modiloader | c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe
Size

1.1MB
MD5

4603c75b3b7ae5c693adf7d08dfc72f8
SHA1

536fbca93073cbc2a19ed9be874086bc3acab2d5
SHA256

c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c
SHA512

237927752e93a65c93a6cfdbac6d6499a29c518a316d4fc3b0e6f1d736e84279ae1017e369b2fb0f25fd1970775622d493120a0792902aa6009fd91d5d4a4d81
SSDEEP

24576:WCcGj5EfZJsVJrjzh4dYEXvVzlFjG31di:Wi8GadRvVR2D

Score

10^/10

modiloader collection discovery persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
lwaziacademy.com
Port:
587
Username:
[email protected]
Password:
jB_PZJCJu8Xz

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral2/memory/2844-2-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-7-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-10-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-17-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-29-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-57-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-67-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-65-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-64-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-63-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-62-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-61-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-60-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-59-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-58-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-56-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-54-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-53-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-52-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-51-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-50-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-48-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-47-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-46-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-45-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-42-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-41-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-40-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-39-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-38-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-32-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-30-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-55-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-16-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-49-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-25-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-24-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-44-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-43-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-23-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-22-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-21-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-37-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-20-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-36-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-35-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-19-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-34-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-33-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-18-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-31-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-11-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-28-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-27-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-9-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-26-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-15-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-14-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-13-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-12-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2
behavioral2/memory/2844-8-0x0000000002960000-0x0000000003960000-memory.dmp	modiloader_stage2

Executes dropped EXE 30 IoCs

pid	Process
5068	svchost.pif
4892	alpha.pif
452	Upha.pif
2496	alpha.pif
3596	Upha.pif
4204	alpha.pif
1624	aken.pif
376	hvphrsqL.pif
4580	alg.exe
2016	DiagnosticsHub.StandardCollector.Service.exe
5804	fxssvc.exe
5960	elevation_service.exe
6048	elevation_service.exe
1244	maintenanceservice.exe
4564	msdtc.exe
2972	OSE.EXE
5308	PerceptionSimulationService.exe
5664	perfhost.exe
4684	locator.exe
1836	SensorDataService.exe
2104	snmptrap.exe
2124	spectrum.exe
2796	ssh-agent.exe
3364	TieringEngineService.exe
944	AgentService.exe
3500	vds.exe
3908	vssvc.exe
5332	wbengine.exe
5540	WmiApSrv.exe
4296	SearchIndexer.exe

Loads dropped DLL 1 IoCs

pid	Process
5068	svchost.pif

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hvphrsqL.pif
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hvphrsqL.pif
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hvphrsqL.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lqsrhpvh = "C:\\Users\\Public\\Lqsrhpvh.url"	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	drive.google.com
19	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	checkip.dyndns.org
50	reallyfreegeoip.org
51	reallyfreegeoip.org

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\vssvc.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\AgentService.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\32d3771d7cad7dd2.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	hvphrsqL.pif
File opened for modification	C:\Windows\SysWow64\perfhost.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\wbengine.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\AppVClient.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\msdtc.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\spectrum.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\dllhost.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\SensorDataService.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\TieringEngineService.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\vds.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\SearchIndexer.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\msiexec.exe	hvphrsqL.pif
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	hvphrsqL.pif
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2844 set thread context of 376	2844	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	114

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\7-Zip\7z.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4E6AEEAD-B62E-4CF8-80E5-2A66138AEFDE}\chrome_installer.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\dotnet\dotnet.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	hvphrsqL.pif
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	hvphrsqL.pif
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	hvphrsqL.pif

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	hvphrsqL.pif
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hvphrsqL.pif

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025174ad37e6cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6005 = "Shortcut to MS-DOS Program"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007331c2d27e6cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000400bbbd27e6cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000275264d37e6cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000714697d27e6cdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053b9ead27e6cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc43d5d27e6cdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e807f9d27e6cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
1624	aken.pif
1624	aken.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif
5068	svchost.pif

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	aken.pif
Token: SeTakeOwnershipPrivilege	376	hvphrsqL.pif
Token: SeDebugPrivilege	376	hvphrsqL.pif
Token: SeAuditPrivilege	5804	fxssvc.exe
Token: SeRestorePrivilege	3364	TieringEngineService.exe
Token: SeManageVolumePrivilege	3364	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	944	AgentService.exe
Token: SeBackupPrivilege	3908	vssvc.exe
Token: SeRestorePrivilege	3908	vssvc.exe
Token: SeAuditPrivilege	3908	vssvc.exe
Token: SeBackupPrivilege	5332	wbengine.exe
Token: SeRestorePrivilege	5332	wbengine.exe
Token: SeSecurityPrivilege	5332	wbengine.exe
Token: 33	4296	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4296	SearchIndexer.exe
Token: SeDebugPrivilege	376	hvphrsqL.pif
Token: SeDebugPrivilege	376	hvphrsqL.pif
Token: SeDebugPrivilege	376	hvphrsqL.pif
Token: SeDebugPrivilege	376	hvphrsqL.pif
Token: SeDebugPrivilege	376	hvphrsqL.pif

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1596	2844	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	92
PID 2844 wrote to memory of 1596	2844	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	92
PID 2844 wrote to memory of 1596	2844	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	92
PID 2844 wrote to memory of 216	2844	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	95
PID 2844 wrote to memory of 216	2844	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	95
PID 2844 wrote to memory of 216	2844	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	95
PID 216 wrote to memory of 5068	216	cmd.exe	97
PID 216 wrote to memory of 5068	216	cmd.exe	97
PID 5068 wrote to memory of 3636	5068	svchost.pif	98
PID 5068 wrote to memory of 3636	5068	svchost.pif	98
PID 3636 wrote to memory of 4648	3636	cmd.exe	100
PID 3636 wrote to memory of 4648	3636	cmd.exe	100
PID 3636 wrote to memory of 4368	3636	cmd.exe	101
PID 3636 wrote to memory of 4368	3636	cmd.exe	101
PID 3636 wrote to memory of 2028	3636	cmd.exe	102
PID 3636 wrote to memory of 2028	3636	cmd.exe	102
PID 3636 wrote to memory of 4892	3636	cmd.exe	103
PID 3636 wrote to memory of 4892	3636	cmd.exe	103
PID 4892 wrote to memory of 452	4892	alpha.pif	104
PID 4892 wrote to memory of 452	4892	alpha.pif	104
PID 3636 wrote to memory of 2496	3636	cmd.exe	105
PID 3636 wrote to memory of 2496	3636	cmd.exe	105
PID 2496 wrote to memory of 3596	2496	alpha.pif	106
PID 2496 wrote to memory of 3596	2496	alpha.pif	106
PID 3636 wrote to memory of 4204	3636	cmd.exe	107
PID 3636 wrote to memory of 4204	3636	cmd.exe	107
PID 4204 wrote to memory of 1624	4204	alpha.pif	108
PID 4204 wrote to memory of 1624	4204	alpha.pif	108
PID 2844 wrote to memory of 376	2844	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	114
PID 2844 wrote to memory of 376	2844	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	114
PID 2844 wrote to memory of 376	2844	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	114
PID 2844 wrote to memory of 376	2844	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	114
PID 2844 wrote to memory of 376	2844	c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe	114
PID 4296 wrote to memory of 3856	4296	SearchIndexer.exe	150
PID 4296 wrote to memory of 3856	4296	SearchIndexer.exe	150
PID 4296 wrote to memory of 4020	4296	SearchIndexer.exe	151
PID 4296 wrote to memory of 4020	4296	SearchIndexer.exe	151

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hvphrsqL.pif

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hvphrsqL.pif

C:\Users\Admin\AppData\Local\Temp\c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe
"C:\Users\Admin\AppData\Local\Temp\c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\LqsrhpvhF.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows \SysWOW64\svchost.pif
    "C:\Windows \SysWOW64\svchost.pif"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\NEO.cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3636
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.pif
        5⤵
        
        PID:4648
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\sc.exe C:\\Users\\Public\\Upha.pif
        5⤵
        
        PID:4368
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\aken.pif
        5⤵
        
        PID:2028
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
      - C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        6⤵
        Executes dropped EXE
        
        PID:452
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif start TrueSight
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif start TrueSight
        6⤵
        Executes dropped EXE
        
        PID:3596
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4204
      - C:\Users\Public\aken.pif
        
        C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
- C:\Users\Public\Libraries\hvphrsqL.pif
  C:\Users\Public\Libraries\hvphrsqL.pif
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:376

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4580

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5708

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5804

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:6048

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1244

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4564

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2972

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5308

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5664

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1836

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2124

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4040

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5332

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5540

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3856
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6be52ba2e133a1eb65479c8c248f3ecd

SHA1
40b645015d70ed078da05eb421dd670fc3dc5f92

SHA256
2912600141b8de76c5d5cef6bb283b21e57493e81cc6c5900c71d9fc5b01357e

SHA512
67c743b06578c1b58c87b0dc05b51f2c95cf4caf6bafea541d1fec54c223b4b45d433b610ffbdde5261873afdc6c7248ed56907f98ef9986dc7e4513d31bcaf1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
65d4aa7dc567da8d601ad743ec22001e

SHA1
395a14f5a90023402b7f0e8903166790b654f365

SHA256
c73093f0cba72c8f13a06eb84accb5494930ddf1b092dd1db068ac2cc74f9539

SHA512
0cedaff08307c544f44c620c06021c57b7b17d1dacd0786f32b28dfc55d4826582888ee2c2ce03b99bd219f7f127e0764d431c51681bba33faa6fb9e4e0a2739

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
192KB

MD5
34460520e7dbc4f5e958a2c6d8a84d2d

SHA1
e6a81de53deaf895edec7d6022f92fde40aef428

SHA256
d082a8819c813a8ec335a66e70cba3b8ab41bd4261fddd69dad00c339482d263

SHA512
86f764a6e7157103e246c5f71eea96cb8ebf0a2930259de7bccb7373c00f0b35f6e452fa24aeb210f2ff0fc917b10c4781a392f8266a832c9c18e7ddb30ddcdb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
14KB

MD5
005a697863e6db590a82b17a65d52b5f

SHA1
fead293cb6129f283d5face25ecf865e0057b3e8

SHA256
770a3c5b0fd029462c568bfb7ea5209ce788ec3d498670334e9cb49fe4024d79

SHA512
94da5e51ac3fa17bea7b6f9a6ff4fbbe339fe60db3ca7ea607ae08429e67505e9dd35197bf64420f1007ab4384cabcec2d574f4e9efabed5f0af72a19cd0a18b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
14KB

MD5
6d97a06270f7e6bdf27fd0884fb835d9

SHA1
8df54d1b76311eee50a26729d3dbdd1385dcf551

SHA256
161070c64e5ede49121b44690ebc682444bdf0f179fa9d134a4bf2309760d714

SHA512
c2d11af51f8b84f73815fb1ce6da32efd8ffbdd3cd9c7aa36959f3fff8904946f1c60761b8ffa0f9a9e7a5d5a4024627fa9a290d142cc734d9f4581bb1409997

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
14KB

MD5
1734923787cd732c4284deb77b94a75a

SHA1
ec86c6d66c0644e8cf0110ccd40b4b436fa7f018

SHA256
1d39af2079d3612dc401d0e9402520b2a9971566c401eec30b61b57eb5df7173

SHA512
fcbba42854ccf257efd1aa67e8dbbacfa2c16e94c183fd5826791fdd85931d340df63e0aa196331b7e163c9b37190e85bf85ea2d11f6638f2cd3930e7e115261

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
14KB

MD5
3fed11ccaa8b60621d8bed4bfacc95d3

SHA1
f8d931c3d16128d1baefd2c48e698706fc141f23

SHA256
2026a6e39548e6aae49d36bda8eccd53783fa5dd665045cc3e4026e917cd2c18

SHA512
36ee4b735bcfa954fff806dbff129698a37cb1b58a08687b9fb190323804e7178ccc737d625cacb5855a2ff44b418016c8d1251862c449c7ec2b4c2ca3acf0ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
14KB

MD5
f2d2ebedb8355737fdcc3ebac1e3d988

SHA1
4d805a646f36d1c604e47ddff2958856e70bc656

SHA256
ae02488729fec112399dbd60b48198b8d8cca47fe77280f69091b2026cd6b118

SHA512
72fd53271dfeb25fd2b653ad1e34020c57d2bd5e0775d8dea2e9969e4bffa3b044900ef07d41ac0dc1dca19ae8396abfea1e6217cf903082dbab34a14cc0e297

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
14KB

MD5
f242ad3fd210f2b915114ffdd6eb9729

SHA1
b64db526965ae928410a2fccd7a32830697ff1a0

SHA256
2024c4aff83b9cb1eaba1db8bf18ab2af3213e5ce409a005e1fac25af7aa2ff2

SHA512
ee1cd7e28daa58f2a790452350c6c1a14ef5e1a3d007afbf0fc4f96b29f80fbeb3ac36c64f38c9780143df30af404a50a2bc576c071fd08209762dbe209ce447

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
14KB

MD5
e6b316be749e6a2cfce4a5cca2cebd58

SHA1
fcca429221f76baf69b796856bc658a1da50847c

SHA256
b7e1be9875062380dfc21a905f3ead664f4baf578ef25c2b0bd9b2291b8516dc

SHA512
954514e10aeaa7415f8a437c5e5a0029c33e3bf29333ed0ec70dbd44dc6d2863d78f187334f933ea78bf63d04549836469e8d125ae990e2c2434d595e43369f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
14KB

MD5
ec1e2a3cea75914a413169d64c09ed08

SHA1
0d0cdeadf7253dc88154dfe2525c08f9de307307

SHA256
40273f026d68b04a49706c6be74d2aeb51c51c5a0356bd44bb092244d0709bad

SHA512
eaeb4899cda404a16df98c9a31151d0f0252e0a8d6974df8d7d860eb95a539157b73ed0c07d0d64a4c04e0bdac7d3a3a0c83288dea3f2e0f348eb7e778e56d85

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
14KB

MD5
795cdb279dc465a90b3c4354e6dcab0c

SHA1
4cec7d1047c7da2f953000a4881b343efc1a197a

SHA256
dbebb6df922eb3f4b4a36d3db6dd6f799afa652f0148d02d37d324758b6f2d17

SHA512
0ed57e2c77ac06802410e06b046af2eedda764931d1fd176edcf0bddc235364ba546ca7a0d91288d590f009222c7f704dc69f603dd4fb08c7dc33a01a5a4d46f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
14KB

MD5
56814df54c39932b06e9fc4f95e07362

SHA1
8f4ab474554ea2d6b57a8b9a00fafe2bb9afe384

SHA256
a69b97ed70a2fdacdd550c831b5e9f56756cf560a2fd701a6729ec26d32490af

SHA512
c7033a9d2a40963054cf55b72d0ec6d33cf7af09f4c1f29a71db3c00f8adaaa3660069d5ac9eca0d8892ac5848822694d6eefe9a160dac5dffebd69e576eb428

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
b9107e2647addad6bb51bcb5a710066d

SHA1
253df136fb939370f27991c6bcb5a0491b8254e2

SHA256
30fa24e46da27d072c849d55a0ab4ed0918f3250ec3590f09dd475ac67c6e3f9

SHA512
665fe54bd1f9002a1a98f9c61fdc6cce00506edd9b4b4aa16b78a21c97d81c8a17d12251e08cfa0e13ad7fc59435221e868b53f3169069505f7f4169b6f70f65

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
14KB

MD5
cb307c2cbef8c99d8985ea6c19d58206

SHA1
f1a5d8517d7ee11e4528dd200d8bfbc3042a6a08

SHA256
0f6b3b326427a05c0a82c379a17239738ba739bafb5a4bdca4b22e0d624d5f2e

SHA512
ee42073ea6b3bce0690e39a59032ad3c6e8236e81a5ce8d535f71d3fd96a82035c16c31639089d349bd2dccc67c94d516aceb528cfedcb3b2da3979e2b7909e5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
768KB

MD5
149c20e7d58600b767c80610f8018121

SHA1
8f249423ea23f0913f1f3892e01ae18608015e30

SHA256
11545e755ddcb4e24a42c04c294f0b561bd0725c5b5fa4b0a6b65891fd36971a

SHA512
a6d59769129279e8ec1ae56478676f002bd8dca4a03f3b109cf20884a3e63925344d4cd3182d8aa25b3561c60587c9cc7f194eb2643bba30f855e745a9178419

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
18b44600942ee2db3661dc04632a930f

SHA1
0d3576f359e199ec8abc91b05e452cc6c4bbc23d

SHA256
2d2ccfb1144854e8ad69367eb092fa5768025e407c29146415f99ef78e0ef104

SHA512
df6826219fd9073732c44f49e873c37e9b6691cf7b226418de8d259e5a061593580dc10862b44a2cce7ce24474c4add7276d65684714c2a404ac63f0a998af26

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
14KB

MD5
4313c5030d48f8bfe01c5d8fbbf10e0a

SHA1
451034ca4041fecf3adcd58fd58bf52e057e38c5

SHA256
d112c88e1adc54b18e622d0f9850659363bf545567771b1b32ddf1a6e85023be

SHA512
19876a40c96b10b64b22ef1aef36075013e518e1a3ccd63ae28980406efd64d4902f3611f79a7d0490e7235d5d3ccffece49c0cbc771531f13527da9f7564918

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
192KB

MD5
813c59dc6f2e701833e5261483b23c8b

SHA1
86c163b8b768095ee19b5da3a12a74aa82dfba7c

SHA256
648e2b23fcdb1c410d0eace70d995f4e49670d85f923429cc5561111bd123986

SHA512
3d7de219d11d99d7888f32f2ffa6123d480c5cb7301519ecd1f322e6d082ac6398ce4f4ec0e3354ceb43778464141c4475473184b2a482ed5062c4803af3a09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pwlx3qy0.jnj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\Libraries\Lqsrhpvh

Filesize
1.6MB

MD5
8b3e0ead3b90f0f27f518ba1fe5bd5f8

SHA1
303f1dcc4afc7d701fab13c2215e044f36611608

SHA256
19ebbf53a6572d81a5ac2633702f702cc1ca12ed86ca56345875a3700988dda0

SHA512
b2e89c1c95623d597d6bf2de930c90288f23d858a503045d3923700fa19e39c0f3fbee252d2aec3faad586bebc0789413868ed07bbb2e0f7a8fed0cb4b99352b

Download Submit
C:\Users\Public\Libraries\Lqsrhpvh.PIF

Filesize
1.1MB

MD5
4603c75b3b7ae5c693adf7d08dfc72f8

SHA1
536fbca93073cbc2a19ed9be874086bc3acab2d5

SHA256
c9bac4ac565d31203a6de79955a300771c1ee41f72c227bebff984c83eaa409c

SHA512
237927752e93a65c93a6cfdbac6d6499a29c518a316d4fc3b0e6f1d736e84279ae1017e369b2fb0f25fd1970775622d493120a0792902aa6009fd91d5d4a4d81

Download Submit
C:\Users\Public\Libraries\Lqsrhpvh.mp3

Filesize
52KB

MD5
f53fa44c7b591a2be105344790543369

SHA1
363068731e87bcee19ad5cb802e14f9248465d31

SHA256
bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c

SHA512
55b7b7cda3729598f0ea47c5c67761c2a6b3dc72189c5324f334bdf19bef6ce83218c41659ba2bc4783daa8b35a4f1d4f93ef33f667f4880258cd835a10724d9

Download Submit
C:\Users\Public\Libraries\NEO.cmd

Filesize
55KB

MD5
3c755cf5a64b256c08f9bb552167975c

SHA1
8c81ca56b178ffd77b15f59c5332813416d976d7

SHA256
12e0795aa1408bea69bfd0a53bb74558598e71b33fc12ffec0e0ae38d39da490

SHA512
8cf0f1a368089e2e3021ce6aeb4984821429d4bb9de3d273a9d0f571a847bba3fc429b84a877afec6decf40e6b94a69d52e8eeea55e042aa9773d3540dbe6bfa

Download Submit
C:\Users\Public\Libraries\hvphrsqL.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
C:\Users\Public\Lqsrhpvh.url

Filesize
104B

MD5
9f73a7b29c042b5e611638671deb7019

SHA1
d834a7ee766ca087c5f0a79eebb8fc6e28096258

SHA256
3c0d5084d79ab1ccfbbec414155cfd893ef273239b443fe94f09437d8b84bfed

SHA512
1b286a62e646ed9602be1325d7024dd6b2aa8cda4ae52ef54c53359608156e7f87a59c84f70abacd7e5588b2e913dc75506ea20ec379f9ec662a72f0bafc5f80

Download Submit
C:\Users\Public\LqsrhpvhF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\Upha.pif

Filesize
70KB

MD5
3fb5cf71f7e7eb49790cb0e663434d80

SHA1
b4979a9f970029889713d756c3f123643dde73da

SHA256
41f067c3a11b02fe39947f9eba68ae5c7cb5bd1872a6009a4cd1506554a9aba9

SHA512
2b59a6d0afef765c6ca80b5738202622cfe0dffcec2092d23ad8149156b0b1dca479e2e2c8562639c97e9f335429854cad12461f2fb277207c39d12e3e308ef5

Download Submit
C:\Users\Public\aken.pif

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Public\alpha.pif

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Windows \SysWOW64\NETUTILS.dll

Filesize
116KB

MD5
0f088756537e0d65627ed2ea392dcaae

SHA1
983eb3818223641c13464831a2baad9466c3750f

SHA256
abe2b86bc07d11050451906dc5c6955e16341912a1da191fc05b80c6e2f44ad6

SHA512
d7ec6126467fd2300f2562be48d302513a92cee328470bf0b25b67dcf646ba6c824cd6195ba056b543db9e2a445991fe31ebc2f89d9eff084907d6af1384720d

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
d81af0c11b2afdf631561b5df678da2e

SHA1
32829f0d68eda722853d2e20fd76c03584515a6a

SHA256
630f58c6cb603f94a8974b8a8c915a86ddefb7370bee696087992ba96e1a439e

SHA512
cacd11231a5e02e558980769991b73c5284e88ae9d5ecbf07bdf818e7ccf50c6e3a9d46d4510809c8bb1a2dff50dcc372a9081267a914303ffc27cdeef6486c5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bb7f1beafd68b97a5b45aba08dcd90ea

SHA1
7d83adbeb656c6c40595abfd3d5137b4232b08fa

SHA256
2c00717758dcd404292afe9d4c0751c9b3d5b8f2b011a46adc073f21b4a7bbdd

SHA512
a9ce145f3e9688406f97b11e8f4f778443bf3db3c566b1d5b9010ad912d7e9c8de9631b64a43da342a8e8dbb4c0a58027cb6abb2182aeda2a2ded823d469b2c7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
31ecbcf5a307afb24dca1aec99e8cdf7

SHA1
b7b709dffd05487a07b51cd816843b1af79228c8

SHA256
356b081a2082cddfc31eb6d607cfe56767458a683c18b344317aeec35e555286

SHA512
ae1da0955e3a78c27d32881d6619fa981a4de4d6d5824031498bae6547ff3137d05991985a007956030f0bbf9c4504220fd72d44eeecce10d8a4afa914a3a2fa

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
94e13eb3393a3f80078faeb1b7bb7f29

SHA1
5c6da4d6f3b715ff967733717dd4da82c81f3af2

SHA256
1d1155a44763aa5e7e675fdf57bd9b820851c6f853114ef04054e90c88cd081f

SHA512
245dc5cbdaacc2138b63b222ce52dea96c1f201d67bb52271677d0bf5d5ed1d443c35814e0c1c70c1e3893bddf9c3bc642fa1592ad68a6006e933ba66c33daa9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
d27e5009e17502fd46e853662d10c237

SHA1
c1e78f905e559e95d49a63362e7dd996fb71eea7

SHA256
400ba64dc77a2cf164ce7dc6e35570af87b0773926833e43923c232f48fc24c7

SHA512
4ca9872f1a5c645785bfdf880356654b6b969068079d42f7c57469ef90a923d0ac6883ef8119cf87af3aa3011e0d74e790b5c3204caaf778336406e45ddf4d3f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
838ec96a3ad76ef2531d9ba5714d77c4

SHA1
0e3c44a0a2f21a9894646fa3b74adbc1c3d8957a

SHA256
762218dbff21bfcd2bc80b0bd339c9912c3ba051841ad9bdd3cd68de431b53fe

SHA512
1d31c15628e3009d57dd6de965348c0d128ea613af8ff6468f5e9d2ca53210aa0ff3f5de953dc4597d6578e90d8bb22e512b35fb507a96496926f3ad554ace08

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
5af5e8959c60ee7bf3dc38266c39a6ee

SHA1
39261e96a0fcd719c6dac5e9b30089a45a5f1827

SHA256
ce7a0a45a6f5f432e5993762b37097b7d63c7d5852f54fdaf380c3a158ca1327

SHA512
013bb164acf8a4f3f7404ef69d5c4ffa5043c0421eb5804c4e8335e89cfc7d56aa0af09ab4d67d1c3eb06e9ea38b23d46f113678aa1860ea90d1345cbede79a2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b2b5e11a2e3393fab27bb9d32066c055

SHA1
b75a63e890b56794a5c721413dd95e0c2cc3a3b2

SHA256
dbca9d08aed1b3ab5ffdc1d4199501635083aee0bb8c21edd80368e4b2a0f93f

SHA512
501b3fdacdc8deba6f99516091ccdf41189af24f59a874db06dd535711a874b310461648d4bd2c56afa576747c92aa497450947e4b0c36b8d91cbf49145dad25

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5f04ce5a263757096e5072c93829cffc

SHA1
c2fa565ef8e98924af1599eebd6d6bda035b3c99

SHA256
e74c30451e3adf8b9e8a6cf4cd9899f1c32cf6e6e4aa721b20ec3699bb91977f

SHA512
b73c5de41aaffd408d49f16be769e7ec182a0d28e3aca3ead81766cf56e69effabfd3193faf8ffc0aa4e6ebbd74fba629caaf828d24b434c2f93311647a6261f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
42KB

MD5
c7ace00eb6fc3b5e239018f757e5ba2e

SHA1
bc22fa6c427079bb6b5128a5c6bb4a241c13fe7d

SHA256
28536f29aee407ab8055faf9d7d6e9242c539dddf5769810b816a67286864472

SHA512
c16043798a09b008471e326c83adda6e3aef81da322a2f3901f67ca662e5f358790f61cd7ce86599d7854a23ca88654eab9f28eef65721a9f409a29180eea58c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
79cef35de39539a77069684927f44e0b

SHA1
f707267cd53adab9927613c827ad3e9135514153

SHA256
8be85393b2dac5554d7c5a54ed3504a4fe11d78d8549c697882a3daf3eb19fd7

SHA512
42e6e89050faeea10468bb7273bcb2a858829aae2da5259a2323728a10023363e97e0ed8e5554f534af002bb3727941e92c840c46f1249b4de20ebe1e4eb0c9e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
efafb08f2f471d58a97174abc0027560

SHA1
72f902b0032720b71ac0991eb973ffd6595ea8aa

SHA256
ef8d57845efecd75e138b3d2a7e79fe3e8e30a77e7d83c01cf821d8a6527ce40

SHA512
a94e7bafef73ccf476fe93701058fee2d10f166418d71e1da95d16866e8beb55caff66e44dfcf677651e4de267276088e69dfd1cb18a4d27e0301a3bb633c147

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fbfb3fa79869ec4597d384d71fe8a255

SHA1
8e58e95781c9421f02732a149aaae1f110fa5f19

SHA256
72d8fb53c30143c05290bed3f1c8e8cde9bdb6573d05d6d1f36828714d2ac31d

SHA512
e83b53e7b56779546b7127fa05f09e10931ae4cd0023467eb191580c044e50c0deecedd0c544e9fb4679c6868a6c8171e9d9364eaf4f83880d22848f10d71dde

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
1a44156c11e1b896b463ac5d2a8c45cd

SHA1
6e578281ed6a9fd55cd17faddf62283e0c4fe293

SHA256
5f999e6b530844428f7d03ea3600c89868f2bc2976c1e9a2610373cf840562c2

SHA512
14b880208c8096b9119f9b4b89e57332c91f949e3b6644eb01f8df05b42cc5b0903dd6cb1ffa8ac4808f9db9004e6f09101a7d90f0615f6ff648cdb1491bf32f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
fee747a51a0cefb222a4ec4469530efa

SHA1
bd567d410b07fb34543005b0e73569d8a126bd4d

SHA256
e80f9261a124bab381f1a1519e4c8a1598eeda59618887416edb601bdb6db051

SHA512
6cc5a32960d8d10784cfe259c05d2a92fbd86f8524d2ed0d2772bb7e108ca3bef758b57bf8beee7bf8f924c4f93e971cd2a072e8b79df65f393f7af19a6a4f67

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
1b76d06718ffad52c7a8bb190ff6df04

SHA1
12afa8283b81b3ea71a7c7b1eb6e2c811ae4912a

SHA256
b7e59003f19f54299f41202e233df0c60b3c4f5608b7107803538190590b20db

SHA512
0e6938ffb0944a4d8bc1db589785aaea8a440026fcba392b313e486eefe6773db79d09c67810373b3142cb09958214c30471161699f09f7cbff01b34a28b802c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
86982a4a6fa864d8c7defd6c4e20c5a6

SHA1
4a52192ea2c548e232b0d19467a523c326562579

SHA256
9f3025000ad0f163b56f8ed1a39c9cbbbb10dd173f6c1664ff90afcfd52172c1

SHA512
935a0ad77e55d0741f32792812b5c23e427186f45a3e8cb26ca58fbfe4411f783bcaddcbf32073cbbe00dce9b02ec4c46fb8980eb7823c8a805c55f9c87ed383

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
6c35804dc602f43e0d1bbcbfd9f0ad36

SHA1
c258cadd7ce4593fbbebc99877191e4666dfc339

SHA256
32f9a76d5c0d6e5adf6b0da30313f17949cfcf947e1c46b88d6889552918425d

SHA512
b129ae357fa1c83cf5d589fc49774891b44dbcb3fdd70fd144e29ec2eae20c0e1ca70f5e77b799630a974b795a0a06bb331bc0aa117d31b48aef51d930f5dec0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
14c277c2861d8b15c21258087a475a77

SHA1
1e602cc4cefa7c1804027253b7d0266f69d0ff61

SHA256
371b5b201831f3f26ef148341805c529cc169d2a2d6ea0e62a2a08007608feda

SHA512
afa8c4bc4a2c1f6f05b2ee857773013d6494b24abdbd0b9828edff38036047f150f8e087553d1c6ba578ed14afefbe802bacdf3fb50b2bfce492536461b76518

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
17KB

MD5
6400cf2625f77c46691fdb1417b81fff

SHA1
c532389e0a686cda04ab56ecde987ead29ffacd6

SHA256
6faa884a871708587486e1b52ae8818b26110b0da394b822a28c3bae0abf68ad

SHA512
9411e08f7d449a832cccb929dff0dd5788bf3cebeb4e0eab4b1c3ff9da4b2c28673042545b3302513f592d728ff0e60ad0836fd5af22050d7be8297985e401b8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b75d0d9556c7ef80e92ad08fe48324a3

SHA1
70636bd6a83bacc20ca62605b66aeeff310750d4

SHA256
05b4bffe41e0884b3b0778d8f6ee6efe5fd2df414c3e055f08ecec8c35c13f82

SHA512
9e5b4527f0bf361dc43370ce4c0664e32841ad20d06ab9a9dd932b73effc4629c9d16395771490a868f6b56415825b7f3c634f3b90a1c064ebf555a797ee8ea9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
42KB

MD5
5c61add8058c99ff92e0e8ae6845f9ad

SHA1
5ee458ede0467a3ccc4aae990d9efc588ae8bea8

SHA256
e30062fa01a648ad7537cf2821fd6cc71adc4bac0b8218b5a49b25f58dd9b821

SHA512
b437b12fc682eefce8f9eb3bbb94bd39d9169fd1af77fc8a37bc91cdc80b89149ae63fed17b7cb31602e5da23e4e6d2b1137e07b95f389d6a8a7b68a1c8ac7a8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
42KB

MD5
bea7d380898ffebaa1f513326a22313e

SHA1
2ceae03cf79d4921635d886493c2920ebc24eaa7

SHA256
d7dd3f8187943d77d7c64fb222fb7d17f85f2b3d400b154c37bc63892403b326

SHA512
703f7a9e9b82bf117e2f4d00f027b09726f565dd60764fccd39d30864adce209b6f7178b9af9dc2b7d3c9dc9944989ecfbbf8fbf147ccc2f2e2db26d02f1384f

Download Submit
memory/376-467-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/376-1482-0x0000000020960000-0x00000000209F2000-memory.dmp

Filesize
584KB

Download
memory/376-966-0x00000000200F0000-0x000000002018C000-memory.dmp

Filesize
624KB

Download
memory/376-1266-0x0000000020CA0000-0x0000000020E62000-memory.dmp

Filesize
1.8MB

Download
memory/376-1037-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/376-1006-0x0000000020190000-0x00000000201E0000-memory.dmp

Filesize
320KB

Download
memory/376-495-0x000000001F2F0000-0x000000001F322000-memory.dmp

Filesize
200KB

Download
memory/376-1483-0x000000001CBB0000-0x000000001CBBA000-memory.dmp

Filesize
40KB

Download
memory/376-494-0x000000001F450000-0x000000001F9F4000-memory.dmp

Filesize
5.6MB

Download
memory/376-493-0x000000001D080000-0x000000001D0B4000-memory.dmp

Filesize
208KB

Download
memory/944-1147-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/944-1135-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1244-1020-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1244-1015-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1624-244-0x00000231EABE0000-0x00000231EAC02000-memory.dmp

Filesize
136KB

Download
memory/1836-1075-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1836-1200-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1836-1522-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2016-967-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2104-1274-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2104-1087-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2124-1304-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2124-1106-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2796-1358-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2796-1112-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2844-44-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-41-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-26-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-2-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-8-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-12-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-13-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-14-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-15-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-9-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-27-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-28-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-11-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-31-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-1-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-18-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-33-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-34-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-5-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/2844-19-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-4-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2844-35-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-36-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-20-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-7-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-10-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-37-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-21-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-22-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-23-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-43-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-25-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-49-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-16-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-55-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-30-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-32-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-17-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-38-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-39-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-29-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-40-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-24-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-57-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-67-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-42-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-65-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-64-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-45-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-46-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-0-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/2844-47-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-48-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-63-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-50-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-62-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-51-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-52-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-53-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-54-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-56-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-61-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-58-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-59-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2844-60-0x0000000002960000-0x0000000003960000-memory.dmp

Filesize
16.0MB

Download
memory/2972-1046-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2972-1149-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3364-1448-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3364-1123-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3500-1503-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3500-1158-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3908-1519-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3908-1164-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4296-1201-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4296-1567-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4564-1022-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4564-1134-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4580-1063-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4580-497-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4684-1064-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/4684-1187-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/5308-1049-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/5308-1163-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/5332-1176-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5332-1540-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5540-1561-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5540-1188-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5664-1175-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5664-1060-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/5804-981-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5804-970-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5960-1098-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5960-984-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/6048-1111-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/6048-995-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download