298536cdcb72e7f66715a946ad7a39738fbcbbd0224d89f01dcce131e8bc7c19

Analysis

max time kernel
80s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 19:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_e004b8d9e548928f168779c50bf624ab_ryuk.exe
Size

2.4MB
MD5

e004b8d9e548928f168779c50bf624ab
SHA1

e1b0785612056235fbbee8d7db52a76c258160b4
SHA256

298536cdcb72e7f66715a946ad7a39738fbcbbd0224d89f01dcce131e8bc7c19
SHA512

1d8f6f777989d717af39f30694386ed19d9523e6d82270d61ad43e085ec79d12040e406152de25684c085409b240820e1acf3ac9526cd1c1a79fcd9c9061d952
SSDEEP

49152:WFk2kQ95lRfFUesqU7TSFnqvIUPJfzl2nKNbBDNxdjM:WvfsqTqzLprDNxdjM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3612	alg.exe
2160	elevation_service.exe
1364	elevation_service.exe
548	maintenanceservice.exe
2144	OSE.EXE
2436	DiagnosticsHub.StandardCollector.Service.exe
3296	fxssvc.exe
1636	msdtc.exe
2056	PerceptionSimulationService.exe
4700	perfhost.exe
3576	locator.exe
3252	SensorDataService.exe
4000	snmptrap.exe
1696	spectrum.exe
2188	ssh-agent.exe
4340	TieringEngineService.exe
2320	AgentService.exe
4548	vds.exe
1864	vssvc.exe
1648	wbengine.exe
3352	WmiApSrv.exe
4912	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\da61630e8ed1090.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-23_e004b8d9e548928f168779c50bf624ab_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{6FB5F2B8-50C9-4E27-9F75-756369A42747}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000feff2387404eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd113787404eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060fc6187404eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e23ce186404eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c03c786404eda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001666c986404eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069ae5387404eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f14f986404eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4724	2024-01-23_e004b8d9e548928f168779c50bf624ab_ryuk.exe
Token: SeDebugPrivilege	3612	alg.exe
Token: SeDebugPrivilege	3612	alg.exe
Token: SeDebugPrivilege	3612	alg.exe
Token: SeTakeOwnershipPrivilege	2160	elevation_service.exe
Token: SeAuditPrivilege	3296	fxssvc.exe
Token: SeRestorePrivilege	4340	TieringEngineService.exe
Token: SeManageVolumePrivilege	4340	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2320	AgentService.exe
Token: SeBackupPrivilege	1864	vssvc.exe
Token: SeRestorePrivilege	1864	vssvc.exe
Token: SeAuditPrivilege	1864	vssvc.exe
Token: SeBackupPrivilege	1648	wbengine.exe
Token: SeRestorePrivilege	1648	wbengine.exe
Token: SeSecurityPrivilege	1648	wbengine.exe
Token: 33	4912	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4912	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 3584	4912	SearchIndexer.exe	109
PID 4912 wrote to memory of 3584	4912	SearchIndexer.exe	109
PID 4912 wrote to memory of 3828	4912	SearchIndexer.exe	108
PID 4912 wrote to memory of 3828	4912	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-23_e004b8d9e548928f168779c50bf624ab_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_e004b8d9e548928f168779c50bf624ab_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1364

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:548

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2144

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3868

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1636

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3252

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
1⤵
- Modifies data under HKEY_USERS
PID:3828

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
1⤵
- Modifies data under HKEY_USERS
PID:3584

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2556

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1696

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3576

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
268KB

MD5
2dbe91acf68331ff5d5713e67e3c0bff

SHA1
e323deb23a6687c1bfb5cba2a25109a5fb2d081c

SHA256
b314c242ff4658a79cb37fb154ae15c2af51c933a3bbe9f9b6361eb8a38dc52c

SHA512
429dc5ba9e04779d44671be4df936a0d580b52f6f0aa3d1998d4fef4221f32312f9a4a4281df249fd37d2d7469772d080a582478c16d9f26ae0f181e74b3d074

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
311KB

MD5
1ffe2eaab261c2e336f2f70fbd27e626

SHA1
c37bc7f36d8f8d8f29c24775f8bc4912af23e4b0

SHA256
a723ffd3c209be35b904a61dc52ff17e02ff9d372687894d231b5778a15b733d

SHA512
cb956ecb2765e52a05f9eb6a13813b8769386600847b5f01c11f2f4d0624282a86fd8e864a4a3eea2e8c9f33bf6eeb67ff11c6304a4259ecff986fb7a19bd430

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
183KB

MD5
150aa61ee69ecb810af9a5705d723106

SHA1
39a988cdc63d76978450274fb40df1e27a5a0297

SHA256
931f9ebfb71e59549d05dffc6d20fbbd7c130987e1149c90f1fda1888c8b2528

SHA512
630a88ec76e28b455b15e8b525f0ee3cd7ce87e327ecfdec671807a60fee1e9c08dfc1f1390a65bb383d9b5b5057b9bd8c868070089bd053a423d66ddb47ec6f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
85KB

MD5
5e41068b6a948230dde142962457b59c

SHA1
6787da912c212423cff8be0ad8915b0b50aeca93

SHA256
5d2731293f371d46a0721b7886b336cf06514168f6c8d4c6f839c46421374da4

SHA512
0bd518e30804ba4032f915951c9a6fa79546dfca7a35c030159b812d5df60c8e4c5dd31e90cf0b544eddfc383e90a7359bdffe29c70db4ebee6d352dee7c4e10

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
70KB

MD5
ea27d4d384e8f76ab4ae97ebf360e83d

SHA1
fbce9c7d070a13c6e812dc8cd07c63f4aee9c8ba

SHA256
c325c345e82f3ed25eadafd8ce9b99162b862181b4c9d7a8ab756680576d8503

SHA512
fc4f0edec79d79e8e2c2585dc2c7307412db8d1d78325e4d3a59d29299b59dd9b41584257cf76621d7c3ed3c24fa66250585c073de582171b7e1292ad4074a91

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
20KB

MD5
85e7b4a873c624859438d4d63520e306

SHA1
fddf53832ac6f7ba57657c3279fc090bb02e1832

SHA256
a3a0f673412ed4fe0f186c74ba28457265bb4200328541eacea9ce81ee3a7470

SHA512
61e503eabf5a7aed87131ca7031eba7d817298740fa37ae8541a03e79bf54cf38894154f69da1867345bfcdcab8ba17c0c71bf05508367174f47664b9e749706

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
16KB

MD5
3d8c741f4fa61a46cad6de591bcf9027

SHA1
15e376d877c8d55476bca73cc9cf54024651ef93

SHA256
0099de8767d7e79eb9228b7bd1e829c1c19f13dccd5b073dedcde4ccca11f76f

SHA512
66af1c74eb7314475e18802f6b28ae63a7363d8a67625e0ab628579841472ce227d5b3b686e6f064cccd924fcf142ec4cf7f6e68941deb04007eda301363594b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
104KB

MD5
8a44e097d058f95295fd259a82c50787

SHA1
bd9f4f36152870bf0b0c56cc922e3f6cc77f6e15

SHA256
a5678f370d9a1e37441fe288f4c35fc8f27ef90af35c6e62e66d3346251fb612

SHA512
51e04dfa1c8446307b2192875e5933e1737faddfe7f420fa5f265963aec7d6846f38ab4831f048387f95cfd2f6697f1a05d9364b41dee1979fafb74d9a60346a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
64KB

MD5
d21414609d1305e2d4a6cdb6e384334c

SHA1
1eb1cdaecc56a28f6bf61ce7b6e34787c03cd7fc

SHA256
63f1496999ad1b30d201a6fcc10ba262df6b44968bf2f7e9f98685aca14cc9ae

SHA512
3860ad2792a2c8ab7ffe13c3f312eeea3554182b394048adfda5d83e9dd842740d98c8999ee9e9d6120c295064dfdf18bbe6963a279f0d484fb08b792f8db3be

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
92KB

MD5
ded9f9c56292dd9055edffcb455f8b74

SHA1
b16ff12d5a79ee85a68680cbeb042107ae2be339

SHA256
1c47275d4f704338786cd595d48a9f2ca8856291920a618f1141c48305b42d3b

SHA512
30210c950218d4324d41b83d292ffe6d536ea110f04019993a1007c847da6f24c83d5aac5b966618882c0dbbd39681a1ca6ad333ae2b88d301a61ab887459f2c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
58KB

MD5
5d102dc29a54061491a2b470a1b98f82

SHA1
5a6d8915720057b9badd08b7c5b8b91a34a2db40

SHA256
1c4a76afa881f6c455184deb3a310cde56b9b501b9aa55b097a3e37670a45661

SHA512
e69abea9e1bd83121abc243d78b533597c50b4081ad5f53f20fb5738301edb2dc928b109742b02c35753bae3ed3b71d95cec4b0d3defe6f0d0a23ca0c844e411

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
78KB

MD5
1472b555c73ab967dbf247dfd8e37e56

SHA1
5428c97c3491e30ebcfda3af90c27a9cd4eba1b4

SHA256
811db468e43f947b027d5870458f3ae2327069ef1ceb897ea99f5312b3563465

SHA512
93dee2384e05881b365505586acfc249ba9d9e7898da1667634158f374005bca3f28323fcc6935881d345f3c0f6d11dafe4ead3be7349ecc150a6bad6efe88ff

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
64KB

MD5
afbfc0b37f18246a0e3be4a0ee0905f6

SHA1
b8ec89f948d6f8bd57a6cdc3219e543f4998d647

SHA256
ee4d3559967c2a6403cfca85032b251e647726caa11d7941bdad3b539af3ed4f

SHA512
ffb9534cea4a68244f5e63a9bbced9ff4eec851cc4e0acf474c7fc38e1cc51ce2ca8ae553ed70501ed4300059dcb08486f6f4e03407c43fbc235fb14fa4e14d8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
114KB

MD5
19c78e3009e846022ede2080ea1ca7c8

SHA1
636e0c3e9cd4ba429dda0c448c7ae8a6f6622a5e

SHA256
9fea45c7a4d747e91ab8f9748677fdda568a9bc070a36e47261e416d1b63dfc0

SHA512
9440d054580605d9709cb14c03bb69d1e22b42bde511c3624ac95c8797284098502f025bc5179c0acf1d25c4650f1ad660d05c674072cd5e9c919c226ff5845c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
64KB

MD5
45cb600f0e5174091e4cbed2a5b2c92b

SHA1
ad0f350c88bfd6b4d890c44cca37e06979158f81

SHA256
96eec46c20a7c7f1f2c3f94f4648ecbba987fa8f8cd76e78b511a2a9f7967acf

SHA512
6d542a9317c8bf1b86447d74a7cb1ebd57943a04a741e17cbd8aea3a9e71a1e344d103a447f16dca2d9f931607ce0c47b1ea5e6f8138cf2af36c267ba2da7095

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
59KB

MD5
42569acd815b811816f3455413924d2f

SHA1
984990657b6494575e039989eb97f3dd0042bbc4

SHA256
1db07a3fcd420778495e1c00f9ef76ceacfc70054da80e6dc05fbc311e2fce1f

SHA512
e0dbf3b255814cdd8df78dffb2896c71b63208cf11948712c0c35f197d5ec77a497ba301c6e70d2909f8e5e05c60659143fcdd2db42bba06e0527369d4720dc0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
101KB

MD5
95b3abcff764841b831bdfb4b6b852f5

SHA1
4b3f9c912a8333f3765d5537e4099ceb8b2d5c24

SHA256
ea8fd4369ff58471eefdc7452e0c52b6e5197c1518ea8cb6ab190ab3a61499ec

SHA512
a135f21f0aa2624efcc184b9aee8ed029491088cb4a0f335517d0e256078c12b5f7ea96650402c1dcd3a63cae4a3b0981f1741490973263efba57dbe0614d96c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
10KB

MD5
c8491c7cac96cc7ed7f4597b8b02ef33

SHA1
a17aa046123d2034419bbe73ff72bc683b9d499e

SHA256
85b43f3f4e4cff9941757b00f9086eba09f09f46d323eb089329f8248faa0001

SHA512
30dfb7c1663ae9f13fd0b85a59358e4df504d9de2c95cdee180e9e66ec2d68753533603f4b30d4e10dd7bfa7bd5787ceb9bddd2d8d2ba86f9901083c05face39

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
144KB

MD5
dd3d89d430bce5fb77060a2bbf69abd2

SHA1
df0b52fc6ad4a31ee1dfa5503d2ede8f3aa5c93c

SHA256
591070a3f51331ab452c3e8ea686a4d1564f92f023cf6bdd5957a1b1903df52b

SHA512
d9caabd4b9c38a1dbe5520ea4f5e22a4ec90f811673a15bf979a9523895a603f3614a7f7cad1d36ff974fa56559a707ac87c0c9f76afcd2349249daa89a1d508

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
160KB

MD5
f3728460549c5189303488feea0e0e9a

SHA1
7bd110cd22856020492a6c08316ee74b518b2678

SHA256
db760278e6975b8f787d39efa9db68036e2feac41e7320130df572412d469497

SHA512
c3a2454492157c58e710cb63cc92db6df950520a832c235eea406c571c6e031d9288733dad7a5a2278cf6b119b37f4c6a9ff334e5072e08c02597cc212b099df

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
96KB

MD5
f9627348d8233550ab64bb124aba9bda

SHA1
7d80dab2e3b5b07589ccbaa82f2d61dda94dcdec

SHA256
e500a82b31f0e19980deb63b9058d37292fd3f1b069e09061670410fbace9a9a

SHA512
29db9bb89875457e1cef4ad3446c097911c0ddec90699ba75b93fcb753b8ff77e2199e13d9fd6292d267581bf9c8a1b039866656fdac9c9f35be881ad2c4ca8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
61KB

MD5
31b3a162957b7fb7abaf00cab906df02

SHA1
98951e6cdfcfd6f947a0e0eda76908c3f4b78f29

SHA256
68c8537511eeac896f6ec95551bf6f61cb8dfad52f8b815b789bee585816d5f7

SHA512
01731086c12325c065c062af6e87dafcb3a431f702612e620421e7e159500362892882d074fc5a6b821b0d71f6f0a0e71633a774783d1cea6aaaf58752d70880

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
44KB

MD5
de7b16e86428fe2ee0e98d54773800c1

SHA1
cbc38b482af761c104aad14e845387f46f97c276

SHA256
446d1c0e5137575d3f02912e472eae7b22d419a4162d8b4c6abf937617214f31

SHA512
8865e94cf5b785df0dd55132aabbcd5c7e9bcca09149bcd3f30f85794fbc5a9df802f59eb8fa832e10cf27cb1ac168c2cf12e99e73f558fbb9e071a560200f3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
92KB

MD5
15b2603a414196469cad125bebcb580f

SHA1
0e21a32dc3c9caef7b0a3637b275d2bb53d482ec

SHA256
c24d5913b8730881cbc257da2968f370fc95f2a5d4f0082dfae864d4cd9b902a

SHA512
e35190a492a64a9c014ef61b4239c8a6cedf6dc0201383a3e964a463565513ee5332e60e5aa871e7d18b190721a0d621f4bf3dc673d8ced669c232eb5fa4460c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
63KB

MD5
a6b991c2b1b0ad3399f38c8e1a23beb6

SHA1
84f67197065a0ec633e94fd6b5af96d08b352465

SHA256
67517d9174c66c2cb2059b55ec367c570d649fc4920146229bc492a14bc4ccf2

SHA512
82114beb577c3c609205226991a38f5908542f148dce5d67492b10ff8ce1cab8acb53643530da70bcdf5afd2a6529778f7955b5491e379691a65193c0d5a6906

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
78KB

MD5
52b9208d509c9072d11f561198ac6f65

SHA1
2702b4514303c00f9ed08cb31f77f05da16589b2

SHA256
3a8fb393a9e78e639cf1b5af6fe883882e93177b0700df1706705a76077df9d7

SHA512
24689f3d1000a1238ca64f1b46cf7f4087ba1750784eb04b79fb618d7d3425369d5cd7cb51b167998d6c2935b6be30bed88bb6690472c23f2943ee8b8e63dfe6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
70KB

MD5
7d3805eb493e7eca0231691ff56aeb11

SHA1
1dac7db6390b0027399072d43ea1ad31f4fb2f88

SHA256
0dcd9cd50755191b81b916a02b0fd8fa40c2204c60ceba765b5b59dbded2f0a2

SHA512
41e70d9b1e3417763b07e3b146348c02711395c370fb63b27de4edd3b9579a30e5cd283e2224557d61cfafd21068f645369ed2ff981dd9e25878a3526bebe4b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
123KB

MD5
6c0933145cbec8af95b1fbf92fbc5086

SHA1
d651e9bd65f418531e3cb8a6af48cfc527fdd3f2

SHA256
306676a5383c0340bf2eb9ca64ed60056d4f12a0c4e28655b3173bb9590f5a88

SHA512
27677f5426d26f4de9020711dc0451d1500c662ccdbbaaa1b9190f89d5168e98e13e841b4f557072032d0e281f5313db5fc38809b50f3f4eee1be9a02220c7ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
27KB

MD5
0098faf48e181afee13fbe4da1cc9ada

SHA1
7011e01c3a315ef0a986a4106259e3ad454b77a9

SHA256
20a02241a3e681a285813e94fa94afd18b143a9b3d54950e11e9456b5ab6f0fc

SHA512
6f95378c84a2525147d41f48ead1e270ffb2c6ee9488c67ed6a2491c28e0d3e86c851b3d8d2a2edf609f7acb5fcdb0a740198fa7be5077a101947a6dec4d60be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
114KB

MD5
c99f04f9e3200558a7d77c94c3574e56

SHA1
906f20aebc93e4e34b40242e79c1bed4d92bde82

SHA256
108d646f2be9af08be3a8753e5e147ecee74a408cf372229bc4fdb64fac89b9a

SHA512
20e424cc11f44237208bccd05fe4ff01314cb316bd1ef080e3d58e121625d0d07d03827cd6747d9796073fc086aabb027f077720847ee2a5a20c727a59a8723f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
64KB

MD5
2d480d4700930ed7e4f18f577c537a65

SHA1
5429f2ec14b9ebbda4d2c2480aea0f6f64205c82

SHA256
18de2eaf2700c48852e180aedcf8cf1dedc8092aabb6e507c4df0c0ac7ce8831

SHA512
e761c7dec10254d944feb6160d986027967e0d565cbd4c31d90bd6ee571b12a0f1167692e58d9b67435b705afdfea926bd15ca4b09ac5443f6eb85d35cced9aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
42KB

MD5
ee0ccf061c288d426c143b5b957747fb

SHA1
0b7533a110cdcc6d2db612dc8bda09ecb5ee2c2f

SHA256
56c2b8a1997c5bb83a864e4a9fe6d39680de6fbbe9ddc1ba44bfed5da6a4c07c

SHA512
9d15559fd2d8eefce3250fab45b57ff7edc210deb04f4b585e81647c6c69f3423b2fb282ad60658e4c5f6642c1efe2f103864bc62eb0930ecd5b41ad70ef3108

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
71KB

MD5
a25764f650797ece83de977574b033d1

SHA1
6030f264eb1f84586be6acb35d14a96a30b68913

SHA256
f2882384190290228daa8a672394086569837f8403ca7596c270fb9a58509c9d

SHA512
974fbd6a7cd544e5c262daf98cb39448292f5bcaa0113a4a51ad48623ddc31a175afa46ef81549a662154ea0b5d201fb7f3ec9b7b735279067b312ff6fd7b743

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
54KB

MD5
eadaacc23ee98fd570891ef3e9530f46

SHA1
b52bf23000bd0901fcd6cacfad5ceecc24136b97

SHA256
cccb9ca2c46eee95e94f8c418041e0dff3d84a98d25a5011c7956e1a472615cb

SHA512
eb7ddd559922f2e11f79ff70a14b49a4e24cfe0846000374af7c883f2f0172ee0acec2280306b67901dd1ab55d0f8d8ffef76a9ec5ee6753bca6d565909dd779

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
18KB

MD5
5b69be5175f65b7cb0a755e72a65916b

SHA1
f45ab6a4c282622b8a2484f8c9bce270dd1fcba7

SHA256
8c36b1647bee0b2cd4a0319e042df3e221279978286395cccb52f60da77d55aa

SHA512
bf8d026ad456e126d0273c88663ecc904f1fb3cceea3bf599770b1a17c938e87f40790b4fcc676afad08cb1a7278cd40aef61a9d81d5f879548786ce83f6e79f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
105KB

MD5
2e6cc59a42a50cc839fc63e8219c803a

SHA1
68290419b83673ff01cf2bd48395389732936e39

SHA256
98bc08a39fc0e80464ceb1868a66ef6c46cc77dffc0c20f7d9ab55a5cf3a09a3

SHA512
5e89967b4c337df9569882d0d846be8890207dfe5b669eee9d16da8aee0c12a39ec745272d91a915a969407732f6775c51bec666d5cb213a8567f77637b86bbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
23KB

MD5
165219079ace9d7891806af527d298f2

SHA1
904c31ff8157ec8f9578c289f23143ac7fb44544

SHA256
cbd1384dd998bdb2177dec33b4d54149fdf5d23b6c27f324d06fa19c531b0efd

SHA512
dfe5d75462fe5a7301241fd2703fb781ed109342c2b2da480e905ad38b41a9b1f026987be8175080323a9ecdab85c03ca28eb2264aa6bc5d24be4094c136dfd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
64KB

MD5
edd5a6be4e597aaa927d83d4c26b6cf5

SHA1
253dbd1bc2ae0646a29be09db54b3be5c60cf5a3

SHA256
b738ebc12705250d0e803eba16ca81a6f12f7a5d2098d79ba833a230b6bc7569

SHA512
a28b069d86c9b512d4983b4babc98e62758a7a9fd4da013646ed3cc6a442a9937ede618ff59e6e56e8dbc44baf6f736a395717026cf163681e25339232cfdc24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
6KB

MD5
fa5f96818d2beebae0896620bc66cc70

SHA1
a6c02e314f68ce406f5cbd052a96fa12f6c5c078

SHA256
3d2b77049d46295d558b19d79773a6cb705df9d9bce5df7a739fab2219dfaeb2

SHA512
4a1b5a5969e5b03b6091efd47321fb92d5a6d73cb3a264d00d6027df972fc51f9f8df3e6da95a3485f2ae19ef4f5784b0044f18b972527a41eae6e73a66e3e3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
47KB

MD5
56d7cae967fcc327a83773bcd1b2cc57

SHA1
86d71c45b8702b7243593ef31e48156da3e01d5c

SHA256
f109503faf5d6fac4437ff211b0757c89cd3214017fc02a4c27844211efd3259

SHA512
35b9465b312dd9f792ac0045b576c5d04a96c2e539f57996a373f4fe6f72b458d65fafc959356843c01380525b9a6abd3fb193b6593edb2f1b341d19980effd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
79KB

MD5
802bb97e8b9e84234fa407a0702fb165

SHA1
a081dcb80d51ce07856e14f8515b24dd2920b716

SHA256
6c5f7716220b866d647c5b475e33c280e6c9c9cb04fbd9b5a53e409bddfe962e

SHA512
4eea4d6f09b6f9145336d633182b03636471fd2528ceab50cb5a5f4ae8d8f18a5846a0ec3d384715dc1279abd2c5eabca573cca403404343f41b151a2035d251

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1KB

MD5
a41ec5e0974ff01c36f13e99008b0393

SHA1
05852023c36b0dd7c690ba564e0cbcfcc52db4fc

SHA256
1605d192fef2397fc74365dbdec2baf18c3067568356b1ec56ea6d0641ed1975

SHA512
1263b7a7ce580c9132096082f5ca5e0d5f6966ba6c28ceb9b9a7bd9d8eb13d6b6df78909106ece2472fb38f70036d87af3042a1ba6ddd8afcd89d1e6efbb6220

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
106KB

MD5
628b747d5d009d095185eefc1accd319

SHA1
ed08cf7f3d21ed297a9f6ced13f536393a3f8fc6

SHA256
2bb1adffc321194924d871dde08c07d3374d072e8a9ad276285a01dadcf31093

SHA512
4a6374dba33eed2044122988aa5a8d995ca848bddfd8c8953f06892a7ae586178a19093c2eb15998a924b6a9028d7faacc8b7477d5139b9d4eb8ab2d0dc4ed35

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
85KB

MD5
cb0db9592c22aefad4a980ab3d8774f3

SHA1
761d84ee2ad4babb50f5cf1689bef579cc3890be

SHA256
232db2a888662e0b94dd7f3a1687ef2a54b9586d92214bb3b96f7a93efdb3ee6

SHA512
67e4487ad3954ed39850a5de01c959ee183821872fe7df1b398aa87625de3e0227ea1a5d0a2ef3d623acec9361b5c4886d2e204e5099cc4d91c78c95327c36e2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
159KB

MD5
cda73769b8fea7085d28a96b40dc3f58

SHA1
13a513135ddca392f8b03a1d9c35ccb8641958e5

SHA256
1d833b3ebfec715c731b3873bf543ea1c07de52ae4e3ea19982db720e163ab71

SHA512
69bd557b4ef2ff8aaa794b37cb0bef920b0b8be9a97e2436c8928092a00cab77d60ce12a10b93dc8457cbe975016a42f106c9e43b2f9006b76c83a23d3a5b31a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
64KB

MD5
2eaa97e10b7b22617d3d52d4bfb646e4

SHA1
636cb79b2fbd19635441e7441efea408cda4c51e

SHA256
3202bad5bf78350ac566cf62c7925dbe2a08cda384fe039b6a9ad0903cac7993

SHA512
cb51dfbcf40fdeb37c438c066ded74ee5ee8f39fed682b45cfe48196f524816ecf29dfd8b3e75b40e1ac8caf92fb6c09fe615c121172da7315fc1e942301f830

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
362KB

MD5
9356a3910f1ec7eff82a7dd29cdce4ec

SHA1
432d40a03f07ba898262e2d20ec1dfb932fe0fec

SHA256
72ac1f7585f5b4b5bf66651f3eee2582e381700cb2ff1980eeb512baf9edbaee

SHA512
7fee110567a49b664558f5ee654a713227bf5181f647426b01b4965b732b4e3991e6e5483178727667febd748eb51f9252e697e4cbebf1ef6f8958a7c1e3bbd1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
153KB

MD5
e7bbcbdba4c920ab8c13d47b7de49628

SHA1
908a3e167b5ee9c4d4cc0db8c2ddba2a8cd7e97f

SHA256
3ec92e3ecf7b6a3d334003fedc7d08b0c19bdfe7d8bb6771565efd51fac2a323

SHA512
dfbe9bc80fd0077bb1956f74d1ff52c9582c0aaa8aedc632c0a1627e12ff41fa15fefc059a26aba99439962a320d180120b6731c43a7f6d50b58313d452712f1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
92KB

MD5
12b0faed0822dfb1fc88a278cb6c02d8

SHA1
c3c96bac94050160aa818908124e5f900fc2080f

SHA256
ee19333f0bec7c74e6aea51e425df2a48c12029700f7ad8e2a52f7b3c9603e8a

SHA512
8f5ac953101cf08050a871eac9311c27d035bb24e0d2989362d704a5944b1a75a8cc498bd32e07fc9de3202fd53999942a60dacac1c8d61f1f31cf580f39366b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
173KB

MD5
74bb0cc2a108f789af36631e76f83d82

SHA1
7e4f1ba6fc92897fd5008401fbb3be9fc6b12704

SHA256
8d175f5aa7174c4bc81e10d0a92f4df5e0f6b35d869d3040299c63b56cdc4606

SHA512
441bfecfeffaa50e5fdad048b261398e1ec2364aa1b60bc090490e91e722bf218b164e23dbaa246e476e80f835eb92697d563e7f19d2eaac74156ea27d8cddfb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
74KB

MD5
a2f4d7efd1e08456b8255fae6f6db72f

SHA1
76495b9234c65f73b5116181e543472bf8625651

SHA256
25d74f049d0b00e683831b2854508e3a8121dd45dfebc4c87d7c4baaae9404b9

SHA512
c19553eaa84a3da17a83e8e027858130676d010f21f2d684fb0bbb3cc58314ff23dc9730453b85f05bc1348be2719b05feeea4c69a7f410aa536c94d11d02838

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
45KB

MD5
8ea7b718c7bae99fe24f05d6071f8d0e

SHA1
a2e37309de5d2ad2a9c261761829a91326c706a5

SHA256
b4d5d13650b0d25d724baafbacd13caa3fa1dd1c704e87884c006979320a14fc

SHA512
072205ac6339fcdb9fab23598f65d6f5c55841c95b7bcfaf3bfc62a61d48ee491b916b41e95f45133c8ec5f13f1d4c8c73bd454daf26f88f60483ed3ea1037ef

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
132KB

MD5
74fca0fa98427a2aafb3a5512d0184e5

SHA1
f5dc0953e8996786b8286c1e45dca99928423e2f

SHA256
91b112d9ef74739b76aaf5868169c36bfac627a806d69656bfe85eb6ac9560d2

SHA512
b7cab7c507d7fe966bb4fea0e10666940f6c0b91506b6a09dafdbd7f86a85e79d8d399da0004190bf1e2a705df6de4c2f94731dfe1f773267f2739767fd54a03

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
194KB

MD5
4cecc5d3e0101cae121dce2f9a3f7d54

SHA1
1a65456ca2f240058247aea459009fcbd60e4aaa

SHA256
2a1e45f6bcc475452d5f26f6d57038f7bea79493ef18dd0ee7bb994e98d5adf4

SHA512
6918216b042527fe276d2038d16a229597e55a7bce811b98826b002a9ac3579571afab6af53d634d8975e2097d38f1b5ecbc24f80cc0bd54721545043b198716

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
174KB

MD5
292eccddc87e3f3e0641c84d888b6cfc

SHA1
f8dfcdeb1e71845f235918fbaa22854394026edb

SHA256
d99a3f0b80479c3d36e6aebdfef26fe19d50060f8e8f9d46ba2984b0ff1ef60f

SHA512
cc156e1319777806595a4d848d57eb3614c5689c86460d46c573630f75b332f660c177e95f0420b66775dbd4cfa19b0c94fa500fa2bbe13d5316a59348464306

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
23KB

MD5
ff74cad9ac6902d1e5c994fa59f53cad

SHA1
ad6f282d8116b5dbf86e94da9a89d5c0beb809aa

SHA256
8eeec1170ac28080891953f898bf4e250b4b23a87a8744d54961707647a40ba6

SHA512
fea7032afcf249d878b79ae0e241d4c67577df82ed5e6804ecf94fb823276599cfae50dff60485f4e0cb435c220c6346cb3accf7ae32ba7e7657f9c1e49e1149

Download Submit
C:\Windows\System32\alg.exe

Filesize
26KB

MD5
da97160678afdd6ea43398e8e31ae586

SHA1
3c823a75482d7b29cc042b167a8a1ddb1b98cc6f

SHA256
df0d86113e95ef7a9fa5cd6149b50eb4969e6b6be81ab4ba8ad9f2f2262b5130

SHA512
8b675aade4188611d6a4429ebe7a558b51596b065eba021b127f0bfd055fb64fbb0dfe66ccb99e2bde9917c1e5efc1b7567ec96d62344cd80468c0a7469de1ec

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
54KB

MD5
55a0a22e8db5c58c3ad0e6016088830b

SHA1
c9cec6faa13507850ba47dec4db7e57819abbaf1

SHA256
38d0871375fb9b986adb9160338c84228cacd2420808b6a5a9ec3b354ed1fa9f

SHA512
6b34416a94fcd6893ce091964507587e847c1f442094533ed0d763155ece209781f581c326b2742b8d4e7bc01832a92f68c1fc6576f6912b023bbd4a3e3e3e9d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
89KB

MD5
71f12ea95927402b6e035f1af8f88cd8

SHA1
32aa83f9dbfa97fbdac6a808cdfa9b33d9dbaf25

SHA256
14f67569c4472552a6f22c2e01e060cebba281735875661a04e69fde9eab1061

SHA512
6b0d2238b1512b3da6aff47b14dc98665f23d0d2a66050cdd33dee209ccd6a488c4df68e89ac0afd380d4f0ae1c79c8a24ea7ee2a99f5df2fcac3423f1c398e2

Download Submit
C:\Windows\System32\vds.exe

Filesize
78KB

MD5
5bbd7661b27a602cfaad0e9b7815ffac

SHA1
63bb20c96fb987e8bafc05573de34415c923d061

SHA256
4e82f48e2b71e4f118fb7ddaccfc067908d9d2f000707c5dc1e4a7813028cbc1

SHA512
2b5087bf80c2b2d660fb7f4d41e6578d401c2bdc0d0c536eea6be4e4fce7f283f56468fdc8900cbff3a5b43aae0d86a185d75f96ef3056efbcd3650bd86d07ce

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
87KB

MD5
3cab2355d52693af50c475f18cdb664e

SHA1
dda0104d9e5b5e7aa4760687eab85600d3a77536

SHA256
b4524fa2ec2396cf1e3bfb62b6d18939dc0ac77345cc4fa99fc90fc1477faae0

SHA512
4b7084f45f42265070eb01e47aa405f4ac935239d87e2c7de930f05e488158a8f06146ac0663245fa95c76b6a9e89ecdfbfe4989a9a32df46afdaaed4e90e342

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
92KB

MD5
f66f34d35a9bb8579a6a9ca1b78faabe

SHA1
17f72aee4eeca2a6e9aee8e240321dc2afb456d8

SHA256
95181b4da44a36460dcba38d0f6c4766c35d49e2381d0ec409eabc055d7a3277

SHA512
5e6ec6ab41f5c2f87e1c3401ea612f078f96de123b98d5c8ec35f37aae4e592670c10df1da2a6700f8e323a66b8674da5302e4ca98ee480b04fb8db106aea597

Download Submit
C:\odt\office2016setup.exe

Filesize
86KB

MD5
97358039bdde316f3c569f368d3532f5

SHA1
0beed01ab86294d505b5bc554c593c1eef3b9a8e

SHA256
0b591fe06a6857f34f2d57d5abf6b1747bb4d66d9582a2270fe92a03d48cf2b5

SHA512
311a51c92441f121a716ff8591058f38e2e308e821b0eba15a6f7b6248b2befb784a21220fc7389d5ec230a32cf575c672d9b2914d47d302cf52761c4a25aa63

Download Submit
memory/548-57-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/548-49-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/548-60-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/548-63-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/548-50-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1364-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1364-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1364-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1364-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1636-280-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1636-337-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1636-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1648-434-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1648-441-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1696-419-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1696-359-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1696-351-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1864-420-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1864-429-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2056-284-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2056-349-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2056-296-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/2144-238-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2144-72-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2144-66-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2144-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2160-234-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2160-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2160-27-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2160-34-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2188-364-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2188-373-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download
memory/2188-432-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2320-403-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2320-404-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2320-390-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2320-399-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2436-310-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2436-244-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2436-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2436-250-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3252-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3252-333-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3252-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3296-255-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3296-270-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3296-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3296-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3296-264-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3352-450-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3352-455-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3576-378-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3576-312-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3576-320-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/3612-22-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3612-16-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3612-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3612-230-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3828-555-0x000001F1961D0000-0x000001F1961E0000-memory.dmp

Filesize
64KB

Download
memory/3828-556-0x000001F1961C0000-0x000001F1961D0000-memory.dmp

Filesize
64KB

Download
memory/3828-550-0x000001F1961C0000-0x000001F1961D0000-memory.dmp

Filesize
64KB

Download
memory/4000-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4000-346-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4000-406-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4340-386-0x0000000000880000-0x00000000008E0000-memory.dmp

Filesize
384KB

Download
memory/4340-380-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4340-448-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4548-407-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4548-416-0x0000000000B90000-0x0000000000BF0000-memory.dmp

Filesize
384KB

Download
memory/4548-549-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4700-363-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4700-307-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/4700-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4724-13-0x0000000140000000-0x0000000140287000-memory.dmp

Filesize
2.5MB

Download
memory/4724-1-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4724-12-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4724-7-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4724-0-0x0000000140000000-0x0000000140287000-memory.dmp

Filesize
2.5MB

Download
memory/4912-471-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4912-459-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads