705c69bb628dcfea6af054fc7ff266c57f45bd063289572b6ad23ee5bfacae4f

Analysis

max time kernel
157s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
Size

712KB
MD5

02f1d1a290d28cdfd1da597722aa0d5c
SHA1

6fbe442a85e254a2a2075295c952dd94a0ee28d3
SHA256

705c69bb628dcfea6af054fc7ff266c57f45bd063289572b6ad23ee5bfacae4f
SHA512

d3f70762c454d8d11a509a7ce538f25a5cdd8caff150a7f178a4ab914477cbaf15277165d5525460762ff1f298cd4eff8850b855ccb5e1e6e94dec8111789505
SSDEEP

12288:BtOw6BaYoH/uLJOyo937vGFWxwFJI+yeuVb8r+ZP712Ii+51cjVWtVj5J:z6Bw2JOt934J7Z6bQaj1BvUm9J

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3456	alg.exe
3600	DiagnosticsHub.StandardCollector.Service.exe
3492	fxssvc.exe
3204	elevation_service.exe
2804	elevation_service.exe
3388	maintenanceservice.exe
1772	msdtc.exe
4840	OSE.EXE
2764	PerceptionSimulationService.exe
4552	perfhost.exe
4492	locator.exe
3412	SensorDataService.exe
4464	snmptrap.exe
2916	spectrum.exe
3036	ssh-agent.exe
4672	TieringEngineService.exe
4376	AgentService.exe
3828	vds.exe
4864	vssvc.exe
3372	wbengine.exe
3980	WmiApSrv.exe
1292	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

msdtc.exe2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a4db9bdfb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5fcb5c38eacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000478a73c88eacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002dfcedb78eacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c34c5ca8eacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e69deec98eacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000732941c38eacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c14e1eca8eacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009119f0c28eacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efdfb3b88eacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe

pid	process
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
Token: SeAuditPrivilege	3492	fxssvc.exe
Token: SeRestorePrivilege	4672	TieringEngineService.exe
Token: SeManageVolumePrivilege	4672	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4376	AgentService.exe
Token: SeBackupPrivilege	4864	vssvc.exe
Token: SeRestorePrivilege	4864	vssvc.exe
Token: SeAuditPrivilege	4864	vssvc.exe
Token: SeBackupPrivilege	3372	wbengine.exe
Token: SeRestorePrivilege	3372	wbengine.exe
Token: SeSecurityPrivilege	3372	wbengine.exe
Token: 33	1292	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeDebugPrivilege	3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
Token: SeDebugPrivilege	3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
Token: SeDebugPrivilege	3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
Token: SeDebugPrivilege	3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
Token: SeDebugPrivilege	3432	2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1292 wrote to memory of 2432	1292	SearchIndexer.exe	SearchProtocolHost.exe
PID 1292 wrote to memory of 2432	1292	SearchIndexer.exe	SearchProtocolHost.exe
PID 1292 wrote to memory of 4416	1292	SearchIndexer.exe	SearchFilterHost.exe
PID 1292 wrote to memory of 4416	1292	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_02f1d1a290d28cdfd1da597722aa0d5c_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3456

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4528

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2804

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3388

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1772

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3412

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2916

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3536

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2432
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
1f7a1f56671c9c00ec3f8ecec04e8ddf

SHA1
4167476f06449631ea80dd61740e37004374c055

SHA256
3fc7d404404e4b14cef40350931069576d4ea8c9c83749192b1869a0bc02b94c

SHA512
70c881e83c127d99e900172f818e29d0b145869670ee4769cc8e6d6b7cc3ec15124708ca4fd7f5f6d80afea0985a8fcac7fe2643c7ab1fa63116a2b42831d95d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
80109ed5a90263272f7140328c47b340

SHA1
ed0c5cecdc87e3330b3d74c0268e504ec748e9c2

SHA256
ea983744815f10a5c2d73f519b440089403f973d7c2b84e3a9dffb62c09311cd

SHA512
ade155d59974cc11e0c87f3daa77d990e9bc6ba2268850f39391697eb932338df669e125686b989cdf1a41a1fdeb089c951be444a375e244ff7b5aa11fcb7e6c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
0ebd4e32327fc736c4878e33de50d994

SHA1
fda96b6c99f95d724328ad7af5842a48fdcfaa42

SHA256
14f6a62b497691bfcb787b3cf7951681c0ca3be390fa8ec8be6e6b3c33ca53a2

SHA512
cc44d24a87847bbd3487dba40612d42535412307d94dfb1b2b14d349fa3152c6e1d8f1a9c07003f5c223ff0b1654146e2f1b53c4bbc4ab72294c05aa6020e4ce

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
693d1716fcfdb0f04175c88b1f6d0d89

SHA1
90c9a4d92755629515f80c26e9ee3b946d062c71

SHA256
1a45db32d35dcba49a9c13c87c47cdee243797c8f3a116cbd56023d5403088e8

SHA512
bd47523247eb69fe27fb4cac39c177bcf970d94687ee42f995246d099b87f6519fb09ae2051ccc127c064c79808ea951885d67d36ec613260da4f45fe212f061

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
fd44469a33ef6a7bc64e421835985eb0

SHA1
ea92cf9f76a141ee24e5353819d000848e06b9aa

SHA256
845438e35d8b3a68b86c964bab321e369a6633723672b06f5aaf38f6d82ee739

SHA512
ea8c5720f03e4b56cfcde216f315efa66b496a697a46e60b13490704972e1973ba3b9f0c85dd50df089bc0fb3e88d6869549030665e2f31422a31ac338cea4be

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
711a4676dd6b42f881d389861d07f6bb

SHA1
2d7b6956451324db9f578ec965fc42cc7c7c0cfe

SHA256
6aea69a8d5861871a402a1619c1190ebbf8255f5e26d8e3307eb9ee287c093bb

SHA512
646634116bbc2d51b1d739b53a25d3492b8847025c51b4c404422724c9093500aa3e7bad072d3f0da315457353243f6059a3c6bc3ad099f0524ad2f4efdcb3ce

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5685ecec8341ecb2dcc5a2d4dc113119

SHA1
1a7a405667a04246eb59380b4700a9d5f388bfb6

SHA256
2abd9d1be7d8b333bd7268ca92cd9cf77de3412d7765d40abbf1e3fdb6707d29

SHA512
a552690db7eb5624b9553c1347fb3778f071d247327499254a107828289dcde8f8dd068e09bc3b61b27aa05bad63d43a95c690a8f9eeceb40b576b5d2c25138c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
795b60cd25b1d68e86907bb67dfdebe0

SHA1
7b20ae9256a63fd08e1107fbf6075cc612449719

SHA256
816bbb7e17fdec07ab7c886f6ab27e45d3f8497e080ddd78366c356f02d70844

SHA512
cbb0e9e2f85f7ec899fd87c354e078fce77b1a508b052a294bfc74935dc99689bd9154d33056fd1bf1d890f69227d7ae016fed68d210863bc0ed9e7a72880b0b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
70bcee26a5ad221d1bcb72addadd622b

SHA1
7f937ace085352c58e26287c5b041410546ee0f3

SHA256
48a5564004c1a5ba54a35a2c8db22d10c7191140318916103787a154abc63e72

SHA512
19ecb121afde38fa8d8bf43814f71b3d732d48cb97b8c38210b99b5c81d3be3b596b4ab4243365ac93b3d4ede6465ec1f3b39e1d5dc41e08a703de4620dc3bb8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ffaf4690552ec880b9a795b6a897ce06

SHA1
954fefddbeee7e8798ca9f997988afb9d0dfdc89

SHA256
26070e0606665129ee1097c7d35a37a398fa87099c34b9a5e9aaae13439ae701

SHA512
3e90ec92b43d2cee00289a632253b54d84ff521f6dfac7ed0c32653472cf2ac53d307878f7861669c900e2e1623d1fe42631235908abd33ec22f8edf476ff060

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
acd9d1ed0fb16e1e919a41e9eab18e11

SHA1
bbfed54f8dc09c243de979fbb8952d682ef9d00d

SHA256
32d7ce1d5a13854227b9ae6569779b79ef719de7cb3d19ab9f3d71661ccb7115

SHA512
33f02e9d26aaac120a0377654517ea07c623d3afde29b4c68cfa1671cc4ee0a6572791195f5a115698c28d77b13cb7749719d8d5a88dcf5e85b61ecb415f69a4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
eef64b369264b43937d59c230dc52dfa

SHA1
faa833cdfad298f43b1a89289e6e9c9f02646b9d

SHA256
785b75282eedf5b80948057a8d9fd9365e29dedf5577c0906dbe1b0932a7e346

SHA512
5578a6cb9769a40c794446c6c8b6ba249490f755e2b819814f4d22aa33a720f66ec555c07b9e54db83b07f1ca62e33173a8bc50dd54b0dbd7070a0d775e0a8a6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e6d777d07fe43da694f7251c2b52420f

SHA1
acadaaf6f2c9dcb149e4483eced3467d18fa9430

SHA256
b251ea9fe0e01a513fd49932d702f31df6acec77e23e6e60c763caf6bf3b9078

SHA512
4d2e647e88100876c36d8975a7e69b6709b0daa085cac2db203515c40ef313fde7f5b17a1e375faee4fe166bf4b5ee9c7324e8480a3d4b85bcae9043e48a54b3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bf8830b72b01cad42e582cd34511c20f

SHA1
de1739a05733da2dfcddf3771cee7a1f3774fd60

SHA256
682b4817ba179a51bbf742fb0d1326a59d7530138164e0d40908a1f54b2a2e53

SHA512
7039699f74a193a0d2f271f335d45ad6aec3d148f168a69b310bd953fddce234d6cebbafdd1514b224ba2890aa188c2538f4b8aac916f38b392b42aed5d390b6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7d4d81098ed0f947345b149aa3127b8d

SHA1
78ac11ccf96713a06f1529f289b1fc864cccc16a

SHA256
d65850e8df0732079565afb25a1dcf51ee6d38375f2ea448fdd8a37077dca684

SHA512
bf66eb660879ba50e8c4c3c1727a87543ae1b241e8bc3dc4ff62690ae67f6a697d479750f2b11493410646fe1f2a4923dedcf5b96d268fa9f32a020846037344

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
871d75d2bd7a69475fc8b8a3700a836b

SHA1
8ee376db86f4973a05b8693a5177367224cc01b4

SHA256
f1c6c2d21e8994bfde7b228f0f64aece0e343e011cf0e1c17e1a75ae86e9a162

SHA512
c6cabee2c068481e9fadf73cb89fec7f36a3f2d09bd07425f9a5c4f92d048d7d8990045c4cbfe394488f068274fee3111d7f1bee1ee764826a0b2716982b63ba

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
32f77b15c6b79d249d28624b995eefae

SHA1
bef966833487f93335ad4b34905aca340e5b01ff

SHA256
22b5cb3a67fcdf0ce0c47fe95636385d98b1a1390896de20a25efaeeb3c3f3e8

SHA512
85e2777b43595c655e2ae4b5d48d8d4b73f22ebea94d8b8467f4854fed9bf4f2be52e52c8e9105daf4871ce8845a93186d6ed9ebac22c4767da7f11693440eb1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
1a175ae2b0c58892f414bac8f6a05f7d

SHA1
13e5910e62cc54d88514e7ae40519e0fbf711a7d

SHA256
3bcbcf6024255a158bc3d86d570b98ae82785bd95fc044a524003f2889143769

SHA512
8f3bc5d0035af174a29fb89c600dfb5df969a71f899e96168543033e92758dce22818c1a0c959eb9b1944c466b17ac145334b3f3b81695104069d3a5ad94ef8a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8bec7c9be3aaea1d295909ed3360a6e6

SHA1
6e0233e0285a122fbe1986b4370181a09c1388ec

SHA256
7e8c094bfcd87115cbfbb9fce2e590cdeaa8271d146c38460cc892748f751ef8

SHA512
431403b4333a6d37913c5d2b955948298c63865e1b1e68fd64964da078685d907e026b8b24e291de03a85133db1ba2f38b7877ff2da2f88079c07f3c793815f2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f258e7180363b4aa7a4de99e9b86a41b

SHA1
632c367b72576692cc8e65de7d5203661d2476f9

SHA256
3df929f3fa9d8cfa3ebe8068dba99107df209cc2e89fcd81d3f82b8f150d9ad9

SHA512
eac62dffe6d622910f140803255de17a6303129e69809b456befcbb42c5b74cfa1ad8e7ebc87edda19aaf091b9a15ec3673c0dd9b9198b62849475ced1119585

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
475c72762a9f4681ff45ff3c68c90d3c

SHA1
1650a731d6c15837b65f75d1230d1ccb52ec06b6

SHA256
688e9540ba99740dbf57411f278a057a93b233ecfc96f4565f28373016d6db27

SHA512
be8bc7a1794543937f2b27b9a4d709527da9c70d97c46789476356889b6be34de974550665d770f2d6a498718d69aa8e26fccafcffbefceb3c36b7e891895641

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
11cc823f82e7c82e59850d2269bed25f

SHA1
bfade1e60f516e3b698485499b1fb76ba956e2d0

SHA256
96e4b4ad1fedb9dbbbb964cfc71e94020ca046070dedd489aee64466756bb44a

SHA512
572ff1776ba07d9a1c4113a8279c368ce083b542e5cb50b51cd26a339822a05ceec28a6eea00389e2f5704ae3a760c4ae62dae7400f38568cf7f8516a6a6393b

Download Submit
memory/1292-408-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1292-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1772-88-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1772-89-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1772-200-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2764-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2764-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2804-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2804-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2804-62-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2804-177-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2916-165-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2916-321-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3036-325-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3036-178-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3204-57-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3204-51-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3204-164-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3204-59-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3372-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3372-395-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3388-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3388-79-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3388-85-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3388-80-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3388-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3412-141-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3412-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3412-277-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3432-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3432-1-0x0000000000B60000-0x0000000000BC7000-memory.dmp

Filesize
412KB

Download
memory/3432-50-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3432-6-0x0000000000B60000-0x0000000000BC7000-memory.dmp

Filesize
412KB

Download
memory/3432-8-0x0000000000B60000-0x0000000000BC7000-memory.dmp

Filesize
412KB

Download
memory/3456-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3456-19-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3456-13-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3456-100-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3492-37-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3492-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3492-43-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3492-46-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3492-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3600-126-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3600-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3600-26-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3600-32-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3828-213-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3828-349-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3980-403-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3980-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4376-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4376-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4464-316-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4464-153-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4492-130-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4492-251-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4552-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4552-239-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4672-189-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4672-330-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4840-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4840-212-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4864-367-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4864-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download