81ef05dde420e96b8e8a36f34fbce389a7a4610bd485c14b364c37d3b77bb2cb

Analysis

max time kernel
26s
max time network
29s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 11:38

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-22T11:39:44Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_31-dirty.qcow2\"}"

Report Analysis Logs

General

Target

2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
Size

24.3MB
MD5

50ee55fc28e486eb976689c4c14472b4
SHA1

f8693361decbf337cf9b162277d071ca2a654b82
SHA256

81ef05dde420e96b8e8a36f34fbce389a7a4610bd485c14b364c37d3b77bb2cb
SHA512

c6f52a4872f37cc3f7208b10b9107af06d4b11f08c23f7ad3e35c701a6170d10a195324e564157caa6c58450b5a0ab8f6278605edf7967cc0fbd5a5276aad20c
SSDEEP

196608:hP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018oZ:hPboGX8a/jWWu3cI2D/cWcls1B

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
940	alg.exe
4100	DiagnosticsHub.StandardCollector.Service.exe
1388	fxssvc.exe
4040	elevation_service.exe
512	elevation_service.exe
1760	maintenanceservice.exe
4044	msdtc.exe
2888	OSE.EXE
2440	PerceptionSimulationService.exe
4732	perfhost.exe
3604	locator.exe
1596	SensorDataService.exe
4508	snmptrap.exe
2856	spectrum.exe
2900	ssh-agent.exe
4272	TieringEngineService.exe
4428	AgentService.exe
2040	vds.exe
3760	vssvc.exe
2388	wbengine.exe
2120	WmiApSrv.exe
3788	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8b9eb887fc7bedf8.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000698ce7b8a994da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6510bb9a994da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6510bb9a994da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7c7e2b8a994da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba621eb9a994da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edee08b9a994da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2992	2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	1388	fxssvc.exe
Token: SeRestorePrivilege	4272	TieringEngineService.exe
Token: SeManageVolumePrivilege	4272	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4428	AgentService.exe
Token: SeBackupPrivilege	3760	vssvc.exe
Token: SeRestorePrivilege	3760	vssvc.exe
Token: SeAuditPrivilege	3760	vssvc.exe
Token: SeBackupPrivilege	2388	wbengine.exe
Token: SeRestorePrivilege	2388	wbengine.exe
Token: SeSecurityPrivilege	2388	wbengine.exe
Token: 33	3788	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3788	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 5236	3788	SearchIndexer.exe	128
PID 3788 wrote to memory of 5236	3788	SearchIndexer.exe	128
PID 3788 wrote to memory of 5260	3788	SearchIndexer.exe	129
PID 3788 wrote to memory of 5260	3788	SearchIndexer.exe	129

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_50ee55fc28e486eb976689c4c14472b4_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:940

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4624

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:512

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4044

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2888

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3604

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1596

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4508

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2856

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4584

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5236
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1310c5b27289a06903fb28a32796c98f

SHA1
43ad1eda211e9cf927636f02d407bd580512df4e

SHA256
6131b745b560c5ab3a669af4d80f26ac46f9334d1c12bed4f25be560c33502de

SHA512
bf29862cebc6c0e94bd49b1720291163af539d8c08532967a6ddf4664a606aafb93aec9ee4eae7506759c9b84f186361f65c194a4f28d4d327805b5aabc7f199

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
25810ad1aaab1218e924d9744132c806

SHA1
f9f7076506185c44631f9075e97e2e441b772821

SHA256
873cb03b69f58979a5031fd38e3b88ce4f74f5c6098d621f6e83d323c3c2e01a

SHA512
73ff5be19c5887dacd2fe3687f3b871fd46844ac13182ced0d1504246b8f6821ae5851cbf192a00932be3936d8da539026be88fa992ee9b79b0fd235e532de7f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
bb3f97420c5345e3e03f6cd05c896d2b

SHA1
4614dd24fee915afd2521cc5bf9143306736bc4a

SHA256
0f89978807aad6c73ddc6def888517c8c617cbd6cbf5960e27dbb9f2b45afc81

SHA512
ea533e9c8d1838b15586e699219bc5b788f9cf67c8d5fd3c1cd011e5d5343b9db57b64d6cc34d3ba542aaf63448ad91e75420fc0dec7a09be17cff930338265f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
cd7ec55e22947ea79fa3ffd1f0f94ffb

SHA1
80aedcf775db26160881a7ee011298dd0fc40599

SHA256
1fc6b1fc9c2bffee704957ded634a5b590d291d97c10937da7dfc4d2f0077bbc

SHA512
23c098ee6560724980d290dd02f52fdbdfb3640f2390102f4d9339faa1cc8ad0c6b95b71ae93a4284cd4eb217b81a25a83b2df4b3df8a1268e47701c0cd53886

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
ffd024abf289037e5471cde4e9b97a61

SHA1
0dace52edb5fd256c2bfea9f8eeb0914ad029119

SHA256
f61b3c18b6272607847bdfb2ae704f29a1f1d356c6f5c764e017bb4c4f9003c3

SHA512
00cb5f8d8fd444485b5e608311e55f205c9c4ff5c4b47774fb0815d9fbefced7a0ccd1865c82c353e6c8359b8679ce0de99b17c0978dbbcc52be98b373e4b0de

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
de040c4a0efc84615f92692516503227

SHA1
f8a720bb1284fed485b124c97f712940eefd38f2

SHA256
f7599360ef34c52e2cf1e3e0afc7029943f101bd78c5b7b770271ec979e93cd5

SHA512
1d0a85b1332a5b5834befc7bb981aba1857045ebe9298a379ded3a091030315a37b8e76eba2df67582df6ec26848f6fe808015208c857730c7c98a38bf57bf57

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
575c022e2694dcbe41d9320dd64f7140

SHA1
8100e871b97fa23fefebf94689466ecab09d525f

SHA256
161b59f8b094718d485fe5a74a7e91a49c472f8023b1cd20416cde06da23291e

SHA512
1b3dfc9950f39c979d3c997dd58dfc6b26931570c2c13b8dc38539ac0e1fd5e4c43baae1e4cbb2533c3345aaa7acbad9f14955fbc38413cd0f16438ff213441d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
29ef0096832bc8fea7f47e5ab053e467

SHA1
d8eab7953fff820f413cf8a11bf0f30e7b48c556

SHA256
eba3864b5c8040e4766717a1fa799446970a13b318e6b5e60a0fab4fdfadca5f

SHA512
19dd6bd3c236da3aa2663bd7e6294dfa977c11052f058019d8def6621a8d4844c116e3771c9caa153457bb1cec53673c9d66d71f5c9392b88107e77f78022a6a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
29f75b1e882ddcd788f3241620e53388

SHA1
89fd5e0665dc4a14f0c3c37a802a10e6cd5475ed

SHA256
49d5e5ce6035c262896841b9c752b39bc04e2e98509e6f9df832c8e472c2261d

SHA512
532b8908252da9ec45d0feb30cc43d16f776d1a6185f3504538047103fd2be3537bf1b7589efb0819473159ac46cfd0e545c572ad82990ebddb6b1166702985f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
b761f9494479417e61a1fea66b7ffa07

SHA1
9df82659ed33f8df4a82c6c035b629d01430dfa4

SHA256
77d6b0d0c6626c32bbc37cd3ceea2c83aa449d541861efa8d9aa450b104bd1ce

SHA512
5bdfd4dabf3dbb7338aa897fd645f28be1b8ee3b7f60a01cdc4de51ed86b1fbdec5a589993dbf8cd7b91ce5c9285cb5ede201fe9e83fbc21fe6ea9459803d9f7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
8a6dba8b9a378b92f4d2767f29917da9

SHA1
b8f356f8daffbfbcc3cc84679beac196b221c23f

SHA256
bfda233ba5e274a678b0ae180574e827211a7541ba1075da76d2d5e08c40bcd8

SHA512
d61ac7c53228bc20e704410098e9c2a679e47ab5874ce28f2ba7643d6a1f05a0b1d58bfaaed01673214630f6aa5b8302bc86405d640344be768fdc139efd21c3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7aceb25abe619f8a43777817149ca161

SHA1
4944222542142e0ac8e655eb4c781cb6e8c7c132

SHA256
10aab336bcf78308ab774e38d020d0f8ed7131bd94bd6203377f9d0fef5204d5

SHA512
c40051e433c64ee39f9910c39fd6c0b77e4dbc63882634b855d751e79564e0b86e27ef7c84ff6587ed52c13418f2e184881be160809a3d0ca9eaf81518752ce7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fce4c3ebb03940314b22c5c00b9fcb73

SHA1
a5b4cf7f5054e0f1adcd9923ebb9cb0c01ed4ff8

SHA256
347273904c34db15b5e23c28ecf46cff86ec25994447a0699b8d6d44c631c1a1

SHA512
fe42b4c6297bda11e435a49f6ab49c09ab61504b01ceebfe93c9d4d37065b2cb75a8e7f98f39678a9fe7c2945143ced421e7ca629e6cdc392ec9a39674dc95b6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9e1e0ffaddc61fa0f542eeddb4e7d600

SHA1
ba664f7c23dca0e97a7dc9aa067820a66e1be558

SHA256
c4cb5f67113190c9b8544f8fac9cb6b7a83093fefaf7408d78d1c4f5da836e48

SHA512
add9a939f576b4728046eb20bc48320ea88360134ae2499d641b641bb731b9c0089b717ec1d8ee72f8d7408e0c71d2ef1c8c64514c5112239902b707986f9e8e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
7cfbbad75e2346188b4ad1b9ec0623a3

SHA1
374076020148e282a3b8a7c45d657ccef93d37e7

SHA256
28da3e76ae66cf875c5d46f168d3942f81975a1a8a18bb2f3404b9aa678208e3

SHA512
76c3af2cf3de68ffa93e35d765cd4493462902399e2b635187392fe8ab0d51a2d7ff83e7ba4c9b92b3dc037607e16694fa1a0a57f0775747d3b92b8870bc5622

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f0bef2cc425de22dbf2fc429e937d028

SHA1
a4862ed357e13bab4c162e5c8004648b088b9416

SHA256
32cb2fe569de0ee681a3b0c98dd7bf21f4f86c20678f836464c698c131746aa5

SHA512
2933c11e07d5eb82478337a8866425614f70d8a96dbd782f6d586b59bc7d08febabafd0b136b3bce29177c99b2589160a98dee7b856c289977283e5d932308c9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
17254bffff0f8f09a8a7b7c2c8f0b55f

SHA1
44328f0b81888129e4a4cc7b62d3144e7d750ac9

SHA256
14f21e74eafcc6d754bbdede42e2f306264aaf4ad9c4fbfe57c6fbd1876474b9

SHA512
69b31f33db8a45a3685ec5041ec55ea2e4017fde500a9609e41c9f59d8ab02a0ca7d0d451dfbd8243cc0c137eed5a9ca728aa902eac3fbfa3e1109031b553209

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
9bf788b8bab7636061d8a2fa8b8ab301

SHA1
811643440e51058b9f9c2ee7c6df7ded2ecbdf02

SHA256
8342b8f864c2352622534e1b8011a257f279a9625ac8bd9d0e28082f5ec744c4

SHA512
569ef9d4c1607b5bef7285508ea6e33d9f882e33566109392642b92da3cccb15bcf0cc4960727ce60399a09befbf86b5f70d2a6f569ec6ae3ecfcb68eacf9a63

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
40fbca7b9815972166761c3970ecbba4

SHA1
c93a38670c3562737886bcee668b161b272baa8d

SHA256
592271b090efebaf3687e0690ef73d98b7991efe2beb827edfed222fb6a39052

SHA512
4174d529c0de3e97943eaa61c2d1e60180f6663b1cc6022120b897f016a4e33fca416cc2082235cd6befb9ed358fff14efadf4a9c5e699138c55860d7b825d31

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e7a1b58cc344db3767080e1eff0eb179

SHA1
9bc078aca6af37405a15cfa3ae247fd07fb71195

SHA256
03f742f7c62eed0b1d0e83898254e59c9bdd834fe2e31a7e10a4e2422d71c4de

SHA512
1f79c2db7c93d1a4169aea079a8ab833c1e52db5893a61beab05eb68b2f4feceec09150009166a8b04ca3fb6b1a22976ca88192b733f6c45513df5817ed55562

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
3273d4b6b5dca4757724b9a836b0ab03

SHA1
734b4520d1737ec844e739ed11d36044e8c1930e

SHA256
0e9f880bd682c721509953823af3fd17c37217cfb8e7f276e47a974dae4ef497

SHA512
7c2f806f8ac40d7cc45de07987124084cc35e4d3819cdf2321c4463f3961dd11049dd4d75f350f22a99811fcf8d1aa1bac1e6b23057212c14fb89a9302e7ae88

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b4f8c81c76442772c9c66d6efb9f780b

SHA1
6eaf44da95d6ecdc869417cb4d9a47cb6b4fc55a

SHA256
c3d658c00ab4ca5c600781ce80e2861e994f1a98baf9f8ca0a8f1a6a5cdd9b42

SHA512
ca41cc4dec45cfe4761124566e3f8409a99d969463043e4c6a78721afeb7b9ff00522e3983989f5ec536efcb934aa7059246f0ad34240bd7af308afc85461680

Download Submit
memory/512-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/512-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/512-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/512-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/940-75-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/940-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/940-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/940-13-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/1388-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1388-47-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1388-44-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1388-37-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1388-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1596-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1596-468-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1596-159-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1596-467-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1596-215-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1760-89-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1760-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1760-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1760-77-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1760-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2040-399-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2040-235-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2040-242-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/2120-273-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/2120-281-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2388-497-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2388-267-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/2388-260-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2440-130-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2440-184-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2440-122-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2856-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2856-245-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2856-186-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2888-172-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/2888-116-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2888-108-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/2900-258-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2900-190-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2900-199-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2992-66-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2992-0-0x00000000021D0000-0x0000000002237000-memory.dmp

Filesize
412KB

Download
memory/2992-7-0x00000000021D0000-0x0000000002237000-memory.dmp

Filesize
412KB

Download
memory/2992-3-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3604-139-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/3604-146-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3604-203-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/3760-491-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3760-254-0x0000000000640000-0x00000000006A0000-memory.dmp

Filesize
384KB

Download
memory/3760-248-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3788-286-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3788-293-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4040-51-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4040-58-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4040-120-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4040-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4044-92-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4044-158-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/4044-94-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/4044-101-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4100-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4100-26-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4100-91-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4100-32-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4272-271-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/4272-211-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/4272-205-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/4428-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4428-230-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4428-229-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4428-224-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4508-233-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4508-163-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4508-174-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4732-135-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads