Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 16:26

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
  Resource: win7-20240221-en
General
Target: 2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
Size: 1.9MB
MD5: 18c78dfc24bb49d3ee22177bfef0805c
SHA1: 50f25b75197d5e5117be139ca8c3553c4fd0092f
SHA256: 32b051163c443fa5fded1a8855e5ad9da9837f4c6afe2c4ff7d0f2f79bf41b8f
SHA512: e4470ae213b7c9f7095f9e2d72a5f6a79550a5d13cf7819ebcf8a2aaedf008fb8611af28b2a784767e5616c39783840e7df25a1e156182306e118babcbeebe1f
SSDEEP: 24576:B2lmh4RRX7bHsMQ4/O6yMLprOInyT/Swl8Mi9:B2Mh4RRXvYMLprznyDSga9
Malware Config

Signatures
Executes dropped EXE (22 IoCs)
Processes (pid, process):
  3104  alg.exe
  2384  DiagnosticsHub.StandardCollector.Service.exe
  3968  fxssvc.exe
  3540  elevation_service.exe
  1156  elevation_service.exe
   676  maintenanceservice.exe
   636  msdtc.exe
  3320  OSE.EXE
  4576  PerceptionSimulationService.exe
  2796  perfhost.exe
  1968  locator.exe
  1624  SensorDataService.exe
  4196  snmptrap.exe
  4072  spectrum.exe
   408  ssh-agent.exe
  3112  TieringEngineService.exe
  2740  AgentService.exe
  2572  vds.exe
  4888  vssvc.exe
  2356  wbengine.exe
  4924  WmiApSrv.exe
  1480  SearchIndexer.exe
All 22 names are Windows or third-party service executables, and every one of them appears in the "Drops file" tables below as a file the sample opened for modification: the "dropped" EXEs are existing service binaries that were written to and then run. elevation_service.exe is listed twice (pids 3540 and 1156).
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (24 IoCs)
Processes: 2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe
All entries are "File opened for modification". Unless marked otherwise, the acting process is the sample, 2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe:
  C:\Windows\system32\msiexec.exe
  C:\Windows\System32\OpenSSH\ssh-agent.exe
  C:\Windows\system32\wbengine.exe
  C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  C:\Windows\system32\fxssvc.exe
  C:\Windows\system32\config\systemprofile\AppData\Roaming\db254d08b3e2edcd.bin  (DiagnosticsHub.StandardCollector.Service.exe)
  C:\Windows\System32\msdtc.exe
  C:\Windows\system32\locator.exe
  C:\Windows\system32\SgrmBroker.exe
  C:\Windows\System32\snmptrap.exe
  C:\Windows\system32\spectrum.exe
  C:\Windows\system32\TieringEngineService.exe
  C:\Windows\System32\vds.exe
  C:\Windows\system32\vssvc.exe
  C:\Windows\System32\alg.exe
  C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  C:\Windows\SysWow64\perfhost.exe
  C:\Windows\system32\SearchIndexer.exe
  C:\Windows\system32\AppVClient.exe
  C:\Windows\system32\dllhost.exe
  C:\Windows\system32\MSDtc\MSDTC.LOG  (msdtc.exe)
  C:\Windows\System32\SensorDataService.exe
  C:\Windows\system32\AgentService.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
Of the 22 executables in this list, 18 reappear under "Executes dropped EXE" above; only msiexec.exe, SgrmBroker.exe, AppVClient.exe and dllhost.exe were opened for modification without being seen running. The two non-executable entries (db254d08b3e2edcd.bin under the SYSTEM profile, and MSDTC.LOG) are written by the already-running service copies, not by the original sample process.
Drops file in Program Files directory (64 IoCs)
Processes: 2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
All 64 entries are "File opened for modification" by 2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe. Every target is an executable already installed on the analysis image (Java, Adobe Reader, Firefox, Chrome and Edge components, Google Update, 7-Zip, VLC, Office, Internet Explorer, Windows Media Player); the list stops at 64, the same cap seen on two other signatures on this page, so it should not be read as complete:
  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
  C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe
  C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  C:\Program Files (x86)\Internet Explorer\iexplore.exe
  C:\Program Files\7-Zip\7zFM.exe
  C:\Program Files\Java\jdk-1.8\bin\unpack200.exe
  C:\Program Files\Mozilla Firefox\pingsender.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
  C:\Program Files\7-Zip\7zG.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe
  C:\Program Files\Java\jre-1.8\bin\java.exe
  C:\Program Files\Java\jre-1.8\bin\keytool.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
  C:\Program Files\Internet Explorer\ielowutil.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe
  C:\Program Files\Java\jre-1.8\bin\tnameserv.exe
  C:\Program Files\Mozilla Firefox\default-browser-agent.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe
  C:\Program Files\Windows Media Player\wmpnetwk.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
  C:\Program Files\Java\jdk-1.8\bin\javah.exe
  C:\Program Files\Java\jdk-1.8\bin\javaws.exe
  C:\Program Files\Java\jdk-1.8\bin\jstatd.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
  C:\Program Files\Java\jdk-1.8\bin\jmap.exe
  C:\Program Files\Java\jdk-1.8\bin\jstat.exe
  C:\Program Files\Mozilla Firefox\uninstall\helper.exe
  C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
  C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
  C:\Program Files\Java\jdk-1.8\bin\jhat.exe
  C:\Program Files\Java\jdk-1.8\bin\xjc.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe
  C:\Program Files (x86)\Internet Explorer\ieinstal.exe
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
  C:\Program Files\Java\jdk-1.8\bin\keytool.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe
  C:\Program Files\Java\jre-1.8\bin\javaw.exe
  C:\Program Files\Java\jre-1.8\bin\javaws.exe
  C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
  C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  C:\Program Files\Internet Explorer\ieinstal.exe
  C:\Program Files\Internet Explorer\iexplore.exe
  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
  C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe
  C:\Program Files\Mozilla Firefox\firefox.exe
Three of these (elevation_service.exe, maintenanceservice.exe, OSE.EXE) are the remaining names from the "Executes dropped EXE" list.
Drops file in Windows directory (2 IoCs)
Processes: 2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe, msdtc.exe
  File opened for modification  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe  (2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe)
  File opened for modification  C:\Windows\DtcInstall.log  (msdtc.exe)
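The three "Drops file" tables and the "Executes dropped EXE" list carry the security-relevant correlation on this page: the sample opens existing service binaries for modification, and the sandbox then sees those same binaries run. The following is an added example, not code from the report or from the sample, that parses the run-together "description ioc process" text these tables are extracted as into (action, ioc, process) records and performs that correlation. The input is a constructed five-entry excerpt of the System32 table; the ACTIONS tuple and the PROCESSES and EXECUTED lists are assumptions copied from the section headers above.

```python
"""Added example (not from the report or the sample): parse flattened
'description ioc process' lines from this kind of sandbox report and
correlate the System32 binaries the sample opened for writing with the
processes the sandbox later saw executed."""
import re

# Description prefixes used by the report's IoC tables (assumed from the page).
ACTIONS = (
    "File opened for modification",
    "Key value queried",
    "Key opened",
    "Key created",
)
ACTION_RE = re.compile("(" + "|".join(re.escape(a) for a in ACTIONS) + ")")

SAMPLE = "2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe"

# Process names from the section header; the parser needs them to know
# where each IoC ends, because paths may contain spaces.
PROCESSES = {SAMPLE, "DiagnosticsHub.StandardCollector.Service.exe", "msdtc.exe"}

# Constructed input: five entries copied from the report's
# "Drops file in System32 directory" section, run together as extracted.
SYSTEM32_TEXT = " ".join([
    f"File opened for modification C:\\Windows\\system32\\msiexec.exe {SAMPLE}",
    f"File opened for modification C:\\Windows\\System32\\OpenSSH\\ssh-agent.exe {SAMPLE}",
    "File opened for modification C:\\Windows\\system32\\config\\systemprofile\\AppData"
    "\\Roaming\\db254d08b3e2edcd.bin DiagnosticsHub.StandardCollector.Service.exe",
    f"File opened for modification C:\\Windows\\System32\\alg.exe {SAMPLE}",
    "File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG msdtc.exe",
])

# Process names from the report's "Executes dropped EXE" list (pids omitted).
EXECUTED = ["alg.exe", "DiagnosticsHub.StandardCollector.Service.exe",
            "msdtc.exe", "ssh-agent.exe", "vds.exe", "vssvc.exe"]


def parse_iocs(text, processes):
    """Return (action, ioc, process) tuples from a run-together IoC line.

    The text is split on the known action prefixes; each chunk must end
    with one of the known process names, which is stripped off to leave
    the IoC (a path or registry key). Chunks that do not end in a known
    process (e.g. a truncated last entry) are skipped rather than guessed."""
    parts = ACTION_RE.split(text)            # ['', action, body, action, body, ...]
    by_len = sorted(processes, key=len, reverse=True)   # longest name wins
    records = []
    for action, body in zip(parts[1::2], parts[2::2]):
        body = body.strip()
        proc = next((p for p in by_len if body.endswith(" " + p)), None)
        if proc is None:
            continue
        records.append((action, body[: -len(proc)].rstrip(), proc))
    return records


def modified_then_executed(records, executed):
    """Map basename -> full path for every file the sample itself opened for
    modification whose basename later shows up as an executed process."""
    executed_lc = {e.lower() for e in executed}
    hits = {}
    for action, path, proc in records:
        if action != "File opened for modification" or proc != SAMPLE:
            continue
        name = path.rsplit("\\", 1)[-1]
        if name.lower() in executed_lc:
            hits[name] = path
    return hits


if __name__ == "__main__":
    recs = parse_iocs(SYSTEM32_TEXT, PROCESSES)
    for action, ioc, proc in recs:
        print(f"{action:28} {proc:46} {ioc}")
    print("modified, then executed:", modified_then_executed(recs, EXECUTED))
```

Run against the full tables, the same two functions give the 18-of-22 overlap noted under the System32 section; the parser deliberately drops a trailing chunk that does not end in a known process name, which is how the cut-off last entry of the HKEY_USERS section below should be handled rather than attributed to a process.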
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run the reads are attributed to SensorDataService.exe and spectrum.exe, i.e. to the service binaries the sample modified and the sandbox then executed, not to the original sample process. Note also that two of the enumerated devices carry the literal string Ven_Msft&Prod_Virtual_DVD-ROM, exactly the kind of vendor/product marker a VM-aware check looks for.
Processes: SensorDataService.exe, spectrum.exe
All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\. Four device instances are touched:
  [A] CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  [B] CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  [C] CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000
  [D] Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
Property subkeys opened under <device>\Properties\:
  [p1] {78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
  [p2] {259abffc-50a7-47ce-af08-68c9a7d73366}\000C
  [p3] {540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
  [p4] {b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  [p5] {cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  [p6] {51236583-0c4a-4fe8-b81f-166aec13f510}\007A
  [p7] {8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
Accesses per process ("key" = Key opened on the device key itself; "FriendlyName" = Key value queried <device>\FriendlyName; p1..p7 = Key opened on that property subkey):
  SensorDataService.exe
    [A] key, FriendlyName, p1, p2, p3, p4, p5, p6, p7
    [B] key, FriendlyName, p1, p3, p4, p5, p6, p7
    [C] key, FriendlyName, p1, p2, p3, p4, p5, p7
    [D] key, FriendlyName, p2, p3, p4, p5, p6, p7
  spectrum.exe
    [A] key, FriendlyName, p1, p2, p4, p5, p6, p7
    [B] key, FriendlyName, p1, p3, p4, p5, p6, p7
    [C] key, FriendlyName, p1, p2, p4, p5, p6, p7
    [D] key, p1, p3, p4, p5, p6, p7
That is 64 entries (33 for SensorDataService.exe, 31 for spectrum.exe). Three signatures on this page stop at exactly 64 IoCs, so 64 is a display cap and the gaps in the matrix (e.g. no p2 for [B]) should not be read as meaningful.
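The report's generic note says SCSI keys are often read to detect sandboxes. To show what such a check actually keys on, here is an added example, not the sample's code and not from the report, that decodes the enumeration paths above into (device type, vendor, product, instance) and the property or value read, builds a per-process inventory, and flags devices whose vendor/product strings advertise virtual hardware. The five input records are copied from the table above and labelled as constructed; the VIRTUAL_MARKERS list is an assumption about what VM-aware code commonly matches on, not something the report states.

```python
"""Added example (not the report's or the sample's code): decode the SCSI
enumeration keys listed under 'Checks SCSI registry key(s)' and flag device
instances whose vendor/product strings advertise virtual hardware."""
import re
from collections import defaultdict

# Key layout: ...\Enum\SCSI\<Type>&Ven_<Vendor>&Prod_<Product>\<Instance>
#             [\Properties\{guid}\NNNN | \FriendlyName]
SCSI_KEY = re.compile(
    r"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI\\"
    r"(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^\\]+)\\"
    r"(?P<instance>[^\\]+)"
    r"(?:\\Properties\\(?P<prop>\{[0-9a-f-]+\}\\[0-9a-f]{4}))?"
    r"(?:\\(?P<value>FriendlyName))?",
    re.IGNORECASE,
)

# Assumed, illustrative marker list (not from the report): substrings that
# VM-aware code commonly looks for in device vendor/product strings.
VIRTUAL_MARKERS = ("virtual", "vbox", "vmware", "qemu")

# Constructed input: five (action, key, process) entries copied from the report.
_SCSI = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
SCSI_RECORDS = [
    ("Key value queried", _SCSI + r"\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName",
     "SensorDataService.exe"),
    ("Key opened", _SCSI + r"\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002"
     r"\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A", "SensorDataService.exe"),
    ("Key opened", _SCSI + r"\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000"
     r"\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C", "SensorDataService.exe"),
    ("Key opened", _SCSI + r"\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000"
     r"\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009", "spectrum.exe"),
    ("Key opened", _SCSI + r"\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001", "spectrum.exe"),
]


def decode_key(path):
    """Return a dict with type/vendor/product/instance and 'read' (the
    property subkey, 'FriendlyName', or '(key)' for the device key itself),
    or None if the path is not a SCSI enumeration key."""
    m = SCSI_KEY.match(path)
    if not m:
        return None
    d = m.groupdict()
    prop, value = d.pop("prop"), d.pop("value")
    d["read"] = prop or value or "(key)"
    return d


def build_inventory(records):
    """Group reads as {(type, vendor, product, instance): {process: {reads}}}."""
    inv = defaultdict(lambda: defaultdict(set))
    for _action, path, proc in records:
        d = decode_key(path)
        if d is None:
            continue
        dev = (d["type"], d["vendor"], d["product"], d["instance"])
        inv[dev][proc].add(d["read"])
    return {dev: dict(procs) for dev, procs in inv.items()}


def looks_virtual(dev):
    """True if the vendor or product string contains a known VM marker."""
    _type, vendor, product, _instance = dev
    text = f"{vendor} {product}".lower()
    return any(marker in text for marker in VIRTUAL_MARKERS)


def virtual_devices(inventory):
    return sorted(dev for dev in inventory if looks_virtual(dev))


if __name__ == "__main__":
    inv = build_inventory(SCSI_RECORDS)
    for dev, procs in inv.items():
        flag = "VIRTUAL" if looks_virtual(dev) else "       "
        print(flag, dev, {p: sorted(r) for p, r in procs.items()})
```

On this input only the two Msft Virtual DVD-ROM instances are flagged; the Ven_DADY devices pass a naive string match, which is exactly why a marker list of this kind is weak evidence on its own and why analysts should also look at what the property GUIDs and FriendlyName values resolve to on the host.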
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (TieringEngineService.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (TieringEngineService.exe)
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe
All writes go to the .DEFAULT hive (\REGISTRY\USER\.DEFAULT, the profile used by services running as SYSTEM) and consist of MuiCache display strings, shell-extension cache timestamps and empty keys; none of the paths is an autostart or Run-style location. SearchProtocolHost.exe and SearchFilterHost.exe are the worker processes of the Windows Search indexer (SearchIndexer.exe above); fxssvc.exe is the fax service. The source is cut off after the 59th entry.

SearchProtocolHost.exe, Set value (str) under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\:
  @windows.storage.dll,-21825 = "3D Objects"
  @C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"
  @C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"
  @C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"
  @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"
  @C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"
  @C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"
  @C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"
  @C:\Windows\System32\ieframe.dll,-914 = "SVG Document"
  @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"
  @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"
  @C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"
  @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"
  @C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"
  @C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"
  @C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"
  @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"
  @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"
  @C:\Windows\System32\ieframe.dll,-912 = "HTML Document"
  @C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"
  @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"
  @C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"
  @C:\Windows\System32\msxml3r.dll,-1 = "XML Document"
  @C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"
  @C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"
  @C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"
  @C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"
  @C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"
  @C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"
  @C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"
  @windows.storage.dll,-34583 = "Saved Pictures"
  @C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"

SearchProtocolHost.exe, Set value (data) under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\ (value name is "{CLSID} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF"):
  {AEB16279-B750-48F1-8586-97956060175A} = 0100000000000000f0910648f7adda01
  {5985FC23-2588-4D9A-B38B-7E7AFFAB3155} = 0100000000000000c6957c44f7adda01
  {E37A73F8-FB01-43DC-914E-AAEE76095AB9} = 010000000000000015492249f7adda01
  {33154C99-BF49-443D-A73C-303A23ABBE97} = 0100000000000000b0790445f7adda01
  {3DBEE9A1-C471-4B95-BBCA-F39310064458} = 0100000000000000d7c6a739f7adda01

SearchProtocolHost.exe, Key created:
  \REGISTRY\USER\.DEFAULT\Software\Microsoft
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList

SearchFilterHost.exe, Key created:
  \REGISTRY\USER\.DEFAULT\SOFTWARE
  \REGISTRY\USER\.DEFAULT\Software
  \REGISTRY\USER\.DEFAULT\Software\Microsoft
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE
  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia

fxssvc.exe, Set value (str) under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\:
  @fxsresm.dll,-1133 = "Print"
  @fxsresm.dll,-1131 = "Route through e-mail"

The last visible entry is cut off in the source and is reproduced as-is:
  Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local
Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0860c44f7adda01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
pid    process
864    2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe    (35 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid    process
656
656
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
description                           pid     process
Token: SeTakeOwnershipPrivilege       864     2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
Token: SeAuditPrivilege               3968    fxssvc.exe
Token: SeRestorePrivilege             3112    TieringEngineService.exe
Token: SeManageVolumePrivilege        3112    TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  2740    AgentService.exe
Token: SeBackupPrivilege              4888    vssvc.exe
Token: SeRestorePrivilege             4888    vssvc.exe
Token: SeAuditPrivilege               4888    vssvc.exe
Token: SeBackupPrivilege              2356    wbengine.exe
Token: SeRestorePrivilege             2356    wbengine.exe
Token: SeSecurityPrivilege            2356    wbengine.exe
Token: 33                             1480    SearchIndexer.exe
Token: SeIncBasePriorityPrivilege     1480    SearchIndexer.exe
Token: SeTakeOwnershipPrivilege       1480    SearchIndexer.exe    (24 identical entries)
Token: SeDebugPrivilege               864     2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe    (5 identical entries)
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid    process
864    2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe    (3 identical entries)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                        pid     process            target process
PID 1480 wrote to memory of 5032   1480    SearchIndexer.exe  SearchProtocolHost.exe    (2 identical entries)
PID 1480 wrote to memory of 1980   1480    SearchIndexer.exe  SearchFilterHost.exe      (2 identical entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-24_18c78dfc24bb49d3ee22177bfef0805c_bkransomware.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  (child of SearchIndexer.exe) C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  -
  (child of SearchIndexer.exe) C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads