32b051163c443fa5fded1a8855e5ad9da9837f4c6afe2c4ff7d0f2f79bf41b8f

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
Size

1.9MB
MD5

18c78dfc24bb49d3ee22177bfef0805c
SHA1

50f25b75197d5e5117be139ca8c3553c4fd0092f
SHA256

32b051163c443fa5fded1a8855e5ad9da9837f4c6afe2c4ff7d0f2f79bf41b8f
SHA512

e4470ae213b7c9f7095f9e2d72a5f6a79550a5d13cf7819ebcf8a2aaedf008fb8611af28b2a784767e5616c39783840e7df25a1e156182306e118babcbeebe1f
SSDEEP

24576:B2lmh4RRX7bHsMQ4/O6yMLprOInyT/Swl8Mi9:B2Mh4RRXvYMLprznyDSga9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3104	alg.exe
2384	DiagnosticsHub.StandardCollector.Service.exe
3968	fxssvc.exe
3540	elevation_service.exe
1156	elevation_service.exe
676	maintenanceservice.exe
636	msdtc.exe
3320	OSE.EXE
4576	PerceptionSimulationService.exe
2796	perfhost.exe
1968	locator.exe
1624	SensorDataService.exe
4196	snmptrap.exe
4072	spectrum.exe
408	ssh-agent.exe
3112	TieringEngineService.exe
2740	AgentService.exe
2572	vds.exe
4888	vssvc.exe
2356	wbengine.exe
4924	WmiApSrv.exe
1480	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\db254d08b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0910648f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6957c44f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015492249f7adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0790445f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7c6a739f7adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0860c44f7adda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe

pid	process
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
Token: SeAuditPrivilege	3968	fxssvc.exe
Token: SeRestorePrivilege	3112	TieringEngineService.exe
Token: SeManageVolumePrivilege	3112	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2740	AgentService.exe
Token: SeBackupPrivilege	4888	vssvc.exe
Token: SeRestorePrivilege	4888	vssvc.exe
Token: SeAuditPrivilege	4888	vssvc.exe
Token: SeBackupPrivilege	2356	wbengine.exe
Token: SeRestorePrivilege	2356	wbengine.exe
Token: SeSecurityPrivilege	2356	wbengine.exe
Token: 33	1480	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1480	SearchIndexer.exe
Token: SeDebugPrivilege	864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
Token: SeDebugPrivilege	864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
Token: SeDebugPrivilege	864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
Token: SeDebugPrivilege	864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
Token: SeDebugPrivilege	864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe

pid	process
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
864	2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1480 wrote to memory of 5032	1480	SearchIndexer.exe	SearchProtocolHost.exe
PID 1480 wrote to memory of 5032	1480	SearchIndexer.exe	SearchProtocolHost.exe
PID 1480 wrote to memory of 1980	1480	SearchIndexer.exe	SearchFilterHost.exe
PID 1480 wrote to memory of 1980	1480	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:864

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3104

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3896

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1156

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:676

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:636

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3320

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1624

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4196

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4072

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:408

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2372

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5032

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
54af7adb0ed67e321370099204d705bf

SHA1
29bb91c465434d7b67d6fef8e95bb3dddf903d54

SHA256
2acfeadfe31d8fccb640f4bf9335f932866ea2871994f33a99dbe3b702e2c7bb

SHA512
a50d16b2ab57fcf908de5a110a4b6869616bee7176307c1cc61ab66baf87a95f4ce1335de34fc7808187d460aefa2ff49526573e710f1d8bcb84dff7006df59f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
0b9a307bbad9754a911035244afc7b67

SHA1
5a5b9a4ffa6973c237f10ea421020dc6baa45173

SHA256
5fc6f0e472d1bdcd034f323e7b2f96a027fd32099f5f4dc93121ea80707540a3

SHA512
0e06259fb8787c4b201fb5e0a7c4e39c77cd0e4a9fe3bde422dfc42cb8b6a49adb9e5c00b650c3a69c81c9fc48fd11514f4a68b784ab1dbf0f1c6c0b6f1007ac

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
eb989b1faa6981e97a1ebf91dd0e223a

SHA1
925f5ebd0f3e4855a685b0c43e7d756f466c5e25

SHA256
dfae5e4cc3c2baccf18844c5ff51bf501011ef42930202353c11d8d7f4523db4

SHA512
10b120e34a29c2f2beba6ae6f7cbb5eca0bf34dcc7e4e4cfea555b724e8301dd51bc58d32172a9850039bb63edfcc15e315cfb9ebb23de48eec51bd047a54129

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
4f5c207fb2b4980f3dc6420fb639ec94

SHA1
5ee433dbfda9e8269e08a4545318e2d1f3463df1

SHA256
ba19bf29cd3ff3c87f8ed4b533850cdc00ffb57d9472fafff4d089a51d1f32a4

SHA512
52fb225474a98969d003250e7d8826fc4593b509e401bbb585fd838f8423cacba8ef3e31785cba32c061ea0601595cefa237bc10d59bb8ab838e4beb20dd178f

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
3b449c3d4ff1773c0c5c4ecb080acf91

SHA1
bc30c6bde7ebddd85633b719de5d2b4116fb3dae

SHA256
cffd160d40f6c1c09f2c2319c56c37f5aaebefcc2484f7d8174f0d509cddd674

SHA512
43d03c975bb6a9023fc08e3c20b18ec9fcd984e3634c9cc8545e9a0f95b5b2497f5fa88feeef95dee2a92668492831b74b2cc57e02873e2a20736d25fcb7ba38

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
426d99996088773679b2e9a851ddb5da

SHA1
5ee1de2ce8d07f4d96fae6e0d63dd78e4208f2fd

SHA256
cc9bcdb457157977ccd6c4ed1a1b7d6df20be2bd6f35d9b02e7742d742504cd4

SHA512
5a5d20b1ba651600a2d9063d8c430c5543745a953e0e23aa7d16806b2c8efa568bace8ce4721a70b35a0f60513a045132fbc083846157a389c640c321f9f7b78

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
9567e806d299b41a90b1fdcb5c94ee49

SHA1
9809d1e6e2d89c3bf6b8e734ff145443798d09bd

SHA256
a7163df94d25e74ae6e9096d60e9492a60eb91c0fc9530c33e218a042e4c8af0

SHA512
45015abb688e664181068e683283995103f83b9e76eeee468bfa84e62832984ad66c2278acd16c51dddde73993972f6115188e6f6c73bc521bd276e93252c97e

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
f7d387e032c7ca60d649a3777999580c

SHA1
1088244ebcb0b8154287fcacf1024857457a25dd

SHA256
7b3cf15822a184d2cc01ecfd361f5ccdcef8737680868ebdd82bfeabd291eb99

SHA512
1cb1282fe27f790c8d0b3ca8f4b5e9df6c4713800df7c701275a6905dc1dfacd73c15aba62c6695a51c7be9757eff4653b491f1d5c4a5d7f8d4f1d3741ce15b7

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
1f9c5c0212ec57af46349b7ad5ade304

SHA1
1a39b9c1d9801841771644c56289987f40763d61

SHA256
6e0de6fa94415d7ee38a51a1f5ea0c2014d3406c727ab66684ca43163dfa975e

SHA512
53e23143f172ee4ed19f02494021b3fb1c9115471433c76a42ef5f61b7d0af4b1f5da927d9349f055fe51bd2256b8b8e61e113ff3450134cb037a107d576d439

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
e6029997be37cb7c4f9b6e5956b5b666

SHA1
c2ee6e1422ad88e3ed3f8a868f0405385182b241

SHA256
7bb279d82b6f8a9bce205b8a7be3501035597be80c0ee2961aa91434ea5cc758

SHA512
b922ab961eec19e655100fc169d212ede904731c408d98824f4045962e849bee443508cb704239b71b781026bedb8f95b54cd02d7ddf0e6d032644e2c7a7b969

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
9af742e84ccd0e29cd286561793ca5da

SHA1
f3121642af28263fe6a0f9c399fbc070441c662d

SHA256
0e2c6af1e289ed8b5d21eba919e4ac1e5e27896de3bd5462f38a3b7ce21f2be1

SHA512
52a4073bb4dff8267dc05ea88e782d117d637e44b9a364166cd40fd9fa252e15874bd83a39c76020ad7802d24d8fe453820cc9822cdf3ff9fd25e5b3b4df4772

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
17f68ad2c299d466fb6b75d13e43f9a5

SHA1
5a41eca23229cc0c73f5fa6421d6a8c5e4479ab4

SHA256
c41d137c0501418612d0897a955755f10a6ddec0d7f5afd79f1fbf6c2c6463ec

SHA512
0cebf541e6849dd6ce200997c9e9fa1eade02f2e946aa728fdc3b9028ae41621fa2a59e288513f95575db2e1f20e175cb365b883c8f4f8d64dfb63a7c3379492

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
9636adbc7873bc95c7c8c766094fa543

SHA1
69a5cdadcba861656ca2fe70442ad5e02418062d

SHA256
c6041a61249d29f9da249fd8bdd3d09f5d9c96774cbdedb1bae2cb4ee670d9bf

SHA512
a11ddcdf21aba833fc752ad872840daa2a3ede2677e56870911b453a8f415ffcd31700c2129bb46c446f83ceb273fc6a0914aac81bc5523d1790ab4d136dd7b2

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
bdf57cc9a5022a020e2c68477680e92d

SHA1
7c7290eb132ac4f826c26241a44a41a408a5b5f8

SHA256
6ff63391cd3a3346e3140834c9f5c4d642bd5ba5e5f673f93b614f73e4ed4a18

SHA512
5f5ae743fb09fafba217006cc3988f967d6630e40d36c146bd8d7e0161d7bf13c40b30d84483acf2b22bfe6347055ca76bdd5004d712945913a200c0125eb6ff

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
a8f4487c20b25fee2c6567830ce11c89

SHA1
6ea01c9d362dcf16dd5e00d410b3f0b580760441

SHA256
6f39093bed6bece39ce9bf783c18b6d6f73df619f32e2bef2e22ce9b9b5fc3c1

SHA512
774cfefa7bdcb5e6717308d06e337ffe27f07e48a3e0335612c077ebd3a633627dddebb69141d91257c0db93e063b27a29590bc8d22abca7330407779ba8768c

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
d961d1d3b4efb2a7574bd9f4f35289c5

SHA1
0e787dc709e843e0a93335e47c74ddd5ea9e0116

SHA256
c84dfcd098c7c2ee114d30d50e67ea67145fc4803ff6f2cbed908820641f7e97

SHA512
a90cd65078bafcd6a0ae03744ffe4010f861cfb6a326e5255ce0b4c3eca6f1a1760ccab353239238a5f384d49554fc9cd0996453202c68d23dfe5b8c1ed39c87

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
d5e812f1d92370641b04b0730807f167

SHA1
8b0fc3f0fc50256c03fb60cf48fbe31786ef5ded

SHA256
aa5b5ca1fc279e2f58821012ca9335871213fafcb93d5f15732a5efa7161adb6

SHA512
90849b7f67526029182274b5313ef0aebe191ab5fc170d6cf40a8088a264ba71914de06cbc31fdc68cbfeebd3dc9007cda3d0e3dc1cc07f79cb6567b05e5b2c9

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
92b7108b6c2c46e842cae277ded59ab3

SHA1
33ae56b4fab89eebfcd2a38b4475576cb04f7812

SHA256
10a5ad19d45524c3bf21e0f5375aaa7e15e8034597d52f9aa01d079db189c6f2

SHA512
b2154908dbb96493b645edda6a8edfcfac2187f0e4dded61b8df6da3f7e959b8626b935178bbc05369faada9a1c1cd8792f2e4220c72462c0329fe54e351867f

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
dca8074b85ff9b88ea983f7ff80d4ee0

SHA1
665666d633985e0bae7f761ec3f151edee50b253

SHA256
33e30cb22440de20734971c87c68a5cd66e5954d8dc304224dae2fe2878ab09c

SHA512
5ab65f677af13fd328b7f76cdea3a6c6df6cadc5f19ff96cd7f87ad5c8c33a40a75e36bb360a04cd75d63eb2dbb145db17c6e3ff205f8b93842458bf9cbde135

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
0046ceef004c8ad9df7a9b5e7acf0cf2

SHA1
c6e906287fef8b6ea80a5cae6f519a2af5250c83

SHA256
501650d9575a5c3774c7d8a74dcf44d27d2b82364efc292ba6bc7a346e28130a

SHA512
ee6faa7dd1dc4e8355c43260dcddd513fccbbb25e3ab3bd370e0251cdf3978bb7646843700cbd2f27c7cb96c29bbc56b52b1a19ff0217671d82038888af09f4c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
6889bd491b8fbb4e1d0f593927ce1703

SHA1
563f519d86b6e15dc7ad90168eb71ed23f923359

SHA256
60b3d364951685645b29d8f4bc6f437506eacd856a157a2d3c921adf42693832

SHA512
c95b497bcdb8d26078cdb142ee30192e99dbe1726dc2c530333bff2c9cbfccd8860216cb05b2071caa2bcebe54c95d5d0a950de7af9210d8b2ff685fe4705e4b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
2c98f56298c06bd9ab271a3bd5758919

SHA1
dc397e4c168899de34d99526becc2d4476a47d4b

SHA256
c40c5112a2912a82724a488b26accda01a7636be902fa70e1b613f616ce6f313

SHA512
220715b5436ec7db60c239f48a7fc623e3a00c7cc7c6f13e6879e849b30d9f3d5e062ed513a6e853c17f0fbafacaa94a7a21344ef9838a9c74af33e5dd09e540

Download Submit
memory/408-234-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/408-143-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/636-70-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/636-149-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/676-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/676-65-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/676-68-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/676-63-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/676-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/864-43-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/864-0-0x0000000000400000-0x00000000006C5000-memory.dmp

Filesize
2.8MB

Download
memory/864-1-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/864-6-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/864-7-0x00000000009D0000-0x0000000000A37000-memory.dmp

Filesize
412KB

Download
memory/1156-52-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1156-44-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1156-134-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1156-50-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1480-326-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1480-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1624-216-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1624-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1624-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1968-111-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/2356-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2356-307-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2384-22-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2384-16-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2384-24-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/2384-100-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/2572-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2572-284-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2740-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2740-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2796-162-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/2796-107-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/2796-102-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/2796-101-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/3104-12-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3104-99-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3112-146-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/3112-246-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/3320-74-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3320-82-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/3320-154-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/3320-80-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3540-40-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3540-38-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3540-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3540-32-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3968-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3968-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4072-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4072-219-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4196-118-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/4196-215-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/4576-88-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4576-158-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/4576-87-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/4576-94-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4888-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4888-299-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4924-166-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/4924-322-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download