Analysis Overview
SHA256
ab255f62931d033e18a0f6656a139218f03feb6181a1eab68bf0367c5300d214
Threat Level: Shows suspicious behavior
The file 2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Uses Volume Shadow Copy service COM API
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 17:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 17:58
Reported
2024-06-11 18:01
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040eaee3529bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cf3bb3629bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b37fd3529bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c072f83529bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016a4263529bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003271173629bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002711f63529bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abab313629bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000766e553629bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 432 wrote to memory of 4044 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 432 wrote to memory of 4044 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 432 wrote to memory of 3380 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
| PID 432 wrote to memory of 3380 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
Network
| Country | Destination | Domain | Proto |
Files
memory/1248-7-0x0000000000400000-0x0000000000677000-memory.dmp
memory/1248-8-0x0000000000900000-0x0000000000966000-memory.dmp
memory/1248-0-0x0000000000900000-0x0000000000966000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | cec28e183a75625ccc874e480a85243a |
| SHA1 | ba526c9b0b598af232a22db16591a85103653a88 |
| SHA256 | dbaac6177ef8889ff895a278677b003aca4e8e91ce89dd984b6a9e32753d72ef |
| SHA512 | e8329b01032773e0d778241f353e984aa30560add84f87978f2cfdbfacfcdc8837f15affff0a571903793926518588892563f1025fd6524b034bc6e8aa633915 |
memory/4248-13-0x0000000140000000-0x000000014021B000-memory.dmp
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
| MD5 | 1ac820a777e89ca1801a00e368a3afc4 |
| SHA1 | 3822ea7c5f1b2a35122b73efc2a463506507ee7e |
| SHA256 | f513a76cd9cb370075150043b0f95d89fd0053b3d33ad29128b7dfbd7e4d6e63 |
| SHA512 | 08a73b0ec636283ae8e65f0a41a0b8307125fecdb8b0e44e0903521bc9d3933922b74e8fc2cda671177fa3a36ceedd266ce55daaa118715b59eadbf58a605702 |
memory/1248-17-0x0000000000400000-0x0000000000677000-memory.dmp
memory/3556-19-0x0000000000710000-0x0000000000770000-memory.dmp
C:\Windows\system32\AppVClient.exe
| MD5 | f597efd8bbfe3afe88658cf5e2266ca3 |
| SHA1 | 728bd883e52878674eb5c952f9072f241c38025f |
| SHA256 | 4fb31d83875b13cf6e96e2e19ad976d3f50ae1b126f46d24e8b9754189b43dc2 |
| SHA512 | 5af4b1e5a8cb9ad43e3b8d4aeb81131af8657f9ddce79751559ca4d3231b3dabd97ee09e771a19f3e6ac7265fdb8a3b3b8313f469508a1b5ae33d3a634037a99 |
memory/3556-28-0x0000000000710000-0x0000000000770000-memory.dmp
memory/3556-27-0x0000000140000000-0x000000014021A000-memory.dmp
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
| MD5 | 531ceef5eed066b0db33bd49063c7faa |
| SHA1 | c2a2856448368a89ff0235f47db9a9f00cf2f2f2 |
| SHA256 | d79820a1753760dccbe36854190fa701df2c135f5290cff5fc41407a2de81607 |
| SHA512 | c78e721f8cf0070ac4ae9f634a0c9b7f575c9ee8f64108b677194d6571386b95cef4e0dc173f4e3265b79954e88e0875ea88c603ad9a46c0e3222e4d014a1622 |
memory/2592-39-0x0000000000D70000-0x0000000000DD0000-memory.dmp
memory/2592-41-0x0000000140000000-0x000000014024B000-memory.dmp
memory/2592-33-0x0000000000D70000-0x0000000000DD0000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
| MD5 | ce09376cce0f8828f458dcc03272d42a |
| SHA1 | 52df98c2f94de6e4a8eb7f323d3b4eb57785d4b0 |
| SHA256 | 4232aed19360196adeff2bd2e9f595f096cdae5c619516f0e060891ba6972f73 |
| SHA512 | cafaab238820a70ee133039dba56b954efc8d7f4737b2d39e2c07721f7ead23a4acaaafaf9416e2560d8e1a70417d1f587311b4a4f6adacb4c0cc5cca6212d2c |
memory/3720-44-0x0000000140000000-0x000000014022B000-memory.dmp
memory/3720-45-0x00000000001A0000-0x0000000000200000-memory.dmp
memory/3720-53-0x00000000001A0000-0x0000000000200000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | b4bb7f5fab14ca9e6b20c4ed74090b51 |
| SHA1 | b24fa6d11da54329e439f59ff0543811f7995ffd |
| SHA256 | c345520f8b4b8a8c37267113eac8c2ab82e6b05c12b61b1f3ff9e42777480dd7 |
| SHA512 | 32495b1a3fed9f5e534ea1f6ab075f17bc11d8cfd890e2243457e577557c4888a0e1ceea63bd160389ef93f1db12c8c2851d517a05f03aad22f6376d6286fc70 |
memory/1932-56-0x0000000000CD0000-0x0000000000D30000-memory.dmp
memory/1932-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp
memory/1932-67-0x0000000000CD0000-0x0000000000D30000-memory.dmp
memory/1932-69-0x0000000140000000-0x0000000140240000-memory.dmp
memory/1932-66-0x0000000140000000-0x0000000140240000-memory.dmp
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | 27b75f0aa01687ec3819546778fff95b |
| SHA1 | 6eaabdaebbfcce087290078ed5053fd47edf13d7 |
| SHA256 | 398792f7fede7856fb0c0ca63e3169664e9b9e23b34904418c9727b693cd85e2 |
| SHA512 | cdca0ac6ba1ef5188c172e5f9bbeef4f64f1c96904f19d16a3c7a98d16d234800f63610b905f22f25ddd7f8aeb52137ca91f959f313ab6240a9ea9f90bbb6c96 |
memory/3052-77-0x00000000007F0000-0x0000000000850000-memory.dmp
memory/3052-71-0x00000000007F0000-0x0000000000850000-memory.dmp
memory/3052-82-0x0000000140000000-0x0000000140240000-memory.dmp
memory/3556-238-0x0000000140000000-0x000000014021A000-memory.dmp
memory/4248-239-0x0000000140000000-0x000000014021B000-memory.dmp
memory/2592-240-0x0000000140000000-0x000000014024B000-memory.dmp
memory/3720-243-0x0000000140000000-0x000000014022B000-memory.dmp
C:\Windows\System32\FXSSVC.exe
| MD5 | 4891ebf7120fed3e02f1da191e8a2c81 |
| SHA1 | 0e42f07ee653b10cdea871b191fd51085c61e9ca |
| SHA256 | 86c3c8bac582afc1182b3e1bb0c18c510dbab400680cdec7546b79df9bf7bb00 |
| SHA512 | 8d50b88737c70950094124f933436dc1bcc82d175e0732c0185058b8c9f2e9ac78e23eabda76101d1aa887930618f064e6ceac4061c84379f2ce32c647aa062c |
memory/5028-248-0x0000000140000000-0x0000000140135000-memory.dmp
memory/5028-251-0x0000000140000000-0x0000000140135000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | 540c2d00300fb996dcd311fcee07a6d9 |
| SHA1 | b285963e50b92ef9dec0f02e61f28620cb70a365 |
| SHA256 | 7952a6dcea912d1c55a79adec8072aa2bf0cc899e4912545e4055d59ee5e5ffb |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 17:58
Reported
2024-06-11 18:01
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\System32\alg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
Network
Files