6a6b55c75afb5f6e356b51f39012286335b6309b0efb283c2dd0116e27709e72

Analysis

max time kernel
160s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 09:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
Size

24.3MB
MD5

504df0007f99f2b6c53d7169f70e920c
SHA1

9cb405ab2d219c24133396bf9e80339b45d721bc
SHA256

6a6b55c75afb5f6e356b51f39012286335b6309b0efb283c2dd0116e27709e72
SHA512

e994823f94e5b29fd2c2b83d2aed89b798f68e818b1cc590c2e96a846336aa4f519b51a4054a4653c8d9490ec1a045b4e8ddb0b1fb2406fcf95aded789966dd4
SSDEEP

196608:uP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018lLiJk0:uPboGX8a/jWWu3cI2D/cWcls1QLkk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1476	alg.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
2924	fxssvc.exe
1728	elevation_service.exe
3148	elevation_service.exe
3712	maintenanceservice.exe
4196	msdtc.exe
5088	OSE.EXE
2276	PerceptionSimulationService.exe
4980	perfhost.exe
4704	locator.exe
1572	SensorDataService.exe
5060	snmptrap.exe
3996	spectrum.exe
232	ssh-agent.exe
3316	TieringEngineService.exe
1716	AgentService.exe
3992	vds.exe
716	vssvc.exe
2764	wbengine.exe
1852	WmiApSrv.exe
3004	SearchIndexer.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1075c9eb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca3985b499cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a55f3da799cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4343cb399cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000697a7aa899cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1528	2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	2924	fxssvc.exe
Token: SeRestorePrivilege	3316	TieringEngineService.exe
Token: SeManageVolumePrivilege	3316	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1716	AgentService.exe
Token: SeBackupPrivilege	716	vssvc.exe
Token: SeRestorePrivilege	716	vssvc.exe
Token: SeAuditPrivilege	716	vssvc.exe
Token: SeBackupPrivilege	2764	wbengine.exe
Token: SeRestorePrivilege	2764	wbengine.exe
Token: SeSecurityPrivilege	2764	wbengine.exe
Token: 33	3004	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3004	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2984	3004	SearchIndexer.exe	123
PID 3004 wrote to memory of 2984	3004	SearchIndexer.exe	123
PID 3004 wrote to memory of 1788	3004	SearchIndexer.exe	124
PID 3004 wrote to memory of 1788	3004	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_504df0007f99f2b6c53d7169f70e920c_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1476

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4444

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1728

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:2192

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4196

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4704

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1572

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3996

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1516

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1852

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2984
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
864f49fe7bfebf1980595b8f539d8edd

SHA1
e39c8323b8ac1029681f6ae9084d924dccec2019

SHA256
63c2a55bc226598207bbdd8c665fdc05f9951054f2d0ca89aab79855a03f273e

SHA512
66c55507580bcd9d26d18267c0b6554bd74f8246fd82836464b9f60b395f44ab4cc9c173aaa3d1663624056479f6b3eef744b68b6be70c1937855ccc23a337eb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
0fae42283dc6b4150f5e480fc5fc058d

SHA1
c4ac86cc34470d1e8a8a841017307f822ba3601b

SHA256
40147999334d5d3b0fb42f3d0a9e29372e7124c3bf8498f0d4ccd70edc66b3c8

SHA512
044f04fe1a84f131733eed412728bb8541a2f6349a692f772471cda9b5a5a9cbbbcf0998da32a0fb2704a5e9847a05ae6d2f3f51c0a389f68019380e8e601b0b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
7ffd1a1d180002e5cf1cf5489b3f110b

SHA1
0600727a2f37b2041423b819866f07c96cbf5233

SHA256
d2db54b8fb8bbac1bc10775c51e81dfaecc257064299ed8f0dfa9af89403ac2c

SHA512
bf608101630547c520a0fde29c919ed4eb0a01407b615390ed54bc68e484a0ac9beb1e1d92bd9a20083c166798ed77a7977d99da59a9c4b7947790ac33497dc7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8ecaa2f5845d350a5b4c7ece4a9d4d0b

SHA1
e69da3836b12c722150fd29d467b0b5894d975c4

SHA256
024baa10a8813530c51afa00b6b37af0399c0315b21f236215808dc6b04b947a

SHA512
901a693b106715fd49e51d3d941fa3c66efc4af2ebc9042dcf31200ca88ed7912bba8dc6b91ecc17fd1e8d1aad4bd161049b2a5632daa665a68a10c578832249

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
9267ce771b0b0e718f987d15bb3c83e2

SHA1
05534b0b3e0e38843f20019456b1a73459d30829

SHA256
358b681f3f7f39f7157afeeb12b0cf2edf17f42927e4c8c022f4a9e5b0ff4292

SHA512
1764b4ad4a2365ea0aa0e3181ffc80411aa84e4d5e2b2e3968868f26b14fbd11ecd706228f64d2d8effa0651b1f58aa4e55647614b20c1e8c61c63cb95e1302d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7f3d9a7b9bc24429db9d3085d77b769f

SHA1
ff5e36d3d39e8601c766612eaa4aeea6018963ab

SHA256
224158dbde34293aec5db53b4905d44571e6f36e01fa4a9ee2bee391b54b614f

SHA512
a1f9aa425bb7fe152afc74ae3e93873eb07ab11895a4cd10aec106dd99672599012a652c9302649a3104094b919d5daf13be5491b81126d1888f139a3b365161

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
439e8f3fa402f0ded582ea7bfa0a1c27

SHA1
d076268a30908dab4cb62009268664fe5ccd27cb

SHA256
76c588a5daaa5698142153bfd29e1a9243b158f9eb19273171466d509ff294a1

SHA512
863e2d2192f5f7ea0733a0de649f6597e054b49144783f8875b590b43ae58caa18d7c1cdf4edfd70a63c33581bdfcbd0ff42f9b690e089ad33685c184443d006

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
97d2d149d3514bebbdba3703e99901ed

SHA1
cb85ae3b2cf4db34e67a7eeb6d2754540e77e588

SHA256
4ba4888b173c50e93ef9a078f32140596f041cb390eac56479a337ed7161f2eb

SHA512
d529ecf109a823e75740ca8f8a9f364284fe0db68351523261532d9c51c7a0d2bad968236aeeeb8a87364773b318b38a4e514adb22e8772c0c60886fbef8c3b3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
09609529dcec7e0fcd678ed00c80f74d

SHA1
2c9cedb02c1cb1cf4c3cddc8c17d49d0c70b4b58

SHA256
4c1a417cde59d1f612cd981813b00355be5e4a0046ac5a8cef66da6eb19d54a4

SHA512
39c0b6a791ec3cde176f2ddf70bfd0b8b834f7177eec923a506d16d0011c9c197a1df239cc000bfd174466f20655b688016234ae19177ea5b30bbb75b78b3716

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
65468a1575211b3302cc03fc911c9d85

SHA1
9ba03b705bdc73410ce3a3a6fa012cc1e4b2cf4a

SHA256
af552bf75debb419f6f73ef0523739991feedad022d2c032e2d77d9c7114b9b9

SHA512
6b3fac5fe3921bdb353170ad706d1692a86576dff0712548d1eddb8b3edc3c042c869332ab050d40db143154b5190ceca2ed65686dd6c61f5f58a36795be864b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
a37881d992cc312b47152156e5d07b13

SHA1
b8bb22cebef87dd4f3a629e23a5c0f3d180a55f8

SHA256
77a29705efa35c4ade18da66c92ac82e5cf05f4ed782fbf09171c4c1b3cbcaf2

SHA512
d50cb6a4a393299d73768b35a155f2cb74b5b08980f3476d80cd883a892d516075b23d4306fd19d4539fd06fbfd1e24e6f90b36028139ef4090397d2030edafd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7e07f2102522c689a218aa2302eb2477

SHA1
685aa448e632e5672105c78802ee6f7a6a01db97

SHA256
e76e9a764129dc0dd60fbc76e84f7f95acedafe9e1392ada567b422b8ca2f8ed

SHA512
1295e0be56a8450750421561365b67c65dbf6a6cc401ff2419a86f3d98f02237c3017d28f20d4b30eac2f222f8df10c592b5f2f450a227e38c032718d5a97ca9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3f8e0172978740a914f0085fe53aa077

SHA1
9fd8a622a1e3eab236d834d3c5b5e628338790b3

SHA256
74a2529765b3cb7db711da3e1956bfb196a9cc856b17a3e18d088c5e2f824347

SHA512
ff041d26014f14f166a0fc8c7f4f076f74cde9df71ff5dd7af04b037a4dfc10fe74538b50e0c1b8bf21eb618bff1857c939ce11be88c9e92af4e18e1c01edb55

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4d6a7a683227c9497c0a3b909a7d9045

SHA1
e1482129f1b905aac637aca091d9b74f1d41eca1

SHA256
ba54a8ce312e3f49add81f1e2fa18e33bbb869b7c377e6874f523e49bbd9cbaa

SHA512
2144ee94ba03002c15dddfc206f84f821488718a5069403e8b87026fbf18e3204b257b6ac312bdc295bc88abf7f6422c1a08ff9b6939c076a49db53d7649d536

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
182d0acfade87c2a1dcc2eb885aacde3

SHA1
2720907773d1e0353cf809d34ef22b8053e73848

SHA256
651fcbee2cb5c4779508d501b68a6c7a6ac0cc5fbffda2b74a5e35159b58adc5

SHA512
5b03f34607057bba09d96c5752b12a916f1bcde74e351f0d0ce669b9590ca856289ee61aae0a7a451cb41bc27bcdff6cd48f26d5f4b90ae22351529ead8258d9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
476ed9dac84e3bbfd1f5d0457ee4c936

SHA1
7243648e13a5352d5bd96f4d5f6d73d94ee69e86

SHA256
6eac76eac2206bca55164d9fa3e92359708823829bef90fe21de6329419525c4

SHA512
58dcc4c88a0e4be63ffc4fb57217b4cc7778c3c98b793266e028a832362f476070f359a4f7eba5f09503b2a9d9f0b7eb5c425076b9cae10ea9e0f337858a6cf9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
fcd81fa13f08e44d53a4d5109ec34b55

SHA1
5ed422bc961532ee5eaf0b58d048a832aa45126f

SHA256
b35040df596eb5b0db6f7b2354ef9cc62ed0efb7a62e063871365732dc43920e

SHA512
fcc6a3766e49ec4e7c9cf2220cec4d2c1ee53e317994fa9a7d578eb84bd15a7946fdacd56a333a0dc2f32ffbb453d1efbf2c4c9fa5d32045250a5be5e8a71849

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
11a40940f6a82eb536438899313f5d07

SHA1
f6c8cbd9794be5cfa86661c486ddade14f7d7583

SHA256
9a53772c66b0b85fbedf3a319926b3147882db100b6c28094283b067929ad001

SHA512
e480257893cbcc4124f460e1bf897e5ce24fbddf5cb265367d9d6492ef3a4045f4244c97a1c2f758560c7eba415910c4aa0496356d306e159ee529e312cbc6c8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
b640a20c275070d6e562ddfac516fa6c

SHA1
0faed0ff6ece443ae279d93f51a2f07855a96354

SHA256
8d966dadad6594ffaacd1eecea26c4436468a5d254558cd74a658ebd3940d276

SHA512
48a6e634c50a500e40f4c59783814ff2ed40c90b40bbd82ddadfa432c250b8dc0a425b0c9e6cf71682d238e7efb70dc023d69e17679770d63b55e712ff880038

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
47dc0389dd37f877d90d59de5d4c11d6

SHA1
9b0c043d2c5baaddeb461f1c4b1508c92fc6f24f

SHA256
8837fe0d6eb42724d12b8e07efa8fa5d43ff96013a4070a19a69c47e13790f1c

SHA512
20bba20cd72c8f75d8bd1b45a3bc1ca0b208b6d0b17413d9a382cc70e141839e29cf274ff8cbb6be0b60c27c0acedcc9339c99da9a8e3d1db3de16586a8405c9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
9cff075c8ebeb2c4b8693a2f15719ed6

SHA1
16f5bdb3a77ea4fa034ca4cb17669c211645bf4d

SHA256
ff46074dbbb2e8219ddfdeed08ce08ccd5aec385cdb91cc680f19073fe2987be

SHA512
6eda7a6db58bdd04d5e76f6781fcf67977b3b7ffea1ca27a77082135175487805b74a03c8d01450e715e7fab8f591625fcbb618205d87cc5e333405e1ba88e94

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a1cd3bcc7e08c0aa3e4caa03a982c1d4

SHA1
1f917480714daa7a79e31f7309c77fd625e2640d

SHA256
1b5a5ad3884598307b9f202a17cfc6d039c660e206fbeb5b6205387de7ca3847

SHA512
a805c20369986139c89a8aecee8549258b4d0f1c7f433c5df85f6274a8b0587194d1ac2337d2e58c030230b36d0e044def3f5cb718448f4356b28bc47158faba

Download Submit
memory/232-178-0x0000000140000000-0x000000014027F000-memory.dmp

Filesize
2.5MB

Download
memory/232-315-0x0000000140000000-0x000000014027F000-memory.dmp

Filesize
2.5MB

Download
memory/716-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/716-342-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1476-89-0x0000000140000000-0x0000000140227000-memory.dmp

Filesize
2.2MB

Download
memory/1476-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1476-12-0x0000000140000000-0x0000000140227000-memory.dmp

Filesize
2.2MB

Download
memory/1476-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1528-22-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1528-0-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1528-7-0x00000000025C0000-0x0000000002627000-memory.dmp

Filesize
412KB

Download
memory/1528-6-0x00000000025C0000-0x0000000002627000-memory.dmp

Filesize
412KB

Download
memory/1528-1-0x00000000025C0000-0x0000000002627000-memory.dmp

Filesize
412KB

Download
memory/1572-250-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1572-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1600-34-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1600-26-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1600-32-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1716-200-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1716-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1728-126-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1728-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1728-52-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1728-58-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1852-254-0x0000000140000000-0x0000000140243000-memory.dmp

Filesize
2.3MB

Download
memory/1852-358-0x0000000140000000-0x0000000140243000-memory.dmp

Filesize
2.3MB

Download
memory/2276-226-0x0000000140000000-0x0000000140228000-memory.dmp

Filesize
2.2MB

Download
memory/2276-115-0x0000000140000000-0x0000000140228000-memory.dmp

Filesize
2.2MB

Download
memory/2764-347-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2764-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2924-46-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/2924-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2924-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2924-44-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/2924-38-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3004-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3004-377-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3148-68-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3148-70-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3148-62-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3148-130-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3316-189-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/3316-321-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/3712-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3712-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3712-85-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/3712-81-0x0000000140000000-0x0000000140247000-memory.dmp

Filesize
2.3MB

Download
memory/3712-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3992-215-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3992-333-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3996-313-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3996-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4196-165-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/4196-88-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/4196-90-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4704-253-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4704-131-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4980-246-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/4980-127-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/5060-266-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/5060-154-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/5088-214-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/5088-109-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads