dd43c34dc8b0cf65c6c7fa8f4439103151c7e5947bf4116b45c59654bb633c6a

Analysis

max time kernel
10s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
Size

1.8MB
MD5

f880384e51de2dd96924d8e87a016ec9
SHA1

70f5d2ef1d072f573a83cea62093ba205db4c96c
SHA256

dd43c34dc8b0cf65c6c7fa8f4439103151c7e5947bf4116b45c59654bb633c6a
SHA512

6fbf3ce94a5f1db98e69a3a73ce7886d84d5008deb9bd80fc6a9a52a0985ff9ce62bfb68ed00cd2a27826a1611d424edc131c8dbfbfe969a4f6b8341f2ecd5ee
SSDEEP

49152:gE19+ApwXk1QE1RzsEQPaxHNWRw/3FPfUNDZ4:l93wXmoK+afFPfUNF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2092	alg.exe
3716	DiagnosticsHub.StandardCollector.Service.exe
3644	fxssvc.exe
4220	elevation_service.exe
4140	elevation_service.exe
4928	maintenanceservice.exe
5036	msdtc.exe
3604	OSE.EXE
1608	PerceptionSimulationService.exe
5004	perfhost.exe
3388	locator.exe
3184	SensorDataService.exe
4116	snmptrap.exe
3368	spectrum.exe
4088	ssh-agent.exe
4716	TieringEngineService.exe
1000	AgentService.exe
4260	vds.exe
4676	vssvc.exe
3988	wbengine.exe
2468	WmiApSrv.exe
1548	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ecae4bd84a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbdfd36fb9a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000797f7771b9a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4db3070b9a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000284e4371b9a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4104	2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
Token: SeAuditPrivilege	3644	fxssvc.exe
Token: SeRestorePrivilege	4716	TieringEngineService.exe
Token: SeManageVolumePrivilege	4716	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1000	AgentService.exe
Token: SeBackupPrivilege	4676	vssvc.exe
Token: SeRestorePrivilege	4676	vssvc.exe
Token: SeAuditPrivilege	4676	vssvc.exe
Token: SeBackupPrivilege	3988	wbengine.exe
Token: SeRestorePrivilege	3988	wbengine.exe
Token: SeSecurityPrivilege	3988	wbengine.exe
Token: 33	1548	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1548	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 3160	1548	SearchIndexer.exe	112
PID 1548 wrote to memory of 3160	1548	SearchIndexer.exe	112
PID 1548 wrote to memory of 2988	1548	SearchIndexer.exe	113
PID 1548 wrote to memory of 2988	1548	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_f880384e51de2dd96924d8e87a016ec9_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2092

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1964

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4220

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4140

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4928

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5036

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3604

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5004

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3388

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3184

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3368

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3636

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2468

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3160
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
3ed1c78bf1b1c53c9e94efc58a621721

SHA1
87561d15452d9a0bec178a33705e88ba54e04571

SHA256
699ca1546d895808aa09e75d51ca8f523be65d7a6faedae91f6d8be73d1ae706

SHA512
d26db004681c660a2172b70bfa36936bc74120d4a1515bcba6bc6a525c6ac350a0e91d5722dd50187f625bfb5d04cdee528f0a2580192891bb4654053396e69c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
3f1467e03670b2278a8b32743cfd0ec3

SHA1
9193fc98606e79529bb577780b1f87d056d34aff

SHA256
3fa49d867ba2c6b3d2b0c0666895f18104da306dc2d2d40e84202041a6aa761a

SHA512
e588831931c1f3e5cba067d4892b6c95505a61985da1fe98b85b41e7235a1ba54183adf37a999cb2271f1dded55b4d6e87a683c8dfeab56d6bf3e377c8dd8b2a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b28a0e2c97ae3941320b7e9cc1eb5d52

SHA1
1f62749fe39c2798dc9cfe54b60acfa676a315c5

SHA256
0ce52b1887a73eade9eb0ca916b449e12be9a836a0047e6e50d33e9656a40fbd

SHA512
f5278b02fa33f75a8ad0bb363298425086dc41b4f22ffe64385cd34960844bc22c4c54383406a410b627838782fbf37d8aee13ba149645fccbbcb1e664162822

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2c484e3542ee089aef10cb5d8c240ea9

SHA1
c72c7f665c3c937dde53174d4b23c6be0ec47163

SHA256
effb1e7eb31befece7b0c4962728132975329bf66b5e3d66464973b1fdf6331c

SHA512
522fdd5ecefb02a7d89c629e931562264d8ee0a08f3ab7e92c382775685b4b77ca98f913ce346bfcf3ec3156b0c3ef56aedbdc3f545143679aeff264a1c65121

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bd5e438cc3cd7f25a2995fff3e8c7e85

SHA1
04d399464adf739a1ea071b627190e2de22ed007

SHA256
6e5ab9c4afc2cfc4acd5678fc8638f29727dbc945b15d646fe15ef0cd6ee54f2

SHA512
aa403858bd8593a4f3d0036ca970b16647f4d57cad4149a13ae8a78e2f72bde4924c7b83f3aaa73b8e75eb46582689e984c8e65a74b792b936d278ee1bbd91db

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3cbd277c82180db71c08fe94db7e7166

SHA1
bc900bf8930d9af4e369bb3d3c480edec178b03c

SHA256
b0016d63adcfa71b4719ce279f2612585a54784d08b8bf3534c82bee9f05191d

SHA512
f0386220f2048b8452da83894e9bb242f42ac28d587997940717244f06635886849c2b18a8eb4df54af6f940de5b1e4a6a75d9bff1c51040e00e694cc90684eb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
09b12d2ce5213d2d1f8cca17696b921f

SHA1
5731adff67af8ddb01ef5da99f85bc9e7940c522

SHA256
81e82ddc0dd5cc4524ed26687fbb42c159a0c88208a9d099a4f05c754316aa7a

SHA512
6311c0daaca520f0fdf2031958c7311d9ebaade419b341b1dbe0cdf08d962bba7c2aedb83c66efc145262a0776319964cee231771352dd221500f4042f815391

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
98166ab864fdff11e09bc90c582f1922

SHA1
d28b7c40b7409d2e79caac048476180f08721a4a

SHA256
036c620bd6bcf896651868379f640b42735d421f82df564c1daf05b0fc73317a

SHA512
e5b08c8f5a25cad4e32258b1e64d06401182f67de13920d0153237da36c69c37170d886d8ab5ceb1a7384e1e28cd29bede11787ef3566f67135447240380d4f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f03b6ecf259c5e23ecf704586c223c5a

SHA1
be064afda424e11c92ee82ef48208b37aa2c8a1b

SHA256
5b06114078a45260c26d7ec8585f7d9cf7c1d7861f57486ffffa6bc757d55f4e

SHA512
78a092f0b3ab076b44b502c3d469c85ea2b9cba1d939571a1c9a7837f9942c5894e918bd8d07f60b05a5133b47a35a778f556faba6f1d4d09fc2a56b23d07000

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f87577e14a2a370ad8c9e0025d32bfc5

SHA1
e73df5ccd1dc20966a4b0856fdbc9e3a1571c43d

SHA256
ea3934add600195be21fc0f6398631113ecf1eb56146c6d43ad7435fade3a0c9

SHA512
eebdceea4ca876417bfa6e55b5de80b262a24aed835a9af7e2e2880205db33089b4a7aebe2cf842220a32652e7a6366e3aace1986ec021bcfd04f017f9c35bb3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5f54bdbaadf780a747c7bbab40862d18

SHA1
b75a914781993bf37225f79781203baa98a6669e

SHA256
883d32a24e5c686e80c072da960a5cc00378dfb3d349f605de7b44231fa73efd

SHA512
956a542d30f0a8107d04893be23323a422fdfd8f0ed75bfb2bc4ef08cc09f41e822c058e6f29cd399fc94c6328d00b8630dc6c9dd7bab72c6012f4083cd52b81

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4aad2d67523f6d20351075f16f8e9bda

SHA1
fcdbca81986a149dbf21d4e091dec2a8b0510cde

SHA256
64d6a2b79fad04be137e1d535b2464174f80c24dc576d6cff7a596fcd485f7cb

SHA512
b970ff1514f0943f5b0204f8dbae2ebb6b5f10acc783852c0981bfcf66a70df3c65720264621796c094b0623c048c54e3be0a97e4ed2019f73e8d9fc985f77b0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6eb6ee8560aa75599f68b6cbcb3f3b23

SHA1
e657d800804314f605c1975a0566990b3dedd037

SHA256
f0a7ec7d5496a8d12ccb7148f8470acb4e0f0a8fa3cec33adca647df559779e8

SHA512
ed636e254959cff24af398749ce4048ef1a3c3a2be4d06ff26d11474ca58c6868d29bd3bf12553bf24166d12a620061887234a4e9e00ab9861de68db23a8669b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
abfd93b36e7c4f4241fa39b3aca8194e

SHA1
08d6981b059fe4b679e070c765e198cb5dab5e5f

SHA256
9540fc03bb2070e9fdc6f234221edf5d1d568dd8a45eb57c245be2e081f5ef66

SHA512
b48bb6784923afd3db1c9ebaa2df0b16436443b0c5d225c9b119b14710497b966f570b1123731bdfafeceba48ea0c253b34389165a9ee6d4c9213a397027c2fd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6e004962d637dfd1989f4a19d70b40a4

SHA1
0814682b2429bfd85263daafdede537cdf861aaf

SHA256
a3bc5730d92349f9bb2334f22273c0d6201f19d1192af3f73c2395b82c4ff1a2

SHA512
9a0a5b5c2b8680df03fb5e49f25f85219f5baad28e5c0d95d451231ddd35ded412c4274ae6440115367e9f17d3108e00a7127ddc0b3d1a9a379b4f3cee64c987

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
37963a8d5b758c9eb012d5114caccf11

SHA1
2b9bca7fa7ccfe7a1c45d103180c57749695c810

SHA256
1efef26b4ccd4d6f165c5b4c95683efed48bd14baeb90695592edae06e576c85

SHA512
92dc6f6ca1bc2c6b9526ef91a6e99567c3d7b96fadc3673a577317ae37cc14c15213669bd7961bd5fd3272e8ce86dcc3f306753f24a5f3123c9f17395574a3b2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6c45a52268774b26ee2c7ce8b3f3a9d9

SHA1
efe4ef7b37072f3097c11dd1e35741d71d0b02ad

SHA256
047e64271d1b319bc72bb3017ea260b9af5da34262ba60d08d0c4e5692ed7ce8

SHA512
84cbbaeb7353bccb07a7ef735ffdce2d8da755c8e7c94cc6318eb0782ab2525682a7ecaa32709e88b48d355843c5e383ce7052f794f58e829baa23f89d2208c0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
1.2MB

MD5
b2474297e31e8d63db8a6038bed6e9a8

SHA1
a62f2618fc2505e4c8e0a8de48d219720eb454b0

SHA256
45fc212aac88a8212c37103601d66e1675e2ae697ddd8e679ccdc50b1979a9d8

SHA512
6e2631a3cedc8f4296d0d7d0556229b9fcb68215eb4057c03ca9165eb8523e3a2b6b4328c93a2315c903d9331399d3cb452b7be635bd15aba5270b7024ab4c05

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f55838d30a87b2af448fdb142299a85b

SHA1
3d847dfde4be28c0c5ba322b55652c48007f0f2b

SHA256
675a275882d4c55708e681c4ba3ef9ad9489a7469e4206ea4851dc7b5c872ef5

SHA512
42734e2614dc5543bd39a237b1f1286414a9b49aab5671a7b2cfb508a5a2db971a854243a29293447b0645f69e803fda63a9409dbe237ee783028b0627023217

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d5a20efeb71da256389d616d4203ae89

SHA1
7f8291eb54cdc2f1a5284f54207ac8ce4f9b4a80

SHA256
07c2b4de0070c7a263829551e605376f7f2b7d5f649009af9ef600b765828277

SHA512
b6cf018dda71c4856e3ca255967cc114310b012f17b0fda3d9be9e6a30ae6050f658227bbd54d3133554b0a8e6cab6d5bb7a90c6b4bd984ba18687d1c62997ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
3e94955f9bec9d4f0a3e62a9e922a0f6

SHA1
66d71f10e95acdb336e8fc89d8c5fae44846b283

SHA256
1471e684fb6ffcbfdb1acccd9b4a5da67c60d5c31c54129ade74f3ec6b4ac2eb

SHA512
cb7f938c807b9da1374af46a60f9bd69817ec25eb8f5c403b25d7f21eecaf731e7780f588d9651f037f0335d727d9dfdc05699312fda6a6243c2c364f52fb9d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
8641597bda037c646b3cf1c4306816d9

SHA1
019806a39cd05678b46b412331856cb874850c3f

SHA256
69c6efcce4e9c594d355ae8da3ae1b44b92849a09ef003bcdd8402cd5e88e93b

SHA512
1e3f6a304e19b82649c02548db42570f56fcbc32e7d288020a93fe6eab56c596ed269272d375a5cb686cd327135a6db87409500b1e0072981e3ddab1d681bfd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
4b369b4b5376ffcac92d55ec2900a04b

SHA1
09e96a2d5d8fcf4b03df4fc38677109f9b7194c5

SHA256
4772e4b87f6970c0ded40e4fdccca34f4b4b6a7866a0187bcb7ef74d98735435

SHA512
181e6bb39097bfd22479c9c1a2cf65aea5b01850d71ed1bb4af714b58fbab69ad14c73bb750ccc4caa25b1bccd445cd8784903d34a06204aa375cca5da499696

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
b967916fad57c9ee046f95052f15a615

SHA1
6203e44479a59a521e95e5bad7cad194fb639b3c

SHA256
c74ef9964163d6354845fe9b68aa392c9be2446692bab4123c34ad49746f295d

SHA512
837967b03b7406b47e02576b8fa7c3efca7c5b259f619dd73427499402311ac788ea59bd1d876b95d090937b1c628e4385db1bead443e9b4fbd01b637814b97a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1f71cd446f73f25fe61d3e551b451e9a

SHA1
44e03f1dbc926f9777af36cd879c8b3bc822c7df

SHA256
1bcc4edcb79a604cd0203010c24d844496ad062f65cee4ebb832bcc037e47a51

SHA512
a2e84c163f61b80cb90717c82b99eb1799e752d005cb0425e0d1abb7e67ed9fe8a92c815413efe1e995d0defc58b377d2a04a5125e79f06315ac99bdeae15279

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
0df183857d74738af5fec7fb93a57c9c

SHA1
0eaf56a1a395d60a6f3433b4bc2dde668af580b5

SHA256
22844bed334e167d6456d053afb0ed725c1d56a33f1432e074cff4dcbc6ede74

SHA512
0159a3ae66dd6d7250884fdaab845515e4ce7410fdb0c7ff7499813b045d68342886574688756999441405928b2a49a0698b900f083f260df3e849532d6b8b22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1503b55ef621d6a04017e7f24f05eadb

SHA1
477c673373e3b65bf901bc58be6f0e33c696c09d

SHA256
d9e3fc4c009962953bd0541fadd63198e1a2dc710d72a003a7f848301ac714f4

SHA512
49e33f144e40cf1bb3e081e193eadb0d6b78020e50e23cab299aae85cea5080d9586f58ad75af88b5934810f3a1710da789ccfe8bb83a185e0d9772f853f18b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
35acbd9ec33cc7c56c57d4b072aa807a

SHA1
556b158c663e3fa20a80973224dbde1ea65c62e6

SHA256
1c77a5392d11db796a4cb568ad3cad1f85142f4a8d1dfcc05af806a269180e16

SHA512
f659a558a79e5e0067cdd9f9e4cc0b2106b63a6ca36b4298b84e38044a12f26b548c44798e8a26c995ffdf44930d3b316b6bcca028247b1eb93d6e9173b18b19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
def6d33c1a69d985e302483dd8d504fc

SHA1
0637e22a3840ffa66f0c4e0a6c5141f224fa9358

SHA256
5ee4bbf7fbb26e79a82d669ecb7fef26d129755b771aff6e83f111c1790aa8d2

SHA512
300aa09c01ca50c87ef13b299289285f0728ae53fd9c2c2cc1e3df40a7bd244b5ab02de9123950d1e6a09d78a5689c0f0059aa8ea67a2cbdbd9f8ea3dbee42c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7469ff7b77505783bc04943a2e4f9661

SHA1
aeb1c140a3f3390372d4cc8b0a19837af3109476

SHA256
5ed2165641e8b3efd6d66d34a965e7f1ac38848adb485a96b82cab6a4fa7f3a0

SHA512
3ac2358a0ffbe4dc4e94b4379426f4935099b8fc6b744afda2f3ece0ed1e3f4e051770e91e12acc3f85d46cf7fa0a430398b94be00821eb92ef8d9eb31aed743

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
c537284b00a7f507f0da49f9bed2a079

SHA1
b7da1261bd5cd866e85a728886cacc6a179b9c42

SHA256
ac79881798dd37ed3f9057ccb9adc34203074c5aafc8d4219c593a77a6d11c3e

SHA512
be288a0073022b07f9208c23948bf923959d6428ca4707eae7c7bdf10f2d07896f028bbfd3212a41fb3e0a0ac3cf02b96209ececccdbbd33209958f6b98b5f80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b7822bf7e2444e826de0cb3866483e5d

SHA1
42db772461991beb0faa65e93ced01f149fd4dc6

SHA256
875c7e2f9732c9e0dd9e32036eabfce7563e1ffb04694f71fceaf5f2161acdab

SHA512
971ee23c00374978e979b2a87487ebc57c0710a42f21aee6505330cb984d66af25877b13947888abe4e1e59323459137eabdad0bd3ca12b60f431e5ce5b32e13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9d15b954fc3e280197af8da6bfcd0807

SHA1
03a09d5151297059a4792ac57d41b0817c8bf6bd

SHA256
1b4e05668a9e307bf04791480da58c8f6c77894f154f0b220d5a96190317452c

SHA512
f1666fa259ac21c26af21418bee21389f6dc0860384973e27b702f4eb84e7b96ae009d071550587b334c3bc44865a8645caa0fe12c2b82003c1e9969102b170a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
96e1711bc0212dee91554934922a8eb8

SHA1
4b20d143c2a766e6f062e3b22dddabd73936a194

SHA256
8536548fc301dcb24d998be0ab77d0b015d39a0cef53068eddf473a2b6b076ae

SHA512
d514ceb73c19ecf69821a7839427fcb4a06f8950852f218f53db85118ccf323694e6b14d99bf59c9d9a744631be2a3a502ec1435f9ca3a497c1ee6fc26632037

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
9d35a6b4bc43cb1888210982e7d4fd6f

SHA1
67d210ed7f6786d3ce9255d1c9b70d4f1589d9a7

SHA256
ab26b9d3cf9208eb2752833dc23bce0376973b5a9835fd43317f8769b8390e3d

SHA512
5966aae451bc0240c00d413737515e62ecc101e5a9bb3f61d070ba9be4a9689ce4c6631c27969fbbece0b2c2b28a7ec51510bdb20a2cfb0bef45130861461c07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
677532673a8cff20a33e8e5c7164f1ad

SHA1
db59561d5f8dee327e771136ae5226d9f15a1d9c

SHA256
4ab5fabe1b2dc8013338f95b104e51584de68778e0729d7c69b85651f5bb62a0

SHA512
118c105c5fe518c78183d550c460310641287a4ce1610f4565268a4a4c5ee59d6fb517e8699462b0aea24575c7b5686d1f4b1ea4bc1e6ce5b7c3e68359d1c9f3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a3fc067cb84154ec7b4897ddd9041087

SHA1
ca0ce523ac8a87d4fb229f4bb275844d559b0764

SHA256
78901c88f0b22ced4b7d3dcdba591bfbe80b9c1e2dcbec51d9ae186e8405b6d2

SHA512
240056dbff1f30b7374b526f52b6993e5663f5ee06988112bc75cbef8a721ea344d773fcc490f8a430dc0004d86bb7e9f70ec24e1e68d293243b28a798c8e50f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
291b3db7c5ad6355e861327ca992161e

SHA1
f34226f085c8d8caceb18d951e833c7c874c5f50

SHA256
f28c2e43b01145ac88bd51a11f04ec72c6afb4170322f46a3c918fbd879e07de

SHA512
7486629955acf195136b8f932f78ae20135cb079d42ac61f7e16c04b1702b4b9b324bb9a05996d872c19fd32da80dd0a2c0a86775fbd2a36a19faed1417426d0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6724433755a6147e245aceb35fe0d4c4

SHA1
fc626719f45fc9e9fedd9fbb3266639f24c26899

SHA256
d6d79b31f1b781d748aa149c06e6f33ded37d4c93659c23f5a4c24e658cec405

SHA512
a760657f9a148e4220c471bcd44220cf4c61859498960fe63956b8ebc04edeee05cdb56f771c2b08c54be8bafef788d2a707a04e0f5af55b49831b87d6855c5f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
deeee17d89b30fa8d62971db51fb1d0e

SHA1
93334591969eb0bb49ef91623b4f071e5cfea05a

SHA256
e7d61efeaa71def8ff70a89d254d6c13ecec35ebd667a7e9e82ce2eb201c94d9

SHA512
54dd39e1f68ba56cddcbfdebdaf3b5b175452b1152b00a5b863650d767aa3c174b408b412100811dbaabed05d193cca76730590e91a6e2fb16d813b2ef340c5e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4e68be73e242913ddbc72d3404689cdc

SHA1
50abe79973e94c64e9dfc7d8ef97aa70a01d4fa9

SHA256
b0aa13990e30a98d1e0717738622a2650e53900dababd60f627538969b1a3b6f

SHA512
d569f617b44399b0413fa43503455b7b65fd803f5ae93a0a34adb92402fe2e4c7d1117ffbc9d902e87b92e6a936677e26c00549f3425a361a42afff6f7060bd2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
489251e932ad26a8363d2e7ab707afb7

SHA1
a5ff69a50169994529bac056fd60989a428a0232

SHA256
706b112c6317a79df036fe16647e95f9a51508ed45ffa4f74725b33e8ff9cab2

SHA512
c90297f8f1db3d4c4ecbb1fc1b819d417ee1d831f87ba41c42cc836876e5f81e547dc3e30170b0efb8508b4df80678f37d940542c966bdb025b79c261e9fdabb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
63317008ed2842433c5cab316621b178

SHA1
fdcfe20aa13116a2d738f5496a5ff39ff162bc8c

SHA256
d2adb342a43923b0433d2be1e958ab4bc3aef04e7257ab462ff39afb85ed3a9d

SHA512
5db46a849c8ead027627cf1fd57cbc4f41c0eb45938e5cf325eaeffb3bedfe38d97267bc0a6c933ddaaf350334d0162852bbec33d5d623693e1ebb7fa4adf8cc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
cc912f9e81fa865929dcf4cca8aef887

SHA1
e1f6da2c93ce59a618c6d5c3993e323a2bd5abde

SHA256
1ab0951fa068b3daef3d114779857283c01c2ae0698de390717c39c7f868cb6f

SHA512
59994f30cc064abdb65ec5fdb0ca88206923e894f381da84b11083f642a77d5ff7029db6c18499abd2a4ddc7f57dfc89e2ac50cc869a210f864f0b6675d6a512

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
11bbb6afca5add41440a1fa7f105e009

SHA1
eee388ea9ba1a174b1d1d21f3ade8266ae1eb3d0

SHA256
46f10246faca780b6719c13b4308654af7f04da5d51b5d95fbe650506ebd20f2

SHA512
8c0155601b4502f7a4f3e88c7fc87be67834ffc587afcbc6c48204aa5f1f24e441937a4af78f20ef3c213985b24615487311bbd3157dd39754ff01d858fb8547

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
13a016de1ea78e62516aa2337769cc05

SHA1
4505dfa2c2b5865bd998b26abf7fce145abeb576

SHA256
04918861465c25751fe9a4cc4c686c91a1b5b2f400e64b381ae42a03caa9240f

SHA512
d597f769ac1df8e38098e6daa3971a2759806254c0afcb2a63068bb898f1f05ae40e70239f4b50e2a6c4e2797b2b3e095eb8262a11c09d0859eb9ce5699af80f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
62a6eef467b10e1f42b6d1c97c20e448

SHA1
98bdada4a51c78b263c4d85c6cba5627353b5119

SHA256
e430aff586a75553099905c99e3f145563e787f05a2d02d220463ecd87535019

SHA512
5ccb0aff03b1300ab4fca299472b809cb8a33ed143a2b183d8660194d5c0677f424e1e429c5a3eabca990113cb997ec63666544dabc6946d73e083108038d5c9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.2MB

MD5
2277a108e1ab9789abe0be53524fbdf0

SHA1
c168edc12e169b74ecfc503458fea029acfa3f03

SHA256
f936632f1d6f0ebc49e38fac76d9995e0a1cc52692de08ed3997ab3157bb130b

SHA512
36f333bc9a2e754b2d18fcfde6fd02d2d710c5f673e98ad60ffc226c7d211bb147bf663113cc5ef28e6f678d6115fc0c773fc910a649530560168bb07a535541

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
f29f6b0b40a6f75a02dd0ebb89d31ce1

SHA1
44bacda121332a5488cd1426104e197bbf7985bc

SHA256
bea184239f42e567ecb3cbaf75d8a7e307653a5a0098946e8de3b2cf7f6753e8

SHA512
8b8868466ea3124d0b39e47e323c72b350686587564ed2990e4ef793a4c91e3cf331ff69599ec54219470728b6ac2af069461c8ad2a79f8b670cbb4be48d4561

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dbf0e992431437b2d5988d27cb6f36dd

SHA1
8349b11ceadd734d463655a22b60f564b43120a5

SHA256
4f2c38e878bed77fb519a97935b4fc4a071a738933f3f78ef0fb8b23cb7e488a

SHA512
906d9ecfe98e14afcda2eb157a0a9a515784b53c8188384d36e920609759595bd0124dd22a441e72ab6e1b44f1c1b821e52481b9bf835c6fb5ba77b50febeb4f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
724439b976c1bbdb99acc86f32fc0f96

SHA1
bb6c4afa24c759321a5e9b6b90aecc514e032adb

SHA256
b139ef94815b479bb236d50a060458c3e2e4d2f98708ea886c98c5f180b972a5

SHA512
221b00e2baecc4c1eee18ebc18794d9518b1fc15049a8c418d64ea8e50a7d9fa9e925fd0ab92c2b6b8b8169c538ce6344b7f2538d2e4451f39dab67b26451a69

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
bb686436b739355805d2e4865b509255

SHA1
72d8d2a4b4f9dca0b16ac25368047808f054bf68

SHA256
326bc374e7066587f17d4cdd02a4eb22288dbe33f37c329690e03b8df2756670

SHA512
0007181fa199d3fc7fb1b21699b6f9b01729c7db675f2bc8bb883d25c3ccc021ef3b9422ba251675bad3e4dc1aa891693a79cc935a9d3445ab169fb36dc8a440

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d5c951b302c3f8a8bcd7d039747c56ac

SHA1
78361917e0896f07fab404ba701f017a50f885e9

SHA256
9d50b5ae35e90eb7af07991919b066d804b71a36b34f33ce60134fcf8e6ae36b

SHA512
5d97082ca635562430cec53595ad2809d898107dfe976f55eca0e9ed20ada5082c1a52b0212c31badd1a44aefe126acaa38d6f2b97aac77052eeaa1a1b381d37

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
85268a39d53ccde7d83a5ef065e4022b

SHA1
6f52588008077305a7cf81a53a5a5b00f6d42b93

SHA256
f504269ba3087ba7113a24cd77f9620a1671d275a54bbe20cf51171e8cb610fd

SHA512
df047d223c51f76510f4f7405407e9a7fc0677dcd2f840ab5c94cdc109c743b192b12a3403b15c39b4295178b59cce20ef2228234c6ca2650515fd63b21b3a4d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
067f580c53a9c7474dcf10c341e2a259

SHA1
4afa6dd152a177d09f1a1daaa862dbe09a31a295

SHA256
04401ed06a635182478092471428ae9bfd7d6e02c1a11b548b27dfa8df0b99c5

SHA512
a1e9494d7b6b23aa5b0d7a27a9dd590ae8ee9c78d3c7d7887fc3738893b21edb7cb8ebf0e5b4dd5a7b90e5381d1e0c114594398849c1aa2f98f6544e1d70399d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1.6MB

MD5
b2df66badf5893a1a44d4775843a195d

SHA1
c61c063268d4246c15947815c799adfd5873e8b8

SHA256
85f917e01e14c79ea8e7e25d855d97448a8c2067e7f14150e4770e9204f5d69b

SHA512
87f8eb6aa9382d7566a958d49bca60ea0cfb0397f0c20a49397a4c97f0ca866635f047140fa396072fdef4d8713eac4e5dd9a450e58f5d16516d9fe905e1d1d9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d771dc5c658d2aeb0418864ac896673f

SHA1
968c884c8174bc3ff65354fdc41321c99170e7ef

SHA256
d5c2dd27f4b40bc3491110e77c65dde32d1f57eb91a7f8116e887c77a860d0d5

SHA512
44cea7609ca67163d23dcfe9aa99e90f15f8f165b0bcad31b3495c2dcde16256a798af429d8f6aba39c71aca62453f37c4a7e590b46844186742e6b800d69eb4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
008c7a5b7fa050dcc7931155efa05459

SHA1
1de2f3fbe92ab0b08dc80e3c7834602e4eeb6c88

SHA256
bbbe8408a148375871b12df723f5bfef7e4866da1221daf63aa46b77ad5aebb1

SHA512
4809a8d9f623ac13066ec209634c5b3237ffc67283cb18cb7b4dfaf4f372b5aff3317bdb56f94a998ad2285ab37e1b00ec9108d8706192d8162d91313c18f738

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
8fc0fdf2e2c998d1e3460546673932ee

SHA1
cd6ab969daf232a4a47fbe2b929ee73481e8b7c1

SHA256
fe9b594dfd006d04ec45fbc8503bccc41b9ea8e3d160220f3b4f6ade2d3e1746

SHA512
ad463c028a5912d916c731f27de3b6c2b9a2b846c6b39b286d0857d51cc01ad13f48970a670c18436e2d6bf237f996dc8f50affe9a4e39310039d5a0db9e0ba1

Download Submit
memory/1000-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1000-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1548-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1548-660-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1608-229-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1608-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2092-14-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2092-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2092-102-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2092-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2468-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2468-659-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3184-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3184-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3184-652-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3368-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3368-499-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3388-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3388-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3604-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3604-217-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3644-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3644-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3644-47-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3644-46-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3644-38-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3716-128-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3716-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3716-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3716-27-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3988-658-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3988-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4088-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4088-649-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4104-0-0x00000000023A0000-0x0000000002407000-memory.dmp

Filesize
412KB

Download
memory/4104-8-0x00000000023A0000-0x0000000002407000-memory.dmp

Filesize
412KB

Download
memory/4104-63-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4104-7-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4116-155-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4116-444-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4140-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4140-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4140-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4140-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4220-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4220-58-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4220-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4220-52-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4260-654-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4260-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4676-655-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4676-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4716-191-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4716-653-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4928-75-0x0000000001EE0000-0x0000000001F40000-memory.dmp

Filesize
384KB

Download
memory/4928-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4928-87-0x0000000001EE0000-0x0000000001F40000-memory.dmp

Filesize
384KB

Download
memory/4928-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4928-81-0x0000000001EE0000-0x0000000001F40000-memory.dmp

Filesize
384KB

Download
memory/5004-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5036-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5036-91-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5036-202-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads