82d7b8be6ebe6f0f886491c4bc7bce541bd5592720013bf98071c242689604f9

Analysis

max time kernel
152s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82d7b8be6ebe6f0f886491c4bc7bce541bd5592720013bf98071c242689604f9.exe
Size

1.3MB
MD5

b3f8223261706a2594f1d6cc8b48e3dd
SHA1

eeb757b1ce1a41402f0eaccc3c67df5f469b2cad
SHA256

82d7b8be6ebe6f0f886491c4bc7bce541bd5592720013bf98071c242689604f9
SHA512

34fcf7ebe16302df08a42ae8bffa085a1e871a0261dcb06611fe49be6d546437af22552e6872a565894b331f6e8e7a05c5e5cc7986c907a4de52ee48cbaabb55
SSDEEP

12288:v09B+VWMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:v09BgSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1968	alg.exe
5012	elevation_service.exe
3428	elevation_service.exe
4736	maintenanceservice.exe
3804	OSE.EXE
1280	DiagnosticsHub.StandardCollector.Service.exe
1132	fxssvc.exe
3728	msdtc.exe
4856	PerceptionSimulationService.exe
2080	perfhost.exe
4016	locator.exe
2820	SensorDataService.exe
1492	snmptrap.exe
1956	spectrum.exe
380	ssh-agent.exe
2180	TieringEngineService.exe
5100	AgentService.exe
3340	vds.exe
1028	vssvc.exe
2284	wbengine.exe
4804	WmiApSrv.exe
744	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\75176828d8c8c63e.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	82d7b8be6ebe6f0f886491c4bc7bce541bd5592720013bf98071c242689604f9.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_112359\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008978fc3c5071da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f516e3b5071da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ffcbc3b5071da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055e1823c5071da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c57f23a5071da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b091ed3a5071da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc79373b5071da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005adec3b5071da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000078753b5071da01	SearchProtocolHost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4876	82d7b8be6ebe6f0f886491c4bc7bce541bd5592720013bf98071c242689604f9.exe
Token: SeDebugPrivilege	1968	alg.exe
Token: SeDebugPrivilege	1968	alg.exe
Token: SeDebugPrivilege	1968	alg.exe
Token: SeTakeOwnershipPrivilege	5012	elevation_service.exe
Token: SeAuditPrivilege	1132	fxssvc.exe
Token: SeRestorePrivilege	2180	TieringEngineService.exe
Token: SeManageVolumePrivilege	2180	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5100	AgentService.exe
Token: SeBackupPrivilege	1028	vssvc.exe
Token: SeRestorePrivilege	1028	vssvc.exe
Token: SeAuditPrivilege	1028	vssvc.exe
Token: SeBackupPrivilege	2284	wbengine.exe
Token: SeRestorePrivilege	2284	wbengine.exe
Token: SeSecurityPrivilege	2284	wbengine.exe
Token: 33	744	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	744	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 1364	744	SearchIndexer.exe	134
PID 744 wrote to memory of 1364	744	SearchIndexer.exe	134
PID 744 wrote to memory of 2704	744	SearchIndexer.exe	135
PID 744 wrote to memory of 2704	744	SearchIndexer.exe	135

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\82d7b8be6ebe6f0f886491c4bc7bce541bd5592720013bf98071c242689604f9.exe
"C:\Users\Admin\AppData\Local\Temp\82d7b8be6ebe6f0f886491c4bc7bce541bd5592720013bf98071c242689604f9.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3428

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4736

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3804

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1468

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3728

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2820

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1956

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2876

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1364
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 924 928 936 8192 932 908
  2⤵
  - Modifies data under HKEY_USERS
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.6MB

MD5
ba48af006acc6776bf3ea46c7502904c

SHA1
d210b507bfea2d9f9c157a0c550f4a196093f9ad

SHA256
93f2491510ec184927f9a2b357c14d9e11fb2564d0cf6772772c49e1be255720

SHA512
36be089318b26d6bb4bf75bc596a0eed9da1aca4018eb11381cc55a08b50fff0faa885ae9173ef7328dde906fde7ae99d44f5e41048d3112c99b2c83c1db85e2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4369d514c3033a9583672d665b3f9b90

SHA1
f7d634131a5121bf6c33c795a175d2e22c2770a8

SHA256
d6d93838e087f1504cb7333b7fcb243eaf723e65dc9873381ba0c49c6d6bfe25

SHA512
004336aeb27e324c0e930f7b3ac3e61fbcb2a6ca009b8572fc6d7afaf365dce7c9ebcd664b80ee1a566325353c87d8e6a4df576e446e66e6945e52b385a6101a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
f4131cca234def74a5f2174df0ba4c6c

SHA1
7379a9c16a130bc7566e14d85ffa241744405801

SHA256
6e21668071dc43ac03495b4f8e5032c8b3e19eb8161ffff337e26774668de7db

SHA512
dc47edfee1916b7736cdc1ad179510f62d1535d277c7806e600177041245937c799cb2c380d2e8f1d067ce1cc362c0ac3b5c9ade6288aeafc3502fa797399442

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
512KB

MD5
353f5672bc3ff2830fc4f7de65f0e5f2

SHA1
e9d3be8267b6b189c912874adbc0d2ab4fbdce88

SHA256
f2830e4d49b682143e11086a80903c596f706e6d106c385f970eab90f6094be2

SHA512
1ce8fc1e12018eaa6e703bda084b21631a39777d9ac06346323a762d08fd48f2006380808e6d397def55338f462c5508d544ee3de21a30b1a3f7c8ae597c8e9e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
790f63dfb873fb6d7fea29cea145e810

SHA1
781b88a126d2a9c01ceee0022fdcf2eff81983f9

SHA256
a3ef3ebcaad81ffaa35f71b416906581c91a681b2e6598b8fe824a86d0bc0634

SHA512
cd7b49915b91752d9cb1bcf0a4e4f564edb4f30c41b76933b1ef25286b3cb41a9b60ed862d2f5c7886678f4a994d53233abcca1af246ee7d8196994488dc5cd8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
fdabfa870efffebd37009751218ca947

SHA1
06d97345ffb7d987baee3f9073c5169cccdb12fe

SHA256
cad2fc7ef26ed1e028f3d1c25363eef9e7ce9d455a89f58fb35339832cbbe7e8

SHA512
d7417823afeccbc5b5d318c671039c1331f1cb90a67ee698cf28da98c309de476ee49c6953317cce7166f5bc653d39b79586ed9d5b15ac85be0c90ea14a2ccf8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
d683a0d5cbdda84d537433439722f168

SHA1
f932afe9d70b09ad70030a37a3a110c98fc734d1

SHA256
14cd52eebc8039b24cb489da7e148eb9323d29c42ece69a886e656447ac7054d

SHA512
8faf3d670a24bf621b43df6984d9603c51cc732b1d00383433c11def44589534654d4262cf28964570bdaf280570a5b60e2cfe01095cd66e6e4105704d8cdba6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3dccee6b91486b89a5866dd09ac43e96

SHA1
94d9344b8406d2af9f17c4405cd6f9a41e65d0f7

SHA256
d04263f8b671ffe05d4066f04a16de0f19bee86f9e02a90da802909416897d32

SHA512
c74f9158e535cdf61dd9baa62ed6247bf89276f4c6f60e52863cb69f39b88ae5c3f455822d056d6d72a82672340d1f1fcba9577465dda5295db917e427fcc31e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
192KB

MD5
a29564880e51cb5a9e954d81dc97c802

SHA1
63298ff819033b03c10fbd882a44bb22a1f2ff18

SHA256
ff3e532f9711f70fed4ad66dc260aba205b3dadbc7724b8d5d14f059d35830b7

SHA512
946425703735b1feddf689bf7c1bf83039bd0dbaf953604ea66da32f3a5bd133bfcdfcde9df3ed3c873497a245138881b53e1be1e0625cbc3d299ad13cb7b364

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
192KB

MD5
dbd502df82b31f4e2874b162e8471ded

SHA1
a8b3010aeef1f3663fd1ca2c054322c79710fb2e

SHA256
5c6382af7b53fae339b4249b494e53526b954102466723096e2d9a08e883adaf

SHA512
f585484aa4a7aa2ab44cf30846314cad353ea387403fcbea75e4a15bed33391bece2d798b29ba349ce8c3d847ea449fff277e4231d86277332d32320d4c72d71

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e355e24281c0821dcdf9b0253e875011

SHA1
7543f87c7191fc469d37f2e55788886fa33f55de

SHA256
6ce4b26be88e84103302402411625b62c167078f1b90467353fe7e731d53124f

SHA512
6a8623e6c314b60b3ad6b9b5ab41b6a07fdfdace3b47bc9fadca681286ebe7a95b700515c2351910f3d915332c84930dfd912097aeb4ac9f678793a7a6d48450

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
65d33df05eb283d2d2083419e2c07557

SHA1
b9d9c7b93dac99a54f204384ea9ac90e978675d7

SHA256
dbb340848ca7dea7f98ed9714217c9c0166af8d28f4316fe9ab9527f467f653d

SHA512
8b45f0460f3e97baa9772f1bc853b37b1023585e9e4883436b636e877db9d7b9ba665edace01c86dec3c819b94b43e14513f1663634be813a19ec1396b185408

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
497771914903aa6c184938847e9f5e9a

SHA1
7d14eecd0b6213402f8cc0a4197154e91d19eec8

SHA256
5f55c8ec9587d8b00b988a979159f0290e41f246b1ebf205652520db8c26cff9

SHA512
b62f4b4c4c33610221b8112ed47bf6861866cfcf6e7f07d2732640d7e0069cc5b737c1e81dc380f774a8f5a7cbc777107a99b5d0c991ed0a176a29a231f3eb79

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
7e0189bc426f3dc74b48482a9ea49f0c

SHA1
d20a346f75258662ca33bb4024e143c999c2b30f

SHA256
cb87cf2fbc8606944ecc3dc628922bc4cd434f75f17435947a8c44c5faf7bc66

SHA512
e1579d7203b5f4c2a96d59643e6b5d5499780cc13cf9b1f2a2135444d77646c301b0b84819cf297554c4f3d975fd447d9bd670e6cd6190ce4166499f8d702e11

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
896KB

MD5
665c1d28b1d71d42d1e14b6d862682b0

SHA1
226c42c89800b88a82eeb2f1e60ba031ebd3f498

SHA256
01ba6533f1daecd2eab30ac038109b146853747863c2d81bf764e654e455ef41

SHA512
a0543e659c685c3790b9355428e5d7315e213d08d050f901e36b914a9b5c14ae58df1520479f3c6063b52805476c5661abe433f8d6fbe59bf21cb3d6f56c301b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.5MB

MD5
c9217c0bd81cb1cb261bf98e17446c89

SHA1
352ad779def1fb7521150b92df13d8876a9d45f1

SHA256
6b2a78a3a16e3a5f541d6ec78dbf35a753fc0ec0cd89f7bb770a3a49abd15441

SHA512
420167f64ac32ff6ebbea7fe331d82db17a20296605b0fc59f0d701af577dd358618f20ab4c793d8af560a5632cf0397961f5d937378c447b022c7804d46bd8d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
64KB

MD5
35fd00d746253164872a4e343b0eb98d

SHA1
b9f005760d477175e1c0b9fc6d2f3c7a43965cbd

SHA256
f022da88c5a1b65fa3cfef5956175b8075e8b2f1398b9ed2c01d32a29bfb388f

SHA512
1ea786024ec3f2e87566994d2dad3275e1314947ea4c449fa90dc7f79f6a0d277f8fbb10e6c207a02b3e36f77fae66bbe273486406d70dd40c5a9c06086eae5c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
cb3007537b6d5369f7c18b2cf3bdea25

SHA1
ba82bca1e78ae9171c7a3bb5599a4260ee975693

SHA256
14f5fd64ecde1889e1bcc07ed596734161d445e928bcdd6e0a925ec3fb4bfb08

SHA512
0de2b5913244bd7e60d5347905d4389afaca9141ac1033e0758e8e11a605c6a8f2734ca73a826411061e60008da272dfcfe6e9281ae74bee4a7026d4a7862429

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
73fdcf73ef8d2d992ad74bb95537bc40

SHA1
979d98a2c329ba47b55a0f019560ec7971cb391d

SHA256
f439900179174af1c0cebea203aafad55dd1dcfd94bedc7a57f25ede9af6c553

SHA512
acb4bd7ad8555fe0234f0251547d7ea0bd880e9e3b004dc5da7b094b993fd6b4fbac88a60ec01ef89b787af98c832a3c0a54d8ef522012e69ef66fa55433bd27

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
92c8bb7f2dc884fbbc0823f0d99735e4

SHA1
3347f42bcf8b0cae361dced73902025f157b708e

SHA256
abb599f72cabf60960eec70e04cc4a9f2b938f9f0e9bae33af8ef2ce020d4b09

SHA512
3acfd6a68b418f6dbf0e08a91526af75605c72aceb7d3341f6007922192d25ae7061ec8a6c574e21692aff0242d707f14dad7115ee7cd96ead8247c590578101

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
f1c4265aae5abe779654d1ee9f599fb2

SHA1
1fb1c3bcc2db03053b00183d5291f25673fab58f

SHA256
7f27b33bf26db2f4ad196816f754603e61bbbc4344b31d3ca131e84c96179705

SHA512
b6e89b4dab08a590a349c6dfd4c49fab3d68321abf0b871d6fbca4a037b831646b45b2e8b38b25ed353a7562e856eea10252e2f6465b2f825c16749974fdb5ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
f2824cb08cbec214fa7ad5e6e5cb25ab

SHA1
9279ce4284655d6c6d66bad561fe681038fccc8f

SHA256
9d7111f240e4c95908a61bf542f4f11a9b13019446df12afee53d9bbdae3d0e8

SHA512
f48ed135575455e4bdd42676d8edde75cea1d56e1af89ec12a05d7d90904ec1088e06e941afff6a8e632e5fa806c3bd410898528873369bf52db9a9f8d6b6eda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
32e9fd5a92d681a8584316686520dcb9

SHA1
4adc6949295540b15ef5eca6737996a035b8e35a

SHA256
16d820c8aa314eb757dcde63f824ab79a1f4b41b84260b29b5133dad37670675

SHA512
b070a534ee29f16fb7005e58c733f9c19a498eee3bd14d47001286e56af2d19f51d02f43951f847ebe2a0e41e4b9b7a4c8118560405c23725862d269baaf2470

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
b5a7754d84107029d0209b1111ac7197

SHA1
c1f057b40ca6fd78dffa56263a42f40c5f6bb105

SHA256
ab1ad542aa6a750c86ed6367ce3f1ce6d93d7d90fb0c148112e97189ce886f5e

SHA512
678ed359439a132623a61aa152659f20adb1c1ce3e49d8685ab362fb0038008018bff574883e1137f71efbcc3fd815ae6580ec6771fad48aab2dbadb33fbb66f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
2ac91f2bdfbaa436d53fea5b32698444

SHA1
ca848c0e05138ded561ea6d8beea07c273ec80b2

SHA256
3cf65f1f9988810a786cc36221196f1389b34d6fedb06cc31a0e91f6ceffb6d5

SHA512
d49c33187fc08872bf3fafc4b826c3b3d077c37d5221ff57bc60868d72edbc69ab7057b101001de28b99a4144877c0c6178c9320541b45c0269280d11afc90d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
e9ab955e86dda7a7d5d6efb743096bcc

SHA1
7f8b262ceaee0dbdc2a4e366deac460a42fc763d

SHA256
8630c3a9b737e4f9d241ba46b8042d00285d7753def9421d7b4cf06820b42dc7

SHA512
5349c57bc63a85c57b6c2412dff3ff6aede0080869b6d3a01de319ebaed6adbaa8144b2d7cd3aae0af7104438051679b156e32665205832b4386e476bb3dbb1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
ed43b4dcbcad03aedfb611ba3132db93

SHA1
106546022690847427ce299bf454359715af8786

SHA256
979a79972c76c1e4ac276f46d0787e1a689390b857b6d45e2b34c4468419e3bb

SHA512
e2025b1818c987f985e02b5813a095f11f13906569bd1d7b2fb53a7f9b00ee384652936fda16626717272ea042395cb487e88f452ed75a5c5adaa95bd1c1100a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
fa9272650487c87179cb9b3468f44685

SHA1
0e202a72242d7f30afa19f77f619059ca21082f2

SHA256
1803db92a8b4f88c4a3079eb0b5908cb331a9ea6bd34b49fdaaf10bbda25cc8e

SHA512
17b37f1acab108c0fa6e6024722178962bbf35e3dff54c325887e939b7e1ef6743bc6b00b211a7ba138c92a63cf2706c7b0cc803b2df390288234e4e717c634a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
0d5bb5c21eb193349bc683e9b225fb85

SHA1
458a8d1245a25499a3eb91abda2fbde0e15341b4

SHA256
87b466dd60f268496311f1d6537c92605ae78fe4fd8b4b0c2b7ab0b368fa4381

SHA512
c2226bde6971c57115ab8f641fc7053b42a55101de5577bb683b822a44985bce169d6c8c3a8614c3cfac31e7fc440bd742e913d40117fd6d787e4f0acf8ccdf4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
640KB

MD5
679c1c205a04ecb4c0e3659a8e4b7075

SHA1
109c6731298042de0c3d2561e6a527cb9192c4cc

SHA256
eb1dcf319a9f03e3347e323a19f315031d36d44b8dfb3911212e9fabbb972429

SHA512
a079dceed6350968c3662c083388ca636a6a8c5248b4184ee713408fbe8eb28b42437aa3a85d9aa2ead9b075e79a6c56942144faa1420bd49c53912477e77546

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
640KB

MD5
529c1f6df91fca090b21063dad5fcf4f

SHA1
61878b26c97ec8e3ed31e755bd03d76583dba3db

SHA256
8fd08b58a7bac0e910c271d0d2de49d2fd8490a234a89be4a97cbd9171d312a8

SHA512
e5436c2923d137ad17816b97170870ecc9b3e64d7ebacb005d15dbccdf4b0c55d0fcf7f42a8350123edb307e3513aae6a6d654795870ab95630ffa24c4c96c12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
640KB

MD5
1af8b05929e407557fdde398170f8a2f

SHA1
d703df80c8a8b02df1e48ec2b533d300660241c8

SHA256
32ee100fc8430b1c43112600d38c9be2312933832afeadb418f15b69fb10d8b4

SHA512
99b079c10eee8dc6e8a0719147e37ed69687f79e4bf5f5bd3de5604f4a1c58984a6e2b9b7d530866e285083526caf8f3aea0075718e9409b277497e7230bfa6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
576KB

MD5
e88cf39126ca5e350511a93e7e867db4

SHA1
a41eff664e29944e4381e273de440aeeb4458ce0

SHA256
0bd9d12d065bff509ffd31c3805151d050c786d31e131445d4b433b58d4ffd77

SHA512
9507b03268aa13a1f73481cab4a042fb66372d0dcab69dd2eaf9ea57c749577df49df206c2fc28c360141366a6776cfe763261d5cac330abf6e7c93b2cb19a3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
576KB

MD5
ee7969ea673825cb4a6ea5332098b80a

SHA1
66733a84c8ffc40f1f4c3cdc5faa84476029cb5e

SHA256
bfff4064a9f17899a10a16e1663e62411e50c5800d69cdbb52c51eed314a7fe9

SHA512
82d987fc7329cdba80b0ec7c682b50d97551291c737a4ebfe187e43f2aaca2ae5ea649045c1ccbd2669eee6e352ee5b22a7889cc7baf29c9df4c4e0a3b15da9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
576KB

MD5
b286bfe55a199f2279a6cebf5885ec55

SHA1
725de9368bc48b31f052ca56d54cbe7366674681

SHA256
c8bdba3b610ca77cffc7928bb17d07c580953f5479254db8bb8c52cefa721280

SHA512
5f52f752c41251c8636e302ad5e00266151fe86ccecad7dbf79b6e4617df6e9ea7715ffeec3d8b296da12ecca2eff005533c8f68a6e2aa726227c926b6381c41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
576KB

MD5
fc33802d10a8678d8d796e8b2052a78c

SHA1
b033a051254ed9b51812671dd4961eb4e2bef8aa

SHA256
04556840adb72736f9d699cd8dcf75a9b09597744d3b6e69eb92f3c914a87ad2

SHA512
a139c70eecb78db98bc8b8f2011b6247f20ac2a6ac4e0345cf44e6ea433d9323f663d0ab619aa5f6b700feae9d5afac54dc19e46fb7e9c041ce1efc10213b134

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
576KB

MD5
d730fef48d84607f89c1f3375f6e84ee

SHA1
a60ee558e2233e676823ca82e78c73faadf78369

SHA256
d9722e8893601da88de53fa1cf9b4f96c0c647dc8f44bbf3a203124a245e23f6

SHA512
9f15fdbff9cdb616295dde10a86a707aa6dfba54d522bcdbd05eb2d70f6484b011c994e1935bb62313ebbf16d5698ed4c4c0338bf17dd57c461d62468bbe8f41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
576KB

MD5
242a9dc11aa62a1cccd72765ae2c2831

SHA1
b6dfd7532ba3c5131f8731556b48660a11e552eb

SHA256
3c418fe7a59c7a04ba793a2b4f1403e62c22e9bab6cb5d3a9fad4c49a9d9d1a7

SHA512
32f1e47677d6609c78ce09845e362f343a446168d2a232cefe979ba00c059ba3ed30a4a21fb38349471a0ae098b1a40afe86496dc9d88e7769bec1a61ddb8eea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
576KB

MD5
51df50bdecfc7ff4ef06c55dc32c3206

SHA1
fed8dbe214091cea5c510ff38ea419cbc29968e6

SHA256
0dc3a568a43a1ab427292fccf3d6d71ccda95a41a428257f48b65d70526a7e9f

SHA512
189824fdedca9f9f2939304a96c0a26d6b871427f4cfaca6924a8c0dfb63bac5c2e9a1ffe0106f48555688ff6225fa734b2b67b9b5e5af20dcd05cf8b84d582f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
576KB

MD5
0278eab7dd527917b858e1e3e29c669b

SHA1
720280384edade6a1d47c09a48c62c3ec37f6162

SHA256
6e8172a788d2b9c18829d0005cbfe2f78f6506637e99326da8fa4edbb09ddf3b

SHA512
5759f11b093165c42fd9c255bad1aa4fff8bcc1ecc1cbd74720d17735d19099ec96b7ba9acf7a215ee46477c5f6821431ceb10955f6032b061f077a673c7a093

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
576KB

MD5
97a23a56ff6263c633c3436380be7b67

SHA1
7b9a6dcf418e7ba46afe135527e7840e2b67f4c0

SHA256
853af11ba7dc0eac4e2fd1451c48493c35a521d4424ef4e01b19799bafb9be22

SHA512
af1a51b3bcf49a03339033dc452f77cbc15a8d7ede0995aadda94c626bca6cfb1928d689f1a618ba5a3c62da79b1b81643e2667d3a37596b03cd1e514f2bdf89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
512KB

MD5
dac1dfa6da0b5c2debffd558a009bb21

SHA1
48eb8b6727387b68e9b48a1be0b664388d527aaf

SHA256
5940bc5eb39af551edc7484597b224be6f48378105b1d5c2b04d3640c9c037b8

SHA512
53289ea567717a3727dca3ab627b7f0c7b458cf509c6522bd13ca623e257c486767809b527cc212351dfb34b10b7a7ea4d8723fb8c4a3386eaff2360aa4d1131

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
dad2cd939b2c89e91c229a69988c748b

SHA1
235caca2cd5baa08695c8f16d3a568579008bf7f

SHA256
5085ccfc3111bf147ae681d38b8f24ef3d2e290c828b88db391b0384d7a158b7

SHA512
3e926995e94c743bb28bf071a65f64dfb6fda81fbfa9b9db0925d9f5f250ff04174cf5cd3e83b6139e3ce041f7b684a2a87894ad8e14db99265a7011c167d9ae

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1f6cd5997d32dbcbfc3bbe52422c190f

SHA1
41008b02c3a9e1012fd8d1d7cc4c2bdf80a87c28

SHA256
9d516c0bd44f8ee9c7885164af81bec9ceee885befc8c00a576b47f24b955abe

SHA512
e4d39389f6da179eea6616d153f7c09a96ec256bb075d56413332a80d4f4747200d4a2f48eeac9e51a130f41dba8a3e0eb4c61e9a9fdef7fc68501b46336ead8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
089cd6a6d928d491066977e9afff3c73

SHA1
edf7060cd63fad3b7a6168789f7fc4ce763fb765

SHA256
f793317b67ff47c453c89b4b2bc891d01776584d2b1622cf82ec07ffb8df2da9

SHA512
76da5435851bde76b919a8126d0b7249bc86d34ac02ef6ff8cf821859dfb916209fd1de9d0e167db8b575352b0c17eb35ad90129d1323a985dffc38712839254

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
ea76975c694c77dcfb334721abb14e7e

SHA1
9469d2880cafafb8d8165f5a33a8db2438b19fb9

SHA256
ef50055f32330d4e801ff6ec84ff24ff854ac863f5f2abca77bf39916afe64dd

SHA512
6b6db5c2c8364bd4483d2181149a44cb53288e4506e92408b10e2f74a88b7c9610892e64b4328f846af757a83b0e29329424c5c952425a72909d61805c034525

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
eed82238388c950929adfc5d24294bf9

SHA1
5a81bea95985c604c0bd5272a1400896cbd9bbe9

SHA256
5bdc54a806d5df0d7e5470dc25a13cdb3dd1da5dac12a0f71b5ebbe9895cff34

SHA512
33f98f85bb61fa09aabcb85c95654830fc0250338a7ba24d9d40b5247b042bef17ee76ca14b845e88e4289c633c1ebf1cf0f2a445dcd0467dee8211da817b7d6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
960KB

MD5
0b0ee7bcac9058209556b293df4ecc4e

SHA1
97698f4a1529f176d2de98045ebbd087a9752da1

SHA256
2c4f1119574a942ee3edae3722e26570549d3799f4a0accf3bf852c623ef0253

SHA512
b4431d2cf832e94be7616848dd65ee37c58112066c5c0303697f9a9e9487eff119cdd46bda5d333f926aff5383c0a1310e3eaaddd48298d065fe9e10c70d74b2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
576KB

MD5
313cc1d018a59d09af6cc9fe23cebe4f

SHA1
da2379ddcf2de568107d3a890ad2e449e946d170

SHA256
f1f9079de6c6a5300c7b16f9f2c828c5a3af2d11e20123ca9c6ce2c495398e08

SHA512
b5b82ee22fe60baf25d98306da6f76641c72512d5d9385de0f39d6dbf8bbdf939e3fc60fe1ea16bcabc5fa4b5825c30d47683193e754119c7b2278869fb349fd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
320KB

MD5
7228ae50451f09eff4016417bd4b8bff

SHA1
6f59256bb54c74ebf41509aa868a98d10c5f9fdf

SHA256
cb5cb9b12dfed5fd8eaca4497e020e64bbf63fa3f7030123e0b4384380d346ed

SHA512
15f21c059c9dd876bfff47cddeeb8cb08b2b858dd33febcf99fca2700dc2c085e856a7d075d079d77f46d2b32e0cb68b8598e63793c5c03e612719a6c84abc5b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
3c8cb6b1ab99fcaf2b5d66a8593e13b1

SHA1
d6b559ec0d5fc196db911299585926daa80c5dbd

SHA256
80c06f28245704f6d7607a146fc8c33482b3430f8e3db286dcb8be23b05adf59

SHA512
f673c2ae83c50641aa5ef9843a9663b6497c69535c77fe8a533414036b4b8386202b501dfce9b9003bedca5ac357e7b8df7ec3358f8493187c2f35e8c1c32d01

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1d81e085bce9a5f75bdf23e7d2e876ff

SHA1
7b94965796622b51f4b6b9be47bccfaee33c2030

SHA256
28ef2ca7a154cb17aaa562e5688335e76fa16b463ff181b784899c073876b474

SHA512
c925fbd244e169c5e4b2b44e72c6329ac9988e0f4237b756780011e17926e4963c972f5d9b94d58c015e8c626722603841cd8ee7630caebf6866c561b24cd07b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
99dcd1f23037e021832c78697efa1123

SHA1
730da855abd525c5d327c7d9b63895002c84bc1a

SHA256
5f0963246d46f5fdd203cc5a2f5871f6cd031c5bc1d52739d9ced31322836733

SHA512
687e76baff2c9ad322f642640e93448fd9d5a8611ff34d6a052e7b0d2f8ea520f008c2270706c595c56aaca4c059319943a32d5c882c41ecf465ce8478c4e549

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
314861ea7ab6b708653472ee2f8e1c0d

SHA1
848ac25d930a104511585ab6e52e7ab3ce9b9ebf

SHA256
e9c5c38e904281d74c13a256e4a6a5de41beb96a3924f394f088f1a1667ab52c

SHA512
ff653ffa9f93d3c3d10a7c48bde9486f87bce9bc41982669136b2e0e879bcad2990580ea84f72ccf9d57b7b0fedaef8eb616a5307cf4f50fd37a2570a0c98a11

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
31e7b9de49b2104d7592fb9f0b755314

SHA1
84332bc8c538e0fd1da25549a89ef59c0e973693

SHA256
cbcec6fb4bc4f31de57f0fe083625c433af31e05bb0fe1298cfcb6de4e75c286

SHA512
18a7283f769511f1301f82ef4394a5cd0012142bf4fd092a5df7912ca390dcc398513487ae381bcb28dc5ae513c059ebfe440d009e75815a84c1db1dde26b76f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
44c8e5e15810fc284fa6b7812d26de67

SHA1
8fb17af1b13840bdd60fd88d1c8b1607e954d5c9

SHA256
c6327d5d61fd23b1bfd34b1b41695a52153b7726508d68be4a221b6e81debe5e

SHA512
97176a66e0cd2749b40269f6e1b85a8a0aef84cad2bcf37f0880b753cdefa48ffb9ffe460add802affd91eb1cabb5614eb145499785a904890bf103c9fa4961d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
f12a8518c30675b748beb8ebe5aa84d0

SHA1
b603c5b9f32c5454199b6a43533638f19e4fcde1

SHA256
f8f32fc45ca5c8b8122c96822b886c4750f4ed0d5137ee36f5d98637b8059403

SHA512
872ad43d8eeef934c089250d9f353d01d8e6afbc931d0a156b036b23d69e5fb026e362880f3416b2f7c6a5bff93a954db148d6f666e4c3b85619f74bcbf74ec9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
a05a21708550403dfc6b04da6c810ae8

SHA1
2a9283c3d526923584fb5461443da147364123bd

SHA256
e838dcad5e94a82035efba84017144d8536dc92056d3c4dde50ed23af31c2326

SHA512
bf21ec902b3fd4f0171352c4e17c3e71f3606ae2024fe4936bea7d33ab79a0620125aa423110b84b27ffb76e4e5c1b87b8ce4f71fb46f6f453364e68c32e03f2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
86f0c6d01f7a331a744337a871367b4b

SHA1
1a2d98237038071429300bf10d167455ad5da076

SHA256
ef185b7dc0dc8938379a4cc26b149800222ece32fd1ce89408fc67df7d0efdbe

SHA512
442a68862a43b6fa86a625c2045804758059121a009d416a8247c893421e0bad93ba872a9f41e7be5778f5bf4854836719efaf30f02873a64ac41f91a3ca875c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
09e486cab7333fcb08a31405eea99185

SHA1
f0b6afc015904dda3e95523171f97dc73949675e

SHA256
9b6b8fcf15847a0b8e35712744bb1ce39791f345a48975e367e413fc345e3b50

SHA512
12c150ffa4fc492a69095e6e5bd05e650ba5b1a0abc2e5ad9549353269d6d549450e8242c7255fcd90434a4a29794ccead892751716b0998e6b61e7d2849acb4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
66ad184158befd921af306f20dcb9a46

SHA1
baf7a16ccbcb8fb1390505d1d44f56ae83aa3ea1

SHA256
0f401dada4764c0080ce9ae30c680d0505a518782fdc44a5042fa89ba9cf4a6e

SHA512
79d5fefa747fd2f14fd8c768f576c8d781e7a759fec1df961d3a99cf8e41cdb97effa0b105fbf52194fdba0598bf4cee258718691a36a3b2b4b2ea9d4937baf4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ec142e9cbbdda126b64df23746055e94

SHA1
f41a71382d45e591e1c0f9659c2ba785553f84f7

SHA256
5c9c7f2fb6a5997616871dd9b39ab74889572f79e55e64165f4ee2d4b04090c5

SHA512
60f22e9c21d2981d413807300584b1cfab855823d9e8c1998801f21983172f9b58323233c630b296bbe864ff02c6b178837b516393196b14c35ed534e2a174e9

Download Submit
C:\odt\office2016setup.exe

Filesize
2.8MB

MD5
75a4c2448c95ecd49b9d60832b994eb0

SHA1
ba8f292bdd1d2d6f9463a87c2729e4d83e9f8884

SHA256
63ff3a7c5de00c4203f7cac816a86b1441d4cf6fbdc5d467c2e1b38773b5ac46

SHA512
3e3eeee91a5f3d8c475102027e025c15b159d894fddcb3dc4e73e29651182be5e4168db20a374b6ff7172290dfc708d08e5b4b86b48cad5b2bd733212c5ff811

Download Submit
memory/380-438-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/380-371-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/380-378-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/1028-435-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1028-428-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1132-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1132-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1132-258-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1132-267-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1132-273-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1280-253-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1280-245-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1280-313-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1280-252-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1280-246-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1492-411-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1492-342-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1492-348-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1492-420-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1956-425-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1956-353-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1956-363-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1968-74-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1968-23-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1968-16-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1968-15-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2080-302-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2080-375-0x00000000005B0000-0x0000000000616000-memory.dmp

Filesize
408KB

Download
memory/2080-308-0x00000000005B0000-0x0000000000616000-memory.dmp

Filesize
408KB

Download
memory/2080-367-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2180-384-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2180-390-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2180-451-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2284-439-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2284-448-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2820-394-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2820-334-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2820-326-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3340-412-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3340-422-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/3428-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3428-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3428-196-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3428-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3728-274-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3728-282-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3728-339-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3804-75-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3804-67-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3804-68-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3804-232-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4016-315-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4016-381-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4016-323-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4736-52-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4736-65-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4736-51-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4736-59-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4736-62-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4804-452-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4856-352-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4856-362-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4856-287-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4856-297-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4876-1-0x0000000000B20000-0x0000000000B86000-memory.dmp

Filesize
408KB

Download
memory/4876-7-0x0000000000B20000-0x0000000000B86000-memory.dmp

Filesize
408KB

Download
memory/4876-6-0x0000000000B20000-0x0000000000B86000-memory.dmp

Filesize
408KB

Download
memory/4876-13-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/4876-0-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/5012-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5012-110-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5012-28-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/5012-35-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/5100-409-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5100-408-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5100-395-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5100-402-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads