fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c

Analysis

max time kernel
22s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 13:14

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-21T13:15:46Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_23-dirty.qcow2\"}"

Report Analysis Logs

General

Target

fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
Size

1.8MB
MD5

18e372553fb80fbdcb7d041156639ba9
SHA1

dafd4168c6225447b8271d13618dcdea7af46675
SHA256

fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c
SHA512

baaef0f9d94b87e742ff0eba743b034860136b111acf5a27977956d105630d2890dd0b47ef9e6713a02aa57d907180bd8e4ca10f849dec16bb72b540cf06238e
SSDEEP

49152:kx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WArFO7p+5gRwPHqqgvNxnz:kvbjVkjjCAzJLp+50wPzsNxz

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1312	alg.exe
404	DiagnosticsHub.StandardCollector.Service.exe
1452	fxssvc.exe
3372	elevation_service.exe
1660	elevation_service.exe
4060	maintenanceservice.exe
3240	msdtc.exe
1560	OSE.EXE
1240	PerceptionSimulationService.exe
536	perfhost.exe
3460	locator.exe
1480	SensorDataService.exe
3008	snmptrap.exe
4172	spectrum.exe
1924	ssh-agent.exe
2400	TieringEngineService.exe
2424	AgentService.exe
4480	vds.exe
1044	vssvc.exe
2200	wbengine.exe
1164	WmiApSrv.exe
3220	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\vssvc.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\spectrum.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2ce8fbb9c43e60d1.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\locator.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\System32\vds.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\goopdateres_iw.dll	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\goopdateres_mr.dll	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT324C.tmp	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\goopdateres_ta.dll	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\psuser.dll	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\goopdateres_ja.dll	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\goopdateres_vi.dll	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\GoogleCrashHandler.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\GoogleCrashHandler64.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\goopdateres_it.dll	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\goopdateres_ml.dll	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\goopdateres_sl.dll	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_72093\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\GoogleUpdateCore.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\goopdateres_is.dll	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\GoogleUpdateSetup.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\GoogleUpdateBroker.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\goopdateres_bg.dll	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM324B.tmp\goopdateres_et.dll	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 39 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa7fdcf2ed93da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c788d9f8ed93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e01d0f8ed93da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5c3d4f8ed93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c04bfdf8ed93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be9dcdf8ed93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6eee6f1ed93da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000472701f2ed93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3604	fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
Token: SeAuditPrivilege	1452	fxssvc.exe
Token: SeRestorePrivilege	2400	TieringEngineService.exe
Token: SeManageVolumePrivilege	2400	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2424	AgentService.exe
Token: SeBackupPrivilege	1044	vssvc.exe
Token: SeRestorePrivilege	1044	vssvc.exe
Token: SeAuditPrivilege	1044	vssvc.exe
Token: SeBackupPrivilege	2200	wbengine.exe
Token: SeRestorePrivilege	2200	wbengine.exe
Token: SeSecurityPrivilege	2200	wbengine.exe
Token: 33	3220	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3220	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 5348	3220	SearchIndexer.exe	114
PID 3220 wrote to memory of 5348	3220	SearchIndexer.exe	114
PID 3220 wrote to memory of 5376	3220	SearchIndexer.exe	115
PID 3220 wrote to memory of 5376	3220	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe
"C:\Users\Admin\AppData\Local\Temp\fb5b443ca3a57ff0140bb9a881fd87fa8bb5d747350296768099f3de05708b7c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1312

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4036

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1660

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4060

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3240

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:536

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3460

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1480

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4172

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:216

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5348
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9ae74a61a50b295b55d87cdb9e2be09f

SHA1
85d6e413f81ed7e593c7af71556b3e99af9ece6f

SHA256
caadb5c7e16f0b4447b83d4a1345be0c56aad9a7722922a8e89b7ef72c5ea8dd

SHA512
c99a6d68a39630931a565805e9cf838f6add02bedf43ccdc69e449517671f59320130bab4ac2f6e8845cc3ef68d16d63a090d1f724ddce03aa5c06354ac04767

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
9dab8360f3626a2e43a60307a5daeb20

SHA1
f8fa760568f64e24626db9126068639e60eb7aa2

SHA256
518281071d47ab249f8be1a8d3181cd9e60e6201b62aeee328212059b6c139e2

SHA512
258ace7efc21c6e33be924e527f7bc0e56165e9195ebebca64da97002aa9633827bb7df06b745bcc50c3af084901febdc862173a346fb4e4383ef32cc0600dea

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b07349f55c3f9c59712231914690115c

SHA1
6a60fee277105d24c13750c3fd5c5ff6a5a6805d

SHA256
d3dd04efd1e3d74ebd0193109513830499742cc11f777d563b1937380cfa02fe

SHA512
ac5b1b37cc224cda674df3598154f141a2cedb4e486b350fc5fb3fba039fdb09ccdebec7e44c5b5278b54ba08e1a41a008f91b31ebd1d3059087442143acad9e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8a74fa6f47412205e92118cf6026f47c

SHA1
76ffda99ddcb3582e96bb7305204ead12b6c1ef9

SHA256
e2ca5df2a334673c51891dc6c3ccf42ee45c3efc68c43504868f3f5d1e820578

SHA512
5df79f4a843418585ab21e287a5d40f6b5647f35346f1af2878e310796286438ee5cade388c871265cfef8ed517d8dca69bd9b23fd8d39721d848b73f7c32f78

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
73a5e5eb1b5373d7a4efc0d6f99e62a7

SHA1
adeaf62ab2ca525fa58375763149b7938ec9d10a

SHA256
f626f5b594d9047bc4899ebc5f73aafb41c49ad075b770eb00efe508b01c5be2

SHA512
80f3f857b60ee533874b344fe2ae2d4ecddeebfe9b8b2c985f3961f639503c13bf8cc0db9212b969286550530bd5cd451aa5ec3c68f2dca1ba52abd5cb2b0222

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
665c99a4601f64cfabc4173f22002d01

SHA1
a79a79d92086c931d40662be1c7da57abcc1b71a

SHA256
d99e7a05db7fd1171c75a3a1bd6af217309c61c494eb30cc459a054508a294f6

SHA512
823a46b3cf14561346393845135c66a82d8af446f7a18d57bb66fcd05a0e57cfef565a677c2f99ad5363313023bb8434d5c162f1e1993bf7d337c79c1623e174

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6790c7be1c83871d4d8fd063acff036f

SHA1
251fa9dab5420a46501b2270fc2e4f9cffb57e86

SHA256
d4a3b637e2cacfd629b96dbc48276d1cbe2cfa95473d255826966bd87ef69230

SHA512
3eb4d3b18b9bf5b397ab3475daaf809cb73fe65cfd848a2355c9cd3a55071e0766e501d858047930cd89292f4d049f0aec85b3b2bcf8415bb4d32c8d208971c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
43791444d422c72884913928808653bb

SHA1
dda3153bad5942bb5b5f7fb1bbbea2bd20405b60

SHA256
48de7ff380f4a8755b42640bf6b792189f9f1b84da918b489399dd9e11b2bc1c

SHA512
e15f9f1f62a000edafee36cb37c04f663adcba448340aed35bad682fe1f88f75fe32dc9c53b4983831343fa89d2a4434d88e4311eb5e9cf20232bc3870e9f6c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6a9f33541aa592a2325830aa8f6b3003

SHA1
1e58612736bcf8c0974b9389a390f1c3c18985f3

SHA256
b73cc463ce15893e1f7c43d00eb7fb43d09c0e37df8c42432a39f5e18b33cd63

SHA512
b6122ca524a5c86231b51424b7fda5b69e22ef59567e814c996a5ff598f195d0c3da33932eae6bb035db206e286bb8fd2b58311fc024fc16f7ce0a9409bd1153

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4fb8b81e17fd9be57a6abcfe4541cc37

SHA1
94e0dc2944cc6b4c9774b0cea79b4a5505cccb28

SHA256
dba0ed59c18af656503bf97428428a13edc18d47d1c3cd7c46e6bd01c62cd17a

SHA512
99eba6c966f750ef3fc2af5733f752628f4bed4f3545cd6501ec76b6b2f2dacaece0ac750d05dfddcc49524fa14f3cb643bc0b3f73068555c81d78b2912bfc0c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3cd7f5ea44ce5e0f81e592862f2c21d8

SHA1
4098521561a23c86eb1fdcc73c26d277e671e4e7

SHA256
cdbbe0a717b4e93ac0d03da17184e150294e7bbac9e7053b85490aa2601c27c8

SHA512
60a18fd1cc8879c5d6a7d18d8a69411e404799dfc82fc18f3858025c40690298e7065b47a3afd451d284fe443377262635ea36e5f96e0d069f75139cf405014e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1b8a9f8f83f332d90c9efdf6bc618640

SHA1
51021cb1d998e314fc5c554d409934e8234a2844

SHA256
4d38504fbfc0bb264d9b4f2dc8b2b2872738453d8712cb854b4fa976ca3baf4f

SHA512
61c6e7722a1ebcd9ff58ff58d71a18fc9ab63190a28d87aa967b8c0f051be727e9ab005d10d72b1132e2a2017049ba07c74fc6433bf6d0586e5823c38ff81cec

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7f7a2732693afa38fb922e7cd3bc4e3e

SHA1
4c7b849a1fbf18813f08b195f09667af8b571035

SHA256
f4e42184c6ecfa2923ab569d12af9795c5f38cbbce049571c545c5d2fbfe6e88

SHA512
5be47d96fd6811b6a6192f49d8e4614bb16da6467d15390ef6395033590cb6902168fd96eecd862ee3e30fc8482464ecf36e304cd8357703edb3885f6b8f543c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
af89bd1aca6ca62755a7a6aa3ae6c8d2

SHA1
9ee146ebb009bbf8e54b5f9917eb276b628f70e1

SHA256
f9cf783757f2d8a904589505c30665d80f440d2e0ec3d90e6cffc45d7580129d

SHA512
6e1cb3c2f4f91f28610ac519e152120cb2bd026261056fcdb847e66969d2fa45d2279c4414fc19dd2c8988b9595ef6ed9008c59f2501103de84e9ec641e30e35

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a5f7adaa242290d2f87634bfa843150e

SHA1
1ba818303a19f7edfe9b738179e738363dd33f0f

SHA256
0aa2569dce4d7d7636db306bd399c0f64f602fa67be11efb7265e4725a08e38d

SHA512
094e25f163a3293055670251399718b2975ca8535adcffdbacd3975eea8fdf469f513f20eba0809c45e29760d72707067354e2bf865b3f7f372725f317d2dc82

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
99cfc6ba49d80b3044a74436c5c3197d

SHA1
5b116f66e73b1263b03bf1c5833ced592f1a2e5c

SHA256
c00de8a1af3ddffd1ec0f86c5bf62dc99c2072a6b676272e59001caa9ea34c00

SHA512
b2f911597dee506c04365ef46a737419bba26c94bfc396de4ba420a77791657186cc7588054950f5368cb169e22ebdfd4a0336e3a23fc96ec0639c45dd1d5058

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4374b7661bc1971720c0b244a97e8e12

SHA1
c5ec31a61de3a8e6a678f5821666c73bb04d245a

SHA256
d15c1c0dba444f4e7de7ca95e7d0e99ae4730a824d6191f79a1d2747be95faae

SHA512
805be68dbac6758a670e9b804a4a88d7c3eb35780e65eb878894d4e547e4ac58f04d8271a08604b303f6670277e665b02d8afbbbe85945b6eb4cf7784600e60b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d7fba233d7e3da0e36b06a877d120b7c

SHA1
195cc75dbe5f107164b0b7b503236ab5eb2b64ea

SHA256
ff11be60ae38886ccc82c7d755f9862f0707b53d5dff3a1cfa07b5204fa386da

SHA512
f256241687c482dd58f7ca0a94d456835cea2c7bd79c11a07c2cdbe89349680063ae332427557c1804fb1116a9eaea340296ee1f8460053e2c1613c21b702add

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
53d934f4f40dddb3d709a017226dc1e8

SHA1
293274be3066069cd06a37a00987d0126f71e5bd

SHA256
8903781c35d41fb7b84438f5084481af24f403ef8516bf45151a0abcaf2023b4

SHA512
64b239f70a3ab275dc0d0bd7acdd3a52069ffe6ed1e110d9a21d1436ac203771610d639985543154e291e494b981d31af93321ab1bc0406c1933aac50f9985b0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1da944fb3c3527653ebb982583362e15

SHA1
eb63ea5fa7fd4fd29e9003fb843f50d612ce0f0e

SHA256
7fb3ea188efd058c2f1677a087256eada935dc85422688348f7b809047f48927

SHA512
9b42985b3b3a61b209a1d05d40ab2e03e5e70196eed3ae333bedc7bc119320f0e5a3f013a1a78a8f968a956ae89a42920ee1865009b8b7db4cc76cde5e33bdf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8c7917c53bd8646aad28b6111d5ee816

SHA1
0c8e8c11c251344892c937bf6f7657f4ed31a195

SHA256
f8293010783ce9e6ce5c69d743e6a38c2cd988ba88e1c69379b79a6e2c25be35

SHA512
1b01e6e73379d947760313ad8cf6ac23151f8e90358894a22e197aa63f9e5fb1261a6baac8e0ac9cd7fb44ef2086abe03a7a8d891884ea1f68ad9474cd0584d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a82495ca2a4af39f1cae7147e26279a0

SHA1
876dcdc3401c317ef5a5fb64aca4e9ded94b4670

SHA256
4ff32e7e4177cf8da0d121edee2d8506c42a79508f3b9ade04b05ff5384e9726

SHA512
5399f1b70a430af35e2ed1e3b31d1a2a8c3b27b3fc3b65a7c05c9d850c1679698b5881bfcba26d134c044fea6becebad08196d07407955bdc32b65a40efd8c9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
0699ad5e629169a81932eabaed27baae

SHA1
d5a8a4f2590a709418df1d3a17b7937f06f76cde

SHA256
4ddd9ca2bd43d47394861a78fd5153d4d56e30d4eebc0193601e3368b62932b5

SHA512
38082b2a3554a1b876396487fc435b7db4f00e0e99acb231fbe4c7a20bcfcc8008e632f2d98b446dbe6991822fa7be44d9a61e2ed06c93c76c19081bd2749f81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
1801a032c9f2f6bc399534347e82878b

SHA1
73f543357ef668597868cf6d3237a18a79ac24c0

SHA256
b72394d0c87a12880c43fb09a228086a347d3b03a267e7fb5adbce898cdf632b

SHA512
0d4737780eccfdbed169925b3535d26e16c4eca4fc41610947883a80db5099256a244003fb064ff7bee35e03218e999dbccc899c3bcfd51056d57a719f54131d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
69e581ce498291356960b279e98b0f61

SHA1
1b84b03e0fdaa3125cd0600b8b1535604209e9ea

SHA256
965cbf459c060daeb0270ac5a42ccfbcdd1bfaad1a7bb71ee7d94efb3d9adce2

SHA512
807be311efdb183b45663509f284241e4bfde3350c177ff76f08f85b488b95c61ab83275bd73287eed7e56b58e0c7e36ba573d33cc46c35d9352c5a25c06b08c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
767ac2e26d3be6a54bdec92533c2ee12

SHA1
4f4911e2204299fa89b785de54dbfc170e7e0d4b

SHA256
43ecc972730e56fd37e3c9c500f8eab1a9d3a24dd310175e01459e9e61c29632

SHA512
f8e44555a15edc751764befcfe8b75a824d27062e7951f2a454a84527ac8715222bdf24abb9b29a33fe9c985cfd5fb27cd2cf3d4d7326525c483938fc61ee3e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d512d4eada2bb45aeb6859e69f2f0070

SHA1
de276e8d3f2fd9745816b50018b3d1dd55b7d535

SHA256
7754450e02a4e7119045532a4ad8d49b1d5a0203f79a93eb5c9e6b0b5886981e

SHA512
ab6faa7b5f714ac06ad17b0f4825b4c17a3103ba637542b6f6631840db6b433dbd51864280248d9cff90b01b11d19e294d283ce15eb1d6ead0885e76e5df3eb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3b7df24c4448e027019dc838ebb518af

SHA1
21e4b14a681e5cccb17dd8e62dedf3afbed20aa2

SHA256
28d7d9cca6365280b3e5266814bfa6430f914b93d79bf049244828b0b5aebe2d

SHA512
3ba34e54667d54a32657a4d2e20567b4f5a83c7d6b61bf3515546d7a8754dca091c1bb16da9809e6bf03fb97214875de50d65ce1ad119b67cbe85a47ee1836b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
8705940c309d3ab09033c4a678f39f07

SHA1
299251b19a3838e181947f0579e781c02dc95fcf

SHA256
b634890269fd0e23035c7cc98c67327c0fae05f83972db870f94a0bd4ee0a81c

SHA512
cabbed993a031f2d5d205e50c636fd92c687325605c1ac5fb840536fd2a6ef56835465623e28482e6e80b42355f88fde971518e3f47e6a8de3f65e7a3999e333

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
54060cc50c743c34909481727fecc55d

SHA1
cd3b6e7f232549ecc812d9e46bcc47cc0ce9ac5a

SHA256
effee411483b8654ba29f6ef319b2a66c605607531cb81dc3ab5223736d8b43b

SHA512
c595f3bae8fa510c4a56d01874fe976ccbcf85def7c8cfe8249c35f056e9c145a71baf1f02b156152f6f08a727d5ed86780e9c2eead33a68fd1eac8d1644bed8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
481a8b86daae3d4ed361001062c5f310

SHA1
9af035768257d94cca820e2838518dd85d59a402

SHA256
f718f32073c49fa2029e49a322fadf328807a9507043f7d4f4732f1be5b81886

SHA512
ea0f373a2cb91c4f56bfa77ab19f854746be99e6a7599209ee5ca0da8d89fa88ee99d57072db544f7ed99d0e1e8616d43f99fe38348d161d90a29a2a28ccae4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
1052c30486964e7ae4fbbb2a2736385c

SHA1
f0b16f24b248e2931c79ced9a3de50f9862d4c31

SHA256
f4711b4ca1968fe0885641fa258546c6f7b02cd357e444cea48781b10f4ba0dc

SHA512
3a0613128c46b840d2d83e2e344b613b245a691545ee52023356f90a521190edb1dd065a4edbc6d5900f2405d7964e748778f450e2489256d195153300ac35bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
570515382a17933441633d8af0ca2f78

SHA1
06c04a739b600d849f31290921a0c95a61b3048d

SHA256
32e3cc8262804daba926529ff58026949a36ec0dc5f0a0cbc6a497acd84e1964

SHA512
5fd20a297fc019b1fe061a17b32639ff6370dae3bbf00978b02660995e8fc58fb4a0e875a1380a26a43778e3cc1ef882061e74d9da2d3bfec1f6c403169824dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b4031fda326b94a5c0950399639dbf22

SHA1
402acd9aa73766ded11c87753463ffa086ac4c22

SHA256
460581d965c8b884f61f2713d06335475133963d027eac32e41af982d3769d40

SHA512
5db49f96461df1e4d7a19705b09f998d32bb451096d1e5738f87c00b2102c234b88207ae15c183cba51d6f34e10bb097ee74839993da091d0c785a6b5b713be1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
1b85e6ea04ada27764841a1c2473e62c

SHA1
75ebb2dbf344d9f61142347aa9e16491a08aae8c

SHA256
356d9b307ecf88a688c82d77420747fc9559e8f1c7b20377f98cba9927c1e1b0

SHA512
aa4af7c7d55ffa289d8a569d72644f34b20dd5e7302bfc23740cd864e80c555218ed26ac976448e5d3d05b1122a458fd256b05349d78442ff95a5319b311ff1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
80615bde1f793c5c8d53ebd44703e62a

SHA1
e00c31fa8a47b4730ef19cd715795961750b8338

SHA256
a13a4670dce425a36ce8cd509d788440e79866d1688dcdf3efe33f19417be278

SHA512
1252caae95209ebd65ea11d18fe8f332bbb76e95d1354e56616de54a31989ae328937437d1dd438d118e7d0ff35b304242e7edb7a000c7c0115d8b46b5f46c0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
4f4104da2fc2667231d72143471d4c42

SHA1
2f51da9479ebb9b83610f621ff38daa30e998a5a

SHA256
7e0e89efb6db4807d018c075a5b03f6bba2a54b79c33dcf6a5fbf3c228e592c6

SHA512
250febd91b37896d42f10fb7037f2d638ccf1901c3a37129a5c2891c2efff8087eb8a0cda1608411608a9cca8a2fb904bc0e700caf4357f0cd93cb2690e52742

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
95a52422e84a2c2084694cc003861543

SHA1
f183e5d80b25843e91318b4e3881eab9b354a17b

SHA256
3853223990186e99ac46b193896193ad7638c8ac4ffb84f64379b0f4c9041e36

SHA512
8ceee532ed4692aaa257a72226d6128bc7bf9056696c9e44f0281edf16a31bde9ad4d6f13417a973730284f14487f84b05aebeae9b8cde9095a4db44e277da22

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
a272461a11fb12c1d9a763e676e4e3bb

SHA1
7c52d67d929e82256050cf49234a8f9d54e2cc06

SHA256
0cc08e873fdeba6b318034db6f0d77a7c0c8c07957278f7aa055be29cdb6fc16

SHA512
2fdf7383f22438f61f387eaca1a75246c653fd4ee286ac5e14ed51b0ca2fd164b661baac191b1b3f1dbdf953938d30ff47619549157d91abdf2c7e1345a5898c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
1405023865790d230d59da28a42d2a83

SHA1
b43fbf6b79f6112dfc983faaa73d6e5d613a5d97

SHA256
0093a36af9e2c57ad6da1788149c5a944d8f54744471784981a6a4dd6a7b3982

SHA512
993dab549b890c948fc091902e3e35f592dd9bfa6c906fc899812697bab7e3a6cafd77bb43aa7856c967645249f6eeabb2e3b769ed5382f64e4fdaf358e1534a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7a41b9a1b408a3e5ecfa17c1ce600180

SHA1
ed262e8079edda07577ea4e143fb9acfdc3bc90a

SHA256
8d194650cac2d454fb163783d0894434010d7fd0fbd71d5595cae4cae615835b

SHA512
2f56547c2c29b963fac06590ff0b76e6039ff8938b031f7f5a1bda215a6ac61377ee4c2385ffb038fcb9d70faea68dac1998f84a4ce83141d21e2278a4635c38

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7cce9a3f4e8017a8408e174aa0ff4b57

SHA1
4e8aca04e27a9de0799f504826b05a6585127dc2

SHA256
f79e50c428c05f1dd5afb31e3eb36b5e500eb82852f40c850d9ef3d7c836901d

SHA512
a0ae0a64f9695d5679c0eb9f64e8bbfba018fc387305f57ab735c8f4716e31c89950833ae55c2f433b017baae49d8e6e60e2eb14f005cbb498021f36154f1fbf

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e28392f1eb9d00fec5ee3f4d13a30d3c

SHA1
8417598ff30c709890d5a7405728a866de3aa41d

SHA256
a3c94592f5c9cb934aebe5472d47504c989fcec88f08a569da736a870476e6c8

SHA512
255c6dd19dd4adb6ca00608989c8e065a9ec354df37aa1b3ae9f312b41d0cbe03cc9fdb768fcba40bad014ef9c04f3ab057510daf356c9b083bae85ad8c9d455

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2b786b1a7c0ea37b5161019b06536099

SHA1
58b9942e0188cf206b997626c52c01ea930b7f25

SHA256
1684125b7cbb9d629006893a827243b60c19bb40ae21591f7228d865c2e054a1

SHA512
0fbb91eb5b09fd7a21e8b8c808a242453701b768e2d4352e4fcf173e58f23dc6806a8b3d56dc1bf84de89169761441091a139026837eb72a6daa522fd5238381

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e534dbeeaaea28dadc4767026103d46b

SHA1
d38b3dc5e340e97848959a03827975dd4986c78a

SHA256
f86d58b5219a03e6da54bd618e9bf4d71f35b18a2db3e158559ab7f75418d442

SHA512
098d3ac7957508ed84dea176bacbec43cdd69a553b2c5533e47c0c0f7beb12c4c0e1c4d1eb1b57647991d6f0b746ad99aa94c7c5d610cc4cf4722ffcfa7d5691

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
93cdc37b73142e9bdf907d6e8d1c6105

SHA1
ecd5893caf7abfecf03fd84941046d1015eca277

SHA256
992cd44945728a0fc4c4c9611d32471a18b6a41e06b6f8e5783c5430d77de65e

SHA512
db0382280049e92906b0f3dbc760e30c769cb5f82042745db0c115f2a33f9518f5d3f80aa1f2703aa717698786bdcd029ad41fb88970ae2c75b15af0bb89eab0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
36081cd1883dd6f392e32c49f4ab1994

SHA1
47b91761ab66795ade339a6c68f2ce24aebe1a68

SHA256
d4bb0ed68fb0c99ee795d1eb5a0bc7fdafe53d6cbceea24a4aa3865cf7f83bba

SHA512
36619b9208f79797b3ab6162d3d98bfde214c3c85fc639db2a9a25e3840ef6f342558b2ad463628b49c3064ab784cc3c67e5da9a4b3714f11a81abd9dc1edaf0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b328d503b62243e6dbfee2f0668c3469

SHA1
010f49cd663c681a440b2c4b015525f76faca620

SHA256
884b7d3c2692a602f5f28b2da6d8ca5e072d640b6d71365d623c988ec47e95c3

SHA512
b70ab2b919c306ef536d1ef759b54be6b3b09b99e28a0bd927175e3aba3c68c71c17ccdb60cdce55590b7029da8fe7755e771fefd06953f8cd9bcf0db235d964

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1af6b236f144edd22d97a09b824d78e6

SHA1
ba12beaec10b24ac6b7de8caed8f6aaf0101dd55

SHA256
6e9bd73134353d85a50d12d8273e05a2435029e2306766dcebd130445c9b6600

SHA512
23fe926874b583e9f5dd8da92e0d7483023ec36070c9a155837119796a2ab4c2a8838ea9532265029b72db077c708ccd8b528a31bcbf98d698b2ab2dcfcf39bc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
a0719e0a3f2657074be934274d1b8ea9

SHA1
1231f9bd9b1dad9102ab8c9dc1bb290105aa6e06

SHA256
6ded57e7ad7ca3c70cf23226b8cb1c60046125f8a71dfdbf70c939c2256cc9f3

SHA512
f388865f82b53c907467631bbc15d3f38387ea83ae8bcf1aa5ca9867f9c7b77de8e0727821efada4bda891854d5c46dade94d76a2cc80353ea7b83541d2f05ba

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
52191a210715ec2fa517c3de50929cac

SHA1
a038dbefd3ab1ca8fa480dbbca958063d21a7e11

SHA256
d2360332f2c74dfe4102248f493824c1b1b38a665d5531389f4cbe105a2dee54

SHA512
dec8c1b72a9af03f602fd470076e57616275a946dad0fda2708a7634bf4c8ece9fa2dcf084a977446e64783ecbce78c29751b18a7cf382530adee1fab39f1f88

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1b288bc444b58597f1cb20d36aa875dd

SHA1
5cd6489c84b5dd4d13070a00bba56aa4585d9d11

SHA256
be438033239f02e98d9afd41e97e1643cd83c13bb9ce7b898886c751e27aca7d

SHA512
f632fecbed1d8598d50d325b7fe42b8608e2bdcfa9e3d81365712a6d814bb0f807fc0574407323d0485725700d894090bf90bda6506400edbf51906219a814ac

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ff569de9ea15d67692fc6c0937a73be5

SHA1
8db5dced8bcb3d4536073a10eec1f287d5172b3c

SHA256
1d181242e8925a874218aaf2fd98e15cd7645e5d378a469a8adbf4a2d092d6c1

SHA512
eb72fd8cb94649dede6a55e3db0afe5d6008c4113afc3701b49432067038a9f42ee71ea64317a35ef66eb310f9244b6aba6ea92b8ebb42061ed062d9f0d3bedd

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ab2d830625e6b1613725e8c2d4f1ae6b

SHA1
c3854a01d57ea9d5fffa075e05c002ce36b4db89

SHA256
2c8054dfd88882b63d71353b280224792c4bd3f44b827065b8ad7052a0e510f2

SHA512
e25f30c054c9c4dc00f0513ba42b1f124606e1f8b415701e9fb6e823a93a9b3d24963f2639b821e2789f8e90cadf9f3fc94b15f3f5f144a8334fa5d5b3ded6ae

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bf871f1b8cc757b35e8c35c8e4d1f207

SHA1
6d8114ed15005cc73144994ce56ad7e4cd991e90

SHA256
c6611ce66020c459074a241f232d64ef8bb69246b33fbfc86646c87e48292314

SHA512
7a9c7f2bc775bb7564323695ef15687c3b6268fe2a81cfb0fcf16b32a2318dd050ff179412b1c48295243eddfe58edc73798272139da10d9a41d85da36daf9b2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7bf49d74dd7227a178e4da8cdce5d784

SHA1
9d4b22fb2b574104b546da478b718d184ae0fee0

SHA256
320e8fb3dbb3e4952be09579bf049f704b7971fb0abadce32725977c49b8ce40

SHA512
aa5c4b5276259dfcb3075cb87bb9a4bec8ca7ca482697284d92a12c689eb71cd9a00b1abb327a677d705800072b3db4794be2ef37285397730cd3c4651f51578

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2011ca97dc3f5caaf3d98ddb9428210d

SHA1
f60b9e4ab6f5713d3af1b4d0c303f2d0ecf3de1b

SHA256
228cdb9070a950b5f180c67139a2502bda8c9d75e22f00e0543dd6879772fa7c

SHA512
4703adfdb4e647692bed8cf30c188b4559453518fe147281a7825b3a2aac78a5db3132e136924cb99f2d0ea81eb4af5d58503c47eb57b1bd70d156e1d2e9aeb0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e48b20b229145e900fba21a635581cbb

SHA1
2818dfd6f9d4d0da479a7ed12421257f27f6cbc6

SHA256
a55f2a2dd56b87f14502025f5ea34feb68765b3f2201d21e2c14d1e6582fe3da

SHA512
81342ca63cc3bccb840e82cd2a253e27512b6808d7e862bf50b7f871fc54a569ce50daddf0d8d1208a75f6272bf774898b666bc3033111a8abf81440e037c505

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b32821bc9689d4df0dd7e6d05a60c6f1

SHA1
1f81ea983960ae68a16fd93ce58f42d9baffac31

SHA256
533fd4dfb1f6ac8d6ac20df8aaa28ecf268e465526128670090e76b5b4e11687

SHA512
60f3e3c808b4dfae869b8d8b236212fe09a639e88dd39b0bd34cf414166bcfc1cf5841596bb97ff083726cc4a92514b0f4246d150e1dae885d682119a6f8bc30

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
9af08480e5818f495734681e03563e86

SHA1
1f45a0fb9f6a171e751657f14e510f083a3e878d

SHA256
8ef5400e8b00430751efedb31543f8560ed34bb7e4b9427cbfa64490609b07ce

SHA512
54907f7984ae1e93c753ebbc8da08713d64f824d941810d7b021a039b5f13f55e4a6bcf2f59f40bbdd8e3394fc2aafb71e0888b795e247f31eabbad31fe001b6

Download Submit
memory/404-159-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/404-95-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/404-94-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/404-102-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/536-210-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/536-266-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/536-203-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1044-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1044-331-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1164-359-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1164-351-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1240-198-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1240-252-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1240-190-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1312-87-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1312-88-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1312-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1312-143-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1312-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1452-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1452-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1452-116-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/1452-113-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/1452-107-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/1480-235-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1480-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1480-292-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1560-185-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1560-176-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1560-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1660-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1660-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1660-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1660-201-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1924-335-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1924-275-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1924-269-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2200-337-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2200-344-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2400-287-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2400-357-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2400-348-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2400-282-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2424-294-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2424-301-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/2424-310-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/2424-308-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3008-248-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3008-242-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3008-307-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3220-364-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3220-371-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3240-225-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3240-160-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3240-161-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3240-169-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3372-121-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3372-189-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3372-127-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3372-120-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3460-279-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3460-222-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3460-213-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3604-542-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3604-7-0x00000000024B0000-0x0000000002517000-memory.dmp

Filesize
412KB

Download
memory/3604-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3604-132-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3604-1-0x00000000024B0000-0x0000000002517000-memory.dmp

Filesize
412KB

Download
memory/3604-6-0x00000000024B0000-0x0000000002517000-memory.dmp

Filesize
412KB

Download
memory/4060-157-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4060-144-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4060-146-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4060-151-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4060-154-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4172-322-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4172-255-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4172-262-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/4480-311-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4480-319-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/4480-675-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads