5ddfa0bcabf11506702b941492fc5042615890055103e45db6a4b22f78cacb68

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
Size

1.9MB
MD5

6f109cd9ec35806813d484ce457e28fb
SHA1

463ddf88da33a39db376b5f4778a664c927a694c
SHA256

5ddfa0bcabf11506702b941492fc5042615890055103e45db6a4b22f78cacb68
SHA512

7f5eb2de898d4ecbdd0e8dbb938ee862c9b06cc34dae1b848294c96e8234d927cbc58aa5381b8de06d8de4e87f0e186e6ac995588f697957383e0ddb23bb65d4
SSDEEP

24576:t2lmf4RoTNjx+mZCkt76f/24pN+XNqNG6hditW:t2Mf4RAf9Ckt7c20+9qNxUW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4760	alg.exe
2324	DiagnosticsHub.StandardCollector.Service.exe
4144	fxssvc.exe
652	elevation_service.exe
1368	elevation_service.exe
2384	maintenanceservice.exe
1360	msdtc.exe
1020	OSE.EXE
4596	PerceptionSimulationService.exe
3684	perfhost.exe
4496	locator.exe
3876	SensorDataService.exe
4936	snmptrap.exe
4928	spectrum.exe
5036	ssh-agent.exe
2280	TieringEngineService.exe
4520	AgentService.exe
1848	vds.exe
3192	vssvc.exe
4672	wbengine.exe
8	WmiApSrv.exe
3100	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3a8a8e64b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d38a2c6feaadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000018e0a65eaadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013da1b6feaadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be5a5866eaadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000032b656deaadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd884865eaadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059f8dc6feaadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe

pid	process
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
Token: SeAuditPrivilege	4144	fxssvc.exe
Token: SeRestorePrivilege	2280	TieringEngineService.exe
Token: SeManageVolumePrivilege	2280	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4520	AgentService.exe
Token: SeBackupPrivilege	3192	vssvc.exe
Token: SeRestorePrivilege	3192	vssvc.exe
Token: SeAuditPrivilege	3192	vssvc.exe
Token: SeBackupPrivilege	4672	wbengine.exe
Token: SeRestorePrivilege	4672	wbengine.exe
Token: SeSecurityPrivilege	4672	wbengine.exe
Token: 33	3100	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeDebugPrivilege	2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
Token: SeDebugPrivilege	2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
Token: SeDebugPrivilege	2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
Token: SeDebugPrivilege	2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
Token: SeDebugPrivilege	2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe

pid	process
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
2748	2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3100 wrote to memory of 1904	3100	SearchIndexer.exe	SearchProtocolHost.exe
PID 3100 wrote to memory of 1904	3100	SearchIndexer.exe	SearchProtocolHost.exe
PID 3100 wrote to memory of 4424	3100	SearchIndexer.exe	SearchFilterHost.exe
PID 3100 wrote to memory of 4424	3100	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_6f109cd9ec35806813d484ce457e28fb_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2748

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4760

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3304

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1368

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2384

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1360

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1020

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4496

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3876

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1560

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:8

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1904

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4352 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:5796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
aac4339084a35c7190166edea05ee69b

SHA1
b5a7d1421de66bd5e708595547f78010b4360bc1

SHA256
946060fa0a48914777594cffaf7c39b3f3afa0ae3a370c36397bc1c9173a3237

SHA512
051757038bcea3f67809c59cd6deef3797df45be492c2db0dad9b3d436e9f919b9169bcbb79eeba27cd4b32eae62899ef838f1da209a428b36cd10d326784824

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
105c3bd11a3ea850bdfe165ef090ee24

SHA1
bfa01301bf229d4fe39847b45f97be9768811d50

SHA256
664a2eaf60712f87f6fd0808c507704d85de9009161bd9549bb4d1055590c177

SHA512
3285cd8c6e73d782a14669cd7986fd797d31cf23ef25885d9bc7fd1cb4c2d21d442aae46632900f28bc27b26bcb43d5c0bfff28c88fd72649a9ccdb7174882c2

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
768KB

MD5
5016735c25034578d2559293f0485ae9

SHA1
dacc0d8c428a8980a12ad37acd99d7a32f6203a5

SHA256
e0a9fa22068612a52319e66d51c2a507e827a0c1827df3089fe7f0d7416e2754

SHA512
36d0bbaf2635d4148f9478a43432915b30ef16ca89e65a84f61a1b57ed40800ac58c0fe99157f1afff07057cf1eccd533a509e41d306fa190a541b9d57af209c

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
832KB

MD5
98e727623248256fe2ca7706a694c32a

SHA1
cc7ed6bd20a0e6b8a0f4be9027f908518b61b831

SHA256
e2bf2711bebe36128ebbef685a8ce14f85b3fcdf12574a293ac4b38803d1deb2

SHA512
be72d785c276624ca69d41159f01e275935ece758bd0fa2ceffb202f15fcc63caca984b2eb67802da94c4eaa2289fd80f5ba08d2d0200ef96131fa57a8715680

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
704KB

MD5
9ec12669df5ef7d97536813eda4ef33d

SHA1
b5956b1e59ac89dfb0dc32c0854c7ea5a6677661

SHA256
a3c9315d970d2a3b614b1197ee55ef855be2a003add8dfd8235fdbb7c402d74d

SHA512
b5d35a47594c0cc6e8302dbeba0bf7f9b921c38bcf93eb904535e53ff0fde692f1030c0717e38c9fcd553c153d9cd28498584627640a8f44e7eeb75b6c84161e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
fa74d58e2cf2b773a97527c750b74661

SHA1
11742237075af5649ce300060956152b8286fc40

SHA256
d1c51f153c9dd9f38b0e13a4aae74b1ca734412b535a8453f05ce54802c5f599

SHA512
9dd18ed81616f890d4c866cc3a8e5dc4b0f277b5692486700896ba2640f798a7f44942c79ed06c56e017d0cea976be1a2bc8ffb90e95220bba2eac32d86be689

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
887f9ddfe4c68d2b862619e71bcf2868

SHA1
bddecadc35cbbb130ffe9dba8a6d40d5781320e7

SHA256
39377f5f6768c92ea9002241d2b6512fbdd2a1a99ef3e04f269a3fdc1b1d9904

SHA512
9ad4c164ea795e7ab6210e8d43de7a97c8842839ce13ea7e42efdbae582fe2e721bd3f244257796b31d6697a2ea8679e634c7e588252eabb3b33524cc6e18345

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
960KB

MD5
cf044af198deae23ba7cb3348e96ae83

SHA1
1ac0e03bd9d82ca28ad198421406fa70ab829447

SHA256
44dcd978ffb240460c1fb3214a72449743e676c810e138b3135c34d0bf91795a

SHA512
9843820c12f50ffcfdedaff19e5adf5686e87ed9ca4eeecaa5409852e86da250bea0fb26f9cc54bbc69f2dda3021be4e168ea1ba458837aa0886f82fe8ba02e7

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
ff3c328b22eb3bc5c3252beec859a982

SHA1
db0fb11fb8545c2fe21aaa8d73a2b25edc0cc9df

SHA256
83639775b6f5c5e50e1fba2226a87e97e210fab63faedfa416f5e703587d2432

SHA512
bd669003f5c89367063c83db56e216c7d23e450cad3e0da5a867e528467bba13bc6e0ca14cfe838cda771cae2989b839b6485165f78ce1cac91ef76af77bd8d3

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
a13d7c181a924bedd640ce5d47a9b49b

SHA1
77ad1e3470968d7571a4f5ce732ee493c859858f

SHA256
0cefa051dd3c9b113cb02ec233f4d54652d5b550007578efb3f3181f7f88f2f4

SHA512
516007394bc96843b1dc5c365768c39cbe98b6cbdf7fd400765fb857497b385e0109bda7b4c09fc87154f2955802e4279fc7249fec57f56ce6f45d958711e8b7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
8c49e0a9fa1dc4e2df52098514b2bd5d

SHA1
212f7afdee10a32e315d12f3353d7063801f2e68

SHA256
f2f46ef44f22ad534ea4bfc5a77e9916445468d8e83e59f2162e1281bd24bf85

SHA512
3841b51ac119e0c20b158505d8cc21662ed4b1327cc5c5bc03d20640ed0ec9653c6394d5b3f49867daee37cb867082e51376dd27fd6471a116882f9f86877a66

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
21b3bda97e3c0234ecd7c9e4494824d2

SHA1
7af31ebb525217bd1c97346ee9a12a2bc80f0e53

SHA256
5e6abb4b871fc22e4e13d0a6614a3934a6fbd17390aa30ce6d52a3ac986c1264

SHA512
2c14c78169894b63e4b2462aaa579475f52300e96ecab6136ae4fa475f81b7117f3d9a52b225c5e81a3694cfa7f236b362c4de4f47ee20f252149a978a1a423c

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
c34008fbeda1ee88fcbc8c0b252cdb02

SHA1
54e5a40c6dbd04195ef6728e0aba84ec1d13bb7f

SHA256
474bf883fa42e217dd0f9cb1ed6762769bc4fbdecbff5dc11be6acc73b39d95f

SHA512
5862af201e67fd076fd20a2d8caae171b9a2f0a2c83d8d364669f40a3d36069a50ef7aeed4b0626e595d9285336523352fbeb9c1c47ac730490449b2186eb523

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
4a1dd567fda6b658a264e202b4b0981a

SHA1
c9bb26abd455c097536bf42f9a39f745ebe7751d

SHA256
29767dba78fccdb7128d1adfdcd77c52b129df39b18b0db9eacb750bf2758e76

SHA512
90b35cf740a6cefd3b7361e49aade2c8548e2cd50c5b9defee3bbe1a5038d2d759ddf1c63bfac380ed893a5ad39d863d62cf986956d514dfd5f42348dba8fc7a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
6fd5a3007003e5e5bb4e1c56f7f478d4

SHA1
e454082aa38f94a859a96b6451e516b745b4ee19

SHA256
ba28815a9b8e8875905afbcdea1fefedaf779833e99e66792ff278be0ee61b28

SHA512
60c6fd84d2924601ebfb154d1ec0adfe63d5be2b272e7b3c942879e41879107709678d02d21098fdbccc0e8dddeb5a6f67dc48c4b1820d06fe4c6077501e5329

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
e21e5b3291f55eaee7b4c6188ad6b89e

SHA1
d8382eed58753811f5905fc4ef663f36ec0a3800

SHA256
67b8676eb98dfed02f5accef94bcd21b38db3254ebaef3c06d39911cc399c7f5

SHA512
f5ab320dd1f356db44c1dcfe8f9f99314c760768bcaa9fdc0a38199f17fe239cc478f607cb3ac892a64fce0dd7a96bdcb7ebf51fd9ea06b12044dad2c968f27b

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
3bbec5e9b451e142d68707ae058bff63

SHA1
0674196ae332dc424d1d75f256fb82babecb0c79

SHA256
efc8c4f4bb5fe0b06d8799560c2c8df18547f83ccf477bc619f46e0ca08c1e85

SHA512
00b5a3e39be5c16bc0e4866779e9763827d1013987f6e94cbb501c801528bee2680359bafa2b01cf5f99c080c56dabcada006d9a973ed9ee3fd6fe0fb6903914

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
f0e7e2993cee891975deaa6f7b8f0070

SHA1
b86822fc456ed46a150a959527f6317b4a983d87

SHA256
fee5001adc1e4fe41b9a576aae80854cc122a2d6295c2c440e163d46b81db83f

SHA512
a5a01f4bfb9c6515aefe75db8755b3198072bdc6d8bdf9b0dd491e246c9f5f90e0a4d429c7bfe8b5e112abffc2b656dba1df12a5954e4e9254049085c81c96ee

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
ea00db7d219a27f21201ede7f537c8e9

SHA1
b5da3c110b617cea617c25c4b5b8a30be25d1f1f

SHA256
0a77d68b0aca4582ce71c7bdef3a25e6e2dcf34a90a4189574393e45b87e65be

SHA512
9959733504ab73ba7dc539f3ea5c5630e796245536dbccf5cb0f9eaed31a60385b2773ace26a1dd2480873d80e233dbe9fb95da1bbbc77b1f7112312cd937297

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
bcead02de17cc2df41ccc30325a7f6cb

SHA1
3885fedd8526473c4512bc03fc19bd1306ea939a

SHA256
b21577b11b25865d9cc55b936d60b8a5456ab52ac0bacd93e1e2ea374beedec9

SHA512
d175bd85808d7402c86295b3e099ffde2580f37e6f637f0f41e6de5ae32eeb8739bd0264401292e384881e5c6da35ff223d70bb80443104ed2a2e907b1712cd1

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
e3d5d63b9ff3b092616148209e66c004

SHA1
402446461ade7aeeabecdf8160c382db63bedbbd

SHA256
9c43c49ebdd90d62432441e3b152dbf5427dc6f196231f4388e90b05c12237dc

SHA512
0916a9894bcbccfb61d662be08b3b5645ee12a9b877e63321a3db6488931d548e5ea18bf448595a5e7b67175dbd3bb9ef95b83c943594d863e1fd79d34bfaeb3

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
ddddc87c9cd043b5b294e02afe067346

SHA1
5f1fb9bf8f39a97cb466a9b2585ad8a1fc92992b

SHA256
f3af6b3b0425323420dae9b5f56119b65dc3d0cace7f1902be850a2bd5b73054

SHA512
23dc52a46683edc9d164492ef085fb0aff4f6abe0be3d0d0c7fd11a73172b2924ccc6230b5a7dff6822b87bf612d202653a06ed70f1828e203f5024eac4540c6

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
3d36dc327a55d17ff3a41e1175c2a237

SHA1
fe736a74d781c612dfe7c241804be34052045be4

SHA256
4ed6cf9371e158a09066c95ee81dadb0b33f2ab48e602eaf85559ce1d85d7133

SHA512
d9eedad1f6eec4e79ab159f66cc58e047f3aa21f62b1457941bb3f3b3b7abbe0b37a7804623c7fd347ea4812656eb7f2507e66279621393e03005c6c4b8fb395

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
51b71601bbbab4f5d2cd068840fa5685

SHA1
0d712c5b342f35c9237db4e0240506b4eaade5b6

SHA256
45fef53b3b79db6dec41f7c4eef2e4ee9245bc207c270ba4ab8c4050b285f4e8

SHA512
f1d66f8097ded1e469f079aff209a4cdcc51220240261d276aed6cc5524886d3323d29306949463111b50e7df2dca722d4c7bd761ff5f827175da90135830496

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
3348eb18c33093e0d50ac7d11c6572df

SHA1
ed55998241bce8e092a393cca4a45265bd5f3c8a

SHA256
27847f8f4b552a68be0e6ea22cbbd7af016e3a5b4e2fcac407ebc8ea790cfc29

SHA512
7c873c280a3a39d20ca3dc99d42dbc9fe525ccf330312437923738a8016e32263b51506cf481db3e9085520421433ab5db26dcfb55b6a12711ef684684293364

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
b95570e277ccc4bd2fe18d02d3c23192

SHA1
35e11f2b696401eb507cdd465abe6d0a41080b4b

SHA256
91640414b083859ddbb6a4bee40d37edb0877bc294e0c8b8229f620872e57001

SHA512
42e7e9126570247789dea909d5788c75b1bca36e6cf456c6f01ba424ebc574e92f97d3cb252cb84c0609b54700c63d43c5ef4f0efedbe2d4a549a978c5ee9d8d

Download Submit
C:\Windows\system32\AgentService.exe
Filesize
1.4MB

MD5
f82a2a6d1e5ee71f8f5f74cde14b9e41

SHA1
2098db701c73db0e61099d0279939296fe1be88f

SHA256
c21684a8f787b408006f0796b58016e25f13f3d5f73c594b17d6fb6eda5140fa

SHA512
816129c86d078af9d31525765bfc1591958505286c3702d94c9b3d249bbf84a5e0e2ae08b00d61402f3a0a149887b31cb346eaff2b9d28eb762aabacc5a7acac

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
8c805f457f9bc2efcf6be52970aac468

SHA1
ae88fa824071142007ba16f4398e28baac75509e

SHA256
866cd2a8822ade026f69170185e8de298018d47183ac27185ac9bc83d668bcf0

SHA512
86c48a9af854e13b8630436042627c3d940252cabd35b90c81aaff8b78e211d73c7adf48aa82e18aaca6459ef9748d2d569738ece457e3f75539d77ac5029c56

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.4MB

MD5
f9ad909f8763fe2c6367f60517833811

SHA1
0cee19894bd1b196eac564c9e393d5a0f6243531

SHA256
53d873c4f8c1bb822f57661dd811fba443c4f28d85e3f9c2681a4161ca3c2aeb

SHA512
45ce344a4a4f3b02b0be9270d606bc91902ffa0d46fe831b45f71ad9f86a51667e99597efdb611eaa0b06a5b4e957b3510060a8e9aa86ab63f9baddeaaf194a8

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
1750fd34c8d235b43ffa0b20f7f2b6ae

SHA1
dcbc7c64578486524058e11501caa3d73b3c60de

SHA256
9f7bec67a00f5b1d62a30d379cf7015c0e159ec6f89ae8815d107e368746a4c7

SHA512
b316731ce0a825d466017e67c164710b60b265c7585d80f2b068e4cd6c5178696a6059905151deeb503c2823af6956365298188a8a914853c223e0eb137eb834

Download Submit
C:\odt\office2016setup.exe
Filesize
768KB

MD5
90ab6a5a58ac8d250eae277f44d0c27b

SHA1
e5edf021416771b28a9b65ff92ea6134ebe5f96e

SHA256
d2827134a421c59d370444f00f2d4b6a8ac1ba0b4cc47a5fd6ee71b3f5e22a45

SHA512
8110c02576930c5a7ef76a0ee01f472af5c4d6b168aebc5d6459b7fe4d816106d60994c7c8029640870942653f90f5b7b65daa4be45e62ced085ffb15ae2046b

Download Submit
memory/8-439-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/8-253-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/652-166-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/652-58-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/652-60-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/652-52-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1020-111-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1360-90-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1360-91-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1360-202-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1368-178-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1368-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1368-72-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1368-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1848-406-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1848-215-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2280-387-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2280-191-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2324-27-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2324-117-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2324-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2324-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2384-88-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2384-86-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/2384-82-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/2384-76-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/2384-75-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2748-71-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/2748-7-0x0000000002480000-0x00000000024E7000-memory.dmp

Filesize
412KB

Download
memory/2748-6-0x0000000002480000-0x00000000024E7000-memory.dmp

Filesize
412KB

Download
memory/2748-1-0x0000000002480000-0x00000000024E7000-memory.dmp

Filesize
412KB

Download
memory/2748-0-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/3100-266-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3100-442-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3192-418-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3192-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3684-240-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3684-129-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3876-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3876-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3876-314-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4144-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4144-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4144-39-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4144-45-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4144-48-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4496-132-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4496-252-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4520-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4520-225-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4596-228-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4596-126-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4672-437-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4672-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4760-110-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4760-13-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4760-21-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4760-12-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4928-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4928-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4936-155-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4936-321-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5036-367-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5036-180-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download