e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815

Analysis

max time kernel
22s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2023 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
Size

1.3MB
MD5

67753ac9fe4f92b79506a40197db937e
SHA1

21221e792df2118cd16fa491c871058cef3105bd
SHA256

e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815
SHA512

104bb766e506a3e3fd6efe6dc239d334a0fcd65cecbc2818ddddd7dcc4aeda6fef5318eb17ffc580aa44c5f591793d79ef699504c066857418b92f4e9aa5f41a
SSDEEP

24576:/iry1KswscUUk//tmUsDnpEYxky/+oBc63Fc:7pz//EDnpU6d

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1676	alg.exe
932	DiagnosticsHub.StandardCollector.Service.exe
3664	fxssvc.exe
4404	elevation_service.exe
4948	elevation_service.exe
2820	maintenanceservice.exe
2400	msdtc.exe
2380	OSE.EXE
4584	PerceptionSimulationService.exe
464	perfhost.exe
2112	locator.exe
2388	SensorDataService.exe
1876	snmptrap.exe
4464	spectrum.exe
2224	ssh-agent.exe
2572	TieringEngineService.exe
2016	AgentService.exe
1012	vds.exe
1748	vssvc.exe
5092	wbengine.exe
4732	WmiApSrv.exe
4420	SearchIndexer.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\System32\alg.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5ded8787e4ef4e69.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\System32\vds.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\system32\locator.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bef8e78a9e7d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1ef6f78a9e7d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2656	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
Token: SeAuditPrivilege	3664	fxssvc.exe
Token: SeRestorePrivilege	2572	TieringEngineService.exe
Token: SeManageVolumePrivilege	2572	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2016	AgentService.exe
Token: SeBackupPrivilege	1748	vssvc.exe
Token: SeRestorePrivilege	1748	vssvc.exe
Token: SeAuditPrivilege	1748	vssvc.exe
Token: SeBackupPrivilege	5092	wbengine.exe
Token: SeRestorePrivilege	5092	wbengine.exe
Token: SeSecurityPrivilege	5092	wbengine.exe
Token: 33	4420	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2656	e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 5496	4420	SearchIndexer.exe	122
PID 4420 wrote to memory of 5496	4420	SearchIndexer.exe	122
PID 4420 wrote to memory of 5524	4420	SearchIndexer.exe	123
PID 4420 wrote to memory of 5524	4420	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe
"C:\Users\Admin\AppData\Local\Temp\e956dcf8b25ccc0d1c61e40075cbe18cef9e22f1b58f79998bbf2638642a7815.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1676

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4208

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4948

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2820

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2400

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2388

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4464

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3248

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5496
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  PID:5524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
98ba6482bd7b1c0734eddd4ec8fb9a1a

SHA1
7d1e9030c6d7b8307c498bf5ab9d984fc5891b38

SHA256
9c57e09be0096d2f90d6c677b4c443cf96eead551ecef974d5d830ec45e66454

SHA512
ad83e2dee92736186bd9623337acfdda427db3a58f31f841152788fc8f68fef6b79b36e2d8b65b919a10fb22cfdf3d2e5c27d760fc004c1c1f94561cf5c272a9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
5471edd37efcd3fa419ea591b9978b71

SHA1
dadd1761f48cd583bf99767a1b34b42173c099b2

SHA256
2c6c60dc2a5960af0e620c1b37a7451536147bfb9e9b3286b6711176842ff672

SHA512
b2bcde44eb406e37cba3ce73befead00da7f1c13ad8e48b5a313144c4eeb5ca4de3a8e84c38827bf2b39ffcec3a2ec192626df1cac20344ed20a5c5a6280b515

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
844d0253b01e9f475eb7a210b4c1a13d

SHA1
9076788c487193c7f04d3b1f83c49ffc5616513f

SHA256
01571206a7ee44763099e802a21ff9c0a8435488d10d01b8a0a075f7656326b7

SHA512
7065161e41b259032c0bdf9fbb1395ddb0742613eabf26da3ecb4ba809d192502606f96d59effde444ced932b11884fd562ef12117e3d2b881fd22afa026285e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
45aa0a504c80da473691a4a67f11ec82

SHA1
ac52a0e23e60a578f49a2a31f0a7a6a5a03100e9

SHA256
2a04fe98b3848ccec62b46656297eb194e34d687982719df32e176aefa9d3ce6

SHA512
34fda4195c48e510c9a999f5227583ffc5b42f42fdcf2f8110bbd85fbbbbe4baddaef04b0fc1c03be0cf634d45af430d257f36c01ff00615aa00eb8649cd4482

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
1781ce865636395d2f9fa6bc66dfb01a

SHA1
c908b667986c9051929c3ae41b23282599226350

SHA256
1c7fc8922a1e60a79052051e4258746e7577a419320b8fb2e3bac5b2db621b16

SHA512
2430a541b51e633a8b8b88ad2561a36d5f22e86b2e6447a3a8db39f8dbc97eb556b099efee62ffe18a74a47c31359d4325fef74c02e3165d0287957d97ac1563

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2460291458977ffbd4322fa509663a20

SHA1
811eb441d4d03b2a76d8f54d4f8951c87263a0c8

SHA256
2986b4820e1feb84e702de009c338b8198f50a7d6e27623a6efc703c6b36e3da

SHA512
3377c25368c4266f2edba187bc0621ae98a8bfde1a3fafcccd544fda2473c9fcdcbbf052cb3ba456c694fb40c48674066894ebca12cbbd9a5086cf3320d7ebe9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
10dfecb6c92e6e9e2bcd43abfbadd9fb

SHA1
e9b5fff573515f9bec9678c21de0988d2b044660

SHA256
994f6e64f5a4dc767869cdcaddb7eae360689f579e87fd1c0f81c78974284c5d

SHA512
3d25c59d455f930543f8ac263c624ec155f7a1f8e898eb48bd04432d8e6b7b4371571363060b26fe0187c5138b9a220ff18bf4eab5e84da100622af1c5f11e10

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
520cbfbec066db1fe5606560b143219d

SHA1
b43d2ce0dc07643c1457d9bd6ea42833d0ac83bb

SHA256
872b85c36540f58214332d77223a90fd2b79a2cfc7e0e820598ad0722aa8e4aa

SHA512
cf96d19a8bfaccff187c3250646ea83ddce0bcb1bbc20d86c384fa3971ea03c627573daf69d143862e2fa2c07755bb9fa4944df6a8b0a54a64051cc44c21816f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
d9659f9f83be2251d5fdda3bcd32dbad

SHA1
80adb783cd99c32b96b19407a68c1e8bb3ff1287

SHA256
5dd9374fe4eee3b956c23edec5df273c0974dd851a39ed087771eedcc76d9e97

SHA512
4ac89e86e0ae085e489cd8f21c3dce1ae700c48a6444278d23e08e1d54547ae30224d74c82c0c75b8ae2a3463195e878e2e3f2a80c8c13d270368b55086d0caf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
3e8518e270f4f2ee4d0ece54dd06a875

SHA1
b675a09d2b2950088bc3332690ccc6bc0e5a9f24

SHA256
71b56ff181d066aedbf0e17a969bb37e6327d9e95d6ed992429137f53e078fe0

SHA512
a8ec693db09ab955a988f97e0350eabd99ac035d09893dcc795ee959990f1d7de21ed3cdd2cdf15461b720fe0be49a3b019a2356ab2eaaf088eb9c3245236b40

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
3e8518e270f4f2ee4d0ece54dd06a875

SHA1
b675a09d2b2950088bc3332690ccc6bc0e5a9f24

SHA256
71b56ff181d066aedbf0e17a969bb37e6327d9e95d6ed992429137f53e078fe0

SHA512
a8ec693db09ab955a988f97e0350eabd99ac035d09893dcc795ee959990f1d7de21ed3cdd2cdf15461b720fe0be49a3b019a2356ab2eaaf088eb9c3245236b40

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
8cdfa927b09a3f2f717fbebf8963e7e4

SHA1
64dec37228d9eda1b85c4648904b65df2029c1b8

SHA256
db5e7357d354798134eb682f3f0f458510f4c9e9ae873c79e24c005855e9935f

SHA512
6ae3adcc8e25b39741d5f21820ee6d2521f39d93937a492be0869fb47e5c1e750df213da61922b0a96fe5664e8421d7cf13b6423cd18ea00fd8f8533a63835a9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
42bf7dbbedb2589c7a253c8edf31b195

SHA1
a270dd8d889c5870cb8e8235279de52c6d76d2e7

SHA256
518ccc7368647b61de5e429e33d35ddb6bfcaca14ae22e750ae6832252c0941b

SHA512
7d2133ee84e8ed040833a96633e3c75000acad5bbe2312a0c46d873d95e68f3f14b35a1e34efc05933cd5a36ebb20da01654e91bf48ee761a83bf81bf0e23648

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4e9b8d9340ae52259cd86d50f00e536b

SHA1
d6df5645541173853f6a0ec3dff194e985aeb2a5

SHA256
10b0419ab70e380623e2c36c5a20e02f88407d7e45cd7dfc02656e4f96744203

SHA512
75c7086134ee4d78866fbdc1d283df61738019f916979677c30cac93327b9afd0e7b899f45bc05bd77be38f1a2e89a3e98e1675b41da915ec07773b0c76f0434

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
be6a67aa69a62ebd6951d9c403d9474b

SHA1
e64cfa9195e147973ad8a13c33166babf190367b

SHA256
0babe306dcdbfa66f48086e3371084036149ea802f10c258fead87700d78518b

SHA512
f74e3f23f292ce17d81e5b74049fb94ffd7c9e1d23274b8fd877ae102b982e05f2749295a26b56f4d714bfe1cc98edd1b0da439ed38eb6d5f3975b1641a11238

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
8d6c138d555d228c20726abc571f0454

SHA1
e3ffc25dde800e8d229a39c253505e9450c76f68

SHA256
0a2f0251fcdc33e9e55555e682b471d01cc4229dc60acbfcb4094309311413ac

SHA512
cd84db5c7c866ba5e1bdb2a4d6a86a117095d4aa137242bcff6adae32ba45695f2c47850d7fc88e94381ec65feb9822e12b85d77b388f27545f504f14fa3a78a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
aeaa5dd1091c439c33a94f8da45db013

SHA1
4d44c26dcfc590219e943601357da2aa4702526d

SHA256
1c653069e41fbc5e91e42ba9a901684ed8763082769258c3b0556c7afcb32652

SHA512
d235ddde4084cfbb1c161c7668657c1c2f08ac80a74d4e1a8a1570a1fbba756879c391c0342dfb1545bd69d39f691730e66ba03ae20cb8959e8585825f6b3fb2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
c722eeda3402d14329898e5d868b3901

SHA1
50ff5091ca637156b4e558cccb8bdf0da241b38b

SHA256
9714d9e448f0471d538db00d5b77b692535c693b166364662f956a5f01ee06a0

SHA512
012b48841a8e54f73bfe3c90f1fac67dba0f37efd8c8cf3c1ddc21fc06d23dfc154ff4b749ee5a7cbed0c9fb4ee6b04f5ef6dcdbcb6688765aec54fc255134b4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
775c20451bee67d0ece135428662a861

SHA1
cebffdf2f704c24fcae892cbb5e7df5f8e55fcbe

SHA256
147c82fa2d1b7c5de905444b94becc509bc42b1f0e8847e5b48b13c4843b4b1b

SHA512
07eb76115a3744dde13a2235236f0fa61240a269bba6b494cdac2c0678b6c9cb9dfe82c7ea75791a71c6cbf5225c8e664c5eab1135da0aec2a7298eb52349d98

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
ae43f49756bb162f6252fda19f5903cc

SHA1
c877e63871b50c0db9cbfaa174b4adec899a3a60

SHA256
25062fcbcafc1889eb7971a871ad87f942ab33952e8e46af0573028cdfadefaa

SHA512
f95ec51cd3e40ea6a93188911c3f9d1b37d2640c04b6cae1303e4f8c03fd797fe3cc21e8328ae73c01546c92de824b426cfa635470a6e8e3420ce136bc0a64a9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
187d82a1e9fad49b9fc0e401cb81c629

SHA1
1eed394d3d88933fa1e037a6505430041932fb94

SHA256
89af436d0c6fb7f40d05378e24b59f146eb49cbf6247549177517536b2a0b4e0

SHA512
f78e8f365bccdbe05f8716877b9ba1c6b45ed69a9c966cb61b80cc77abb1d219e24bb746a01510c0ddb4c787a5093fa8ffadfc018b5d810c54fcc68d220ba8ea

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
33337af9f36f490ba85ad7e8000e268d

SHA1
02c356814e0ef3c8d4700acaf1547479944bb15b

SHA256
7132d9316efe2a1b1acf5bfc72df7ae9efa0760913594c46f834738bc7a01263

SHA512
6e43a1626c68d4a5c294d2b456fafd6e6d7ce50b696d19d97c44aaa2c8debb3e81821b923bf5e2bdfce0368ccb9c8413a0d3efdf6dea630922540d187ea7a7ca

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6c78e9a8e44fed6b712a37d980de62c9

SHA1
bed0695685f75db90875871bd740b6f9198ce939

SHA256
c84142e3abd1b9a684623bfec0667b30b1175043e12cd3173492bbd8feaae1f0

SHA512
b2377e8ef11c6e475c225509b864a796930f7d5fe86d86bb5a06c2f00b0bd69bd5591aa0c4294846201de9e24a5b0c4429e176334332c316694a410da0c7c47e

Download Submit
memory/464-145-0x0000000000900000-0x0000000000967000-memory.dmp

Filesize
412KB

Download
memory/464-138-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/464-202-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/932-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/932-27-0x0000000140000000-0x000000014021E000-memory.dmp

Filesize
2.1MB

Download
memory/932-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/932-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/932-94-0x0000000140000000-0x000000014021E000-memory.dmp

Filesize
2.1MB

Download
memory/1012-248-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1012-254-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1676-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1676-14-0x0000000140000000-0x000000014021F000-memory.dmp

Filesize
2.1MB

Download
memory/1676-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1676-78-0x0000000140000000-0x000000014021F000-memory.dmp

Filesize
2.1MB

Download
memory/1748-267-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1748-259-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1876-177-0x0000000140000000-0x000000014020B000-memory.dmp

Filesize
2.0MB

Download
memory/1876-245-0x0000000140000000-0x000000014020B000-memory.dmp

Filesize
2.0MB

Download
memory/1876-184-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2016-238-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2016-242-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2016-243-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2016-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2112-217-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2112-150-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2112-158-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2224-204-0x0000000140000000-0x0000000140277000-memory.dmp

Filesize
2.5MB

Download
memory/2224-211-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2224-271-0x0000000140000000-0x0000000140277000-memory.dmp

Filesize
2.5MB

Download
memory/2380-175-0x0000000140000000-0x0000000140244000-memory.dmp

Filesize
2.3MB

Download
memory/2380-122-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2380-112-0x0000000140000000-0x0000000140244000-memory.dmp

Filesize
2.3MB

Download
memory/2388-228-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2388-164-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2388-170-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2400-161-0x0000000140000000-0x000000014022E000-memory.dmp

Filesize
2.2MB

Download
memory/2400-96-0x0000000140000000-0x000000014022E000-memory.dmp

Filesize
2.2MB

Download
memory/2400-97-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2400-104-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2572-284-0x0000000140000000-0x0000000140257000-memory.dmp

Filesize
2.3MB

Download
memory/2572-219-0x0000000140000000-0x0000000140257000-memory.dmp

Filesize
2.3MB

Download
memory/2572-224-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2656-8-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2656-65-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2656-7-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2656-1-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2656-0-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2820-79-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/2820-93-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/2820-90-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/2820-87-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/2820-80-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/3664-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3664-39-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3664-46-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3664-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3664-53-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4404-120-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4404-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4404-61-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4404-50-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4420-298-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4420-306-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4464-197-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4464-258-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4464-190-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4584-135-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4584-125-0x0000000140000000-0x0000000140220000-memory.dmp

Filesize
2.1MB

Download
memory/4584-188-0x0000000140000000-0x0000000140220000-memory.dmp

Filesize
2.1MB

Download
memory/4732-285-0x0000000140000000-0x000000014023B000-memory.dmp

Filesize
2.2MB

Download
memory/4732-293-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4948-74-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4948-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4948-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4948-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5092-273-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5092-280-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads