrsqL.pif
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	hvphrsqL.pif

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	hvphrsqL.pif
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvphrsqL.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1424	aken.pif
1424	aken.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif
1608	svchost.pif

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
672	Process not Found
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	aken.pif
Token: SeTakeOwnershipPrivilege	128	hvphrsqL.pif
Token: SeDebugPrivilege	128	hvphrsqL.pif
Token: SeAuditPrivilege	3184	fxssvc.exe
Token: SeRestorePrivilege	2100	TieringEngineService.exe
Token: SeManageVolumePrivilege	2100	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1688	AgentService.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 4732	4852	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	77
PID 4852 wrote to memory of 4732	4852	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	77
PID 4852 wrote to memory of 4732	4852	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	77
PID 4852 wrote to memory of 1792	4852	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	79
PID 4852 wrote to memory of 1792	4852	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	79
PID 4852 wrote to memory of 1792	4852	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	79
PID 1792 wrote to memory of 1608	1792	cmd.exe	81
PID 1792 wrote to memory of 1608	1792	cmd.exe	81
PID 1608 wrote to memory of 3780	1608	svchost.pif	82
PID 1608 wrote to memory of 3780	1608	svchost.pif	82
PID 3780 wrote to memory of 4544	3780	cmd.exe	84
PID 3780 wrote to memory of 4544	3780	cmd.exe	84
PID 3780 wrote to memory of 72	3780	cmd.exe	85
PID 3780 wrote to memory of 72	3780	cmd.exe	85
PID 3780 wrote to memory of 3016	3780	cmd.exe	86
PID 3780 wrote to memory of 3016	3780	cmd.exe	86
PID 3780 wrote to memory of 4368	3780	cmd.exe	87
PID 3780 wrote to memory of 4368	3780	cmd.exe	87
PID 4368 wrote to memory of 4972	4368	alpha.pif	88
PID 4368 wrote to memory of 4972	4368	alpha.pif	88
PID 3780 wrote to memory of 4904	3780	cmd.exe	89
PID 3780 wrote to memory of 4904	3780	cmd.exe	89
PID 4904 wrote to memory of 3772	4904	alpha.pif	90
PID 4904 wrote to memory of 3772	4904	alpha.pif	90
PID 3780 wrote to memory of 3100	3780	cmd.exe	91
PID 3780 wrote to memory of 3100	3780	cmd.exe	91
PID 3100 wrote to memory of 1424	3100	alpha.pif	92
PID 3100 wrote to memory of 1424	3100	alpha.pif	92
PID 4852 wrote to memory of 128	4852	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	93
PID 4852 wrote to memory of 128	4852	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	93
PID 4852 wrote to memory of 128	4852	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	93
PID 4852 wrote to memory of 128	4852	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	93
PID 4852 wrote to memory of 128	4852	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	93

C:\Users\Admin\AppData\Local\Temp\c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe
"C:\Users\Admin\AppData\Local\Temp\c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\LqsrhpvhF.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows \SysWOW64\svchost.pif
    "C:\Windows \SysWOW64\svchost.pif"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\NEO.cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3780
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.pif
        5⤵
        
        PID:4544
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\sc.exe C:\\Users\\Public\\Upha.pif
        5⤵
        
        PID:72
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\aken.pif
        5⤵
        
        PID:3016
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4368
      - C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        6⤵
        Executes dropped EXE
        
        PID:4972
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif start TrueSight
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4904
      - C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif start TrueSight
        6⤵
        Executes dropped EXE
        
        PID:3772
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3100
      - C:\Users\Public\aken.pif
        
        C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
- C:\Users\Public\Libraries\hvphrsqL.pif
  C:\Users\Public\Libraries\hvphrsqL.pif
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:128

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1676

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2256

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5196

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5348

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5448

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5556

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5668

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5756

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5788

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks SCSI registry key(s)
PID:5860

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5956

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks SCSI registry key(s)
PID:6044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1004

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4560

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:4000

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2216

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
f6004c6c90f739d9b93847020a165040

SHA1
9b3b9698dbe4e475a686cd521d1f11d94d369979

SHA256
2409a4f76d229d8633c58df56ee3e998a4c80173cd161f7b522848151129a9cc

SHA512
39d522c58a323149680af14c6ff39e91680189b856f24a0fccd461dafe590ca1b6353481340f5f731df5fc516601e5979927193db307c28486813008ec7d5b0e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
f5938b364609094ccb96b9ac32849320

SHA1
422e1c5ad7e09ac64b35b3ef0566c7818860daff

SHA256
15b343594f6c4d40e334158d2c219876779afb4b84a3bbcdec3df871a657af42

SHA512
43ff86eb2185d58b3163ede07939258bccabd1920103fb55f49e23f694000e87367da92d2efd09e7ef1e889ac6084f06d9ef97a6bb4fef5b2cb76902933c1136

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
dc6466aee0745c37bc067b601499cbba

SHA1
9dd6cc54b187581f9302ec2e40a5e5dd7b9d5e7e

SHA256
3868926381d5821b689f463a3306203b63f2110d633d9b7b7566401589e7e437

SHA512
00bacfa2b9a84fe59de6fb7f4f0548b56bfae0c87ceed50e77c04225325570f59f1aba343db2026299a115a62f15bbe6479eba0a6d5a83e84ba858caa7d38f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qaddmsfh.nde.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\Libraries\NEO.cmd

Filesize
55KB

MD5
3c755cf5a64b256c08f9bb552167975c

SHA1
8c81ca56b178ffd77b15f59c5332813416d976d7

SHA256
12e0795aa1408bea69bfd0a53bb74558598e71b33fc12ffec0e0ae38d39da490

SHA512
8cf0f1a368089e2e3021ce6aeb4984821429d4bb9de3d273a9d0f571a847bba3fc429b84a877afec6decf40e6b94a69d52e8eeea55e042aa9773d3540dbe6bfa

Download Submit
C:\Users\Public\Libraries\hvphrsqL.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
C:\Users\Public\LqsrhpvhF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\Upha.pif

Filesize
92KB

MD5
7654e408563f6a4150171dd3877f8ec7

SHA1
7d4736b3906e6b991f1070b0718063f134e7dae3

SHA256
8a5410d1a08fcc5cf03b9ce98e62e0049e8e8295cd35b845eebdc882ca657bc1

SHA512
6fe0479d5f7ca02dec15d4d69ca2f8effaa3cd431723d403cb033f564da45e9a44c8169074785dedec12f413a67c827fdc1cd50204b4756065b99503f7b0a3ec

Download Submit
C:\Users\Public\aken.pif

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
C:\Users\Public\alpha.pif

Filesize
324KB

MD5
c5db7b712f280c3ae4f731ad7d5ea171

SHA1
e8717ff0d40e01fd3b06de2aa5a401bed1c907cc

SHA256
f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba

SHA512
bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

Download Submit
C:\Windows \SysWOW64\NETUTILS.dll

Filesize
116KB

MD5
0f088756537e0d65627ed2ea392dcaae

SHA1
983eb3818223641c13464831a2baad9466c3750f

SHA256
abe2b86bc07d11050451906dc5c6955e16341912a1da191fc05b80c6e2f44ad6

SHA512
d7ec6126467fd2300f2562be48d302513a92cee328470bf0b25b67dcf646ba6c824cd6195ba056b543db9e2a445991fe31ebc2f89d9eff084907d6af1384720d

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
824deadfa0f4d16c839ea9164bd2d938

SHA1
37da24f087d317b62cd585a8757bdcc7ba5019a5

SHA256
69dbdf5d0d309167210bd7425e59e53efb3bfc13d9bdfe3fbca8030de8833687

SHA512
adbcb9bbe0d9c54070dca735a421b749efcba4ae928b8c6731560a774561f4cb31cdede1b1bce003cbc97f43fec9b4be38ac90e024439190f1d6723b829e054b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
dc9a018172421f710c99bf44d98ce3ff

SHA1
3551f9068eaf17b78bccab152453ab904183db66

SHA256
3f2e76e4baea443058b0abcde864a2c475722ebfb9559a90eb47a4d39f28a1e4

SHA512
a55c50d2f096eb1b1e9f96fc2fdd9e714ab0c41cf06ef3a797609fc75ac4f8da8ffaf177a5c028d582acddc550a38e301dc3841efc7ece629a71008bb80b1613

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
28ba6327ce34251c154a82b103a2dee6

SHA1
0221bacaa7ca899a6aad9d07e8e304c5bfe94ca1

SHA256
4e617918cc19d5c0778bfc580406ebcbb2f5404e4b51535f0fe85091424c7f4e

SHA512
15d7422db90de061a2edc3e60843ce8ba0624730662c0656afb1a07fd40ccce3365f6905bd0fc2a98f161caec977281563ce195443805b64967d167aa21fc419

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9c17ac6f846922d2544a25df51f006e6

SHA1
32c69d2836e7d8fefb628f37a977baeb7a6da94c

SHA256
f62fc1b4a9904f08fba41b964166ef8ea1523a51776ca07bec91234e28a91e3d

SHA512
b50ebfda2a95bbea317721ea3c9795f23a4996304c35e37362e7faaea86c6950e79232c0c4537b39b60d8f56a333c6f1e5110f4589ab27239272d64bbe750712

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
73131a5766a112b224a1be595974656b

SHA1
68aba4d9d6d7163146d8e97a75fa3685bf8a37da

SHA256
92c425df4c7dd93cdecff3d17d22df12e9c24c4c291587645046949513ef5504

SHA512
42402e421e8a0979f9386d8bbf7a534dd17c9470666c7a20616c6540ad60d5c0de1b1f28f82b4da231d1de78287831705948ddfd02eaeb406f825f70e99e604a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
157893321e6fef20f6a66eb268bd9fb0

SHA1
c93e9b86dbb1f3a9d8fbcfadebadf3033758d753

SHA256
d9cc9d6882c48af97c330a87c175de8a6f4d417090b943b872e231e8899d0311

SHA512
f4365c92263e453f067257aa6b0e9fd3607f863b1f511dbbdccc0319b98f128422601215f4bca6f25dce08467cd3f48d79dcd1be2d58eecf85652cb006bb26a4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
5ede6f56962cc46db69123184b9af387

SHA1
6f1ebd0b55d6d7e6c1cb4b8b781c6cb11031db50

SHA256
1ae9787fee73d933c4f54e5e85777d98a112a4ac9e8b549b5d9ede0b57def64d

SHA512
1e99657075dad51818ccbd717657c69f3f0ee4c9dc864d87ededc376a3c66daff660e1730017b5cda1f62fb2407b345229a03e36ac6404811d29e431ac04754f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
239d356e217239098614937e7a867a66

SHA1
96a93b6bd1c6dea247a42ca6ac702c27826712bf

SHA256
630eec579732f922cabf689fd38f1be384069e391d0f2d04ac8fceb58adb1a13

SHA512
4819844be0047ea66850b2118f79752e7eefbd9e6acf5f4b93ca92f6ca36f55677c41192fa08f071d4c7ff0ed446fc46c0b8d016f0fcdcb52a85a31e5e9150ba

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.7MB

MD5
287c8fc6eab87852932cb85abdef6233

SHA1
036ef94da20f41e4322ddd67d140b1a2d05c3bf7

SHA256
fbb05864f386d78949a611d4c12236c5798d3d4d0bee0c52265170ef5b8c86a7

SHA512
bd673076de11a63a335f79393f67f42ccecb154a8fe469c8b5ccacf8c62576c5a52ada31f65e9e50da5c9709ff7c5432381db61ace36a9e8c20f0fdb74e6bd33

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.3MB

MD5
5ec407c8a54a0320eff7053b8191b919

SHA1
a42e12a4c78c56c1f1a160e9328820fbd232fdd1

SHA256
01c8dd0fc3ff3ea2a8692f01e6a7d42a9b2b6fe19ed1138dc66d23f6e0ee61bd

SHA512
35168f38c5b8e1cb6da739cccf782993d44000bb81158596ec836e7ddcafefa7bb3325db6d49c576adc5dae785d4693372493fa84c48e2e2416cdc3d27f287ef

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
8da37b96b0833ca9a5d6d248713284d6

SHA1
74c41da9fdb1cb7c3b83cf5e3032024c36ad25b6

SHA256
7b28e1d399a690aa6b363d9c10d40b2dd6445aea266f18b1e72b1799a7a82805

SHA512
09875a881a7a4bc2dcfe26e3acfa30a279ee727198ec091ce5a54d1d2337657c4471d5aaf2c653a00de1eb03bcc061803d2595c86988f599e593f2171efe36ba

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ce41bd501f823ef55778dd6e29b64a32

SHA1
87f3676b4ab51dcf3d82337c37820e3472ac0ae2

SHA256
dcec1b539e8b94deaada237bdfefa41f9e435d080da1f18c3f6ed8345e27d0c0

SHA512
0041bf17e18255afea7d28a8f832e8a3af1f8d4ea90174f61c60b7906a332a149977d3fd283696821037a28549fee2ddc7660caef57b64f15dca3349df41244e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
f59804cc99b011f142b47f9c2aaa43e3

SHA1
fdfc46db0203ceb39227af0a435bc0ead142eaf8

SHA256
b48ba838d1f029fc5c414e18b28de59028401bb83aff75e25b9835a3d92e88fc

SHA512
e80941ce7b63fead3190ca78685770da755fcb9c02284bdf938b5f2284b1321279c70d02b5e3c85c251b4b9541a64301fce03d46439fec01b11bb1adc5853857

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
95ba3360652a26fd3e0aa63ce02bd2f6

SHA1
2f00e726d26babd5e0ebf61a93e8103743537080

SHA256
bf04d68d547d5658664f83e91520fd8a1b794a4b719055a9794f330f38cbc821

SHA512
c79e9160b1210d5f6602c580b2e43c36848d7f3b9f5a09749fc8585bf62f052c7aaa95fa6056089b5839ad22995d32a81fd498060e0eb5d1fc3aec07949a6eb6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
3e44bb6c0ffb80fe9d8a1cae1910283a

SHA1
26c3780849ab2c7bab802fdafaba32ad0171c5d3

SHA256
ba35c38ac2ae60d317f16e557f290ac9d659b73e8438f2e8d0fadedd25d0df75

SHA512
b5e7b0990337eb1baa266409665d17798d6b5bd4e9adb42216099ef63d15464ea217b866f688be70dcc8c0217a219449cc71a4ff1353f23e973a490196759317

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a7dd9e9f8856d61d355cc5fefbcc9ee9

SHA1
a6b9b8b117e09e3b0ed85a7e34051625c0b9581a

SHA256
2d20fe4666e5020c72fd147da2e1293739f271a7add145d14bcf2d663a1ed6ec

SHA512
a2b07b2ffc33c7f5234e4b8002bc19b194926f80622563438979a0bdf18925ef4546dbae90f1921b20b2eec401e25a8a8cc597927a51fb74005f5b599d970587

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
568147d3f315324ad86c7c34cb6d81c0

SHA1
33b7c2f2e717cd5f14130e8f4f222218b18457b1

SHA256
62662f306a4f9187133eb020ae6d401e61458a3615d7013276cfe60a74532ed0

SHA512
09f41b082d3b9bc75b0b94ef82cfc2ffe86a2a900fc4233649a4e786970d2a839b589e42d738a2aaa1761fd399b5e86e7fb43e756318432d05c67fbba1ee5b8a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
48fe89e0ab109c9296c3d4d446de28cd

SHA1
4bc9df2182437a1498f375e0ca98291c6edb4aa1

SHA256
f4330d837138a87647420ffa91c32596732a1d505532ba40575467a901b713b5

SHA512
e36f3966ffabade217f62115929ac4737bbb11db9e4eb997f3d343a8d8dbf5afa90a3c44f4d422c62fdb48452082e9cc810c57c8c6f79ec661bb676e0c2b46f2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
414KB

MD5
16b9618962f5623ca791a1366eee5708

SHA1
f0d257511952f075b2a0ec7d8e8730c3e464461a

SHA256
e67e330837a6b2f6d5f76815e7235a512b54b1c90f2ad62a3e9d142ae6939c8d

SHA512
18e1d5a105b87fc72df94645685f5a8d3f593df2d3a9b8652b3b4a4ceaf92d3c7a67b0c08847186149dd608428cae8f1b3bc844bc7aacfc9e3219da823ca2fe2

Download Submit
memory/128-994-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/128-413-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/128-505-0x00000000333B0000-0x00000000333E4000-memory.dmp

Filesize
208KB

Download
memory/128-517-0x0000000035D30000-0x00000000362D6000-memory.dmp

Filesize
5.6MB

Download
memory/128-518-0x0000000035B90000-0x0000000035BC2000-memory.dmp

Filesize
200KB

Download
memory/128-977-0x00000000362E0000-0x000000003637C000-memory.dmp

Filesize
624KB

Download
memory/128-1305-0x0000000036850000-0x00000000368A0000-memory.dmp

Filesize
320KB

Download
memory/1424-243-0x000001CCB3970000-0x000001CCB3992000-memory.dmp

Filesize
136KB

Download
memory/1556-1109-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1556-1335-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1576-1147-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1676-1061-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1676-493-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1688-1136-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/1688-1124-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/2100-1120-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2216-1185-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/2960-1082-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2960-507-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3184-991-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3184-520-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3288-1198-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/4000-1173-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4560-1161-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/4852-10-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-74-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-17-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-29-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-25-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-24-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-14-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-20-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-19-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-28-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-65-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-34-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-35-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-39-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-23-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-48-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-53-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-56-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-57-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-55-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-58-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-59-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-36-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-31-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-18-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-32-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-61-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-63-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-64-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-38-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-69-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-67-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-1-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-37-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-68-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-70-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-2-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-27-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-72-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-5-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/4852-73-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-51-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-71-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-4-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4852-33-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-49-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-75-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-9-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-76-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-0-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/4852-26-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-54-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-21-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-15-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-12-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-52-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-16-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-8-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-7-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-13-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-30-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-86-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-11-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-47-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/4852-42-0x0000000002AB0000-0x0000000003AB0000-memory.dmp

Filesize
16.0MB

Download
memory/5196-1108-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5196-988-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5348-997-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/5348-1007-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/5448-1123-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/5448-1010-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/5556-1146-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/5556-1028-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/5668-1036-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/5668-1160-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/5756-1047-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5756-1164-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5788-1058-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/5788-1184-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/5860-1070-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/5860-1197-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/5956-1264-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/5956-1083-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/6044-1299-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/6044-1094-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download