686db8036dcad810bbaaf9729e9372d2751fcc91eb49ad3b61f16297df8d17b7

Analysis

max time kernel
79s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2024 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

686db8036dcad810bbaaf9729e9372d2751fcc91eb49ad3b61f16297df8d17b7.exe
Size

1.6MB
MD5

bd36aa480c975f46286dec088cb8351b
SHA1

090c1f8d1d17cd7ed983543388a79176713f68b5
SHA256

686db8036dcad810bbaaf9729e9372d2751fcc91eb49ad3b61f16297df8d17b7
SHA512

c58a6e774c99fa673d25c2175569a3e54d6ef4fc3483f3dee3966a1534d1ef25e6320b842bef52ee22ca62463b7340759ebe4c21ddf23124dd2b711cdc1ab6d3
SSDEEP

24576:V49BL8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:VYLgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
432	alg.exe
4476	elevation_service.exe
2668	elevation_service.exe
4904	maintenanceservice.exe
5048	OSE.EXE
3084	DiagnosticsHub.StandardCollector.Service.exe
544	fxssvc.exe
4744	msdtc.exe
2484	PerceptionSimulationService.exe
2084	perfhost.exe
3448	locator.exe
5100	SensorDataService.exe
2372	snmptrap.exe
4636	spectrum.exe
4336	ssh-agent.exe
4548	TieringEngineService.exe
2968	AgentService.exe
3948	vds.exe
1708	vssvc.exe
4940	wbengine.exe
1864	WmiApSrv.exe
5136	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\214f9e61726fd8b7.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	686db8036dcad810bbaaf9729e9372d2751fcc91eb49ad3b61f16297df8d17b7.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75437\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75437\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1160	686db8036dcad810bbaaf9729e9372d2751fcc91eb49ad3b61f16297df8d17b7.exe
Token: SeDebugPrivilege	432	alg.exe
Token: SeDebugPrivilege	432	alg.exe
Token: SeDebugPrivilege	432	alg.exe
Token: SeTakeOwnershipPrivilege	4476	elevation_service.exe
Token: SeAuditPrivilege	544	fxssvc.exe
Token: SeRestorePrivilege	4548	TieringEngineService.exe
Token: SeManageVolumePrivilege	4548	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2968	AgentService.exe
Token: SeBackupPrivilege	1708	vssvc.exe
Token: SeRestorePrivilege	1708	vssvc.exe
Token: SeAuditPrivilege	1708	vssvc.exe
Token: SeBackupPrivilege	4940	wbengine.exe
Token: SeRestorePrivilege	4940	wbengine.exe
Token: SeSecurityPrivilege	4940	wbengine.exe
Token: 33	5136	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5136	SearchIndexer.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\686db8036dcad810bbaaf9729e9372d2751fcc91eb49ad3b61f16297df8d17b7.exe
"C:\Users\Admin\AppData\Local\Temp\686db8036dcad810bbaaf9729e9372d2751fcc91eb49ad3b61f16297df8d17b7.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2668

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5048

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4904

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5100

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
1⤵
PID:5620

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
1⤵
PID:5592

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5136

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5056

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3448

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4744

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
28KB

MD5
556e02c5f6c6eed8779f152d2b891a6d

SHA1
f5d8938d4968d90b34389f195586793131e203a7

SHA256
647ec55ee24febd04d5147bac2b24218f0f0efe0b560c1bd66a6901ac9654bf5

SHA512
34d03d701c982abddf3460721a789e3586cbaed3ad7eeb711a15b2ac18dd00c15e176a7cc5f819ba4f20141aa2c3f6a79d779ac2e2fdaef6294c31e4b358eaec

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
382KB

MD5
c4195b50be80b9ef22c86839fbf6b959

SHA1
34106c66f7990469a087a19f5969976d18da9715

SHA256
c1faf9ed8a517dcfe8cad0d179865804d86ffc2ae90043819870dc5955affe2f

SHA512
27b2826b0c72da093d322ef68c7e472fbb67969685e03062fccfb523323a1ccb4312559083d0ca537745fde8c53d5496f522af0dacb26effa0c53538de92112f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
381KB

MD5
c20b1d7f3c37904832f1cbbfb62ab887

SHA1
8d6b52225c81c6a7b89379d950994f42b225d9b3

SHA256
d3643b6798e59187349a8962a404c7b922da3d1c9a75d5ce8b55b47a986e4394

SHA512
b5208c050f2a57c5b51eeadf9b1a648417e56b5518892dafed3e8adb991bd81872749ae0560922604528090ca5067857f668d6847d8b123a1f5f75ab038caadb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.1MB

MD5
e0ba59ac7e3623ec3d0f0c55ccd963bd

SHA1
6897c287cdb3a17023ad5bc9a9e3e3e1e47e9835

SHA256
d56f27d6173e3633f33acd03337a157db33b12a30501c58a3773a3e533cc6aeb

SHA512
1590b41074324e647571ad7132c423d3d8bc5d39ab4956b83a85dba2bf20c64de3ce1564064afb30f86de004c8ff598aefa89b7d37f1f1938ace15243253e9b5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
900KB

MD5
510472116aa9e31a2c087069b6046599

SHA1
b0070a39967c5764f9bf1e4c58f695e9166c5e37

SHA256
ef661cfc3902451e5b8744031ebf984888da75c150fb52bd40efc667afe71df7

SHA512
2845b7e0a0f051447a4756cd527074150718aa69565c9661b2cb29b62e16707b6ae361ef57d54510adc47c39cbe79306972de4fa44180cffcc6e6e634b0dd805

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.1MB

MD5
43b5edb6e5c3394ee4d1bb3c6339a1a9

SHA1
9b2272f3b6510804dbeff71b27c3cb6118619db1

SHA256
ca62308fc519ffb60aa3ea37f68710ad1ea35c7bb522c9e0bb5ee45c8cd6f8ba

SHA512
199ad2944ef459c77f99b116de233ef78c6feb9503b227d23e5f0f244d845b87766c088b1c8b4fd7c7dfbb4a218511975a7d76f03547e3724fd15e00cddbd0b4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
92KB

MD5
ac0d34b18655cac1979b5077d7ab15fb

SHA1
045911c9dabe4fe9c97b7afcd72d09dfe4851443

SHA256
47cbf9faf247a4e57e1930d7cd3310f6f100c89e13f45a9c6bf3d9894b0550f3

SHA512
32ecb2884d3ef21318c4733086008df59ed257487913446f4161bdc4cf3350138a71d60ff6538cd1d048b087e289e474df8f1d9139dd97179a9812a2a35f03dd

Download Submit
memory/432-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/432-226-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/432-14-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/432-16-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/544-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/544-262-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/544-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/544-254-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/544-268-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1160-0-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/1160-1-0x0000000000C70000-0x0000000000CD7000-memory.dmp

Filesize
412KB

Download
memory/1160-6-0x0000000000C70000-0x0000000000CD7000-memory.dmp

Filesize
412KB

Download
memory/1160-13-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/1708-419-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1708-427-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1864-453-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1864-446-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2084-362-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2084-306-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/2084-299-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2372-345-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2372-405-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2372-339-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2484-295-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2484-286-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2484-348-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2668-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2668-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2668-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2668-37-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2668-38-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2968-402-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2968-403-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2968-390-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2968-398-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3084-310-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3084-242-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3084-243-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3084-249-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3448-376-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3448-312-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3448-318-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3948-553-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3948-415-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3948-407-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4336-372-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4336-364-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4336-431-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4476-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4476-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4476-26-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4476-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4548-378-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4548-444-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4548-385-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4636-350-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4636-358-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4636-418-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4744-337-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4744-270-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4744-279-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4904-60-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/4904-49-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/4904-51-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4904-56-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/4904-64-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4940-441-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4940-433-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5048-63-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5048-71-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5048-65-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5048-237-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5100-388-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5100-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5100-331-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5136-467-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/5136-458-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5620-554-0x000001C7C5F60000-0x000001C7C5F70000-memory.dmp

Filesize
64KB

Download
memory/5620-560-0x000001C7C5F60000-0x000001C7C5F70000-memory.dmp

Filesize
64KB

Download
memory/5620-556-0x000001C7C5F80000-0x000001C7C5F90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads