Analysis
max time kernel: 143s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 11:17
Static task: static1
Behavioral task: behavioral1
Sample: 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe
Resource: win7-20240215-en

General
Target: 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe
Size: 712KB
MD5: 6ae569ae52a0812f67d914e1f4703423
SHA1: e96fced988304008e30e97a834abfa8589b0364d
SHA256: d33978001acf7334879c8abfaf815471fc8f04ec45812de899e6d81597422d45
SHA512: fe340520d927d9a5e96d9ca2c457639c4564e65202f7d5f8bb0d92d947018b313c9d2137ece76540c65db353cc42f55c5bd73140012c975a079523d9f841d8b1
SSDEEP: 12288:9tOw6BaoGZFExQZsVp9c6kH9ZcoeCzS0cUpUpONqHEtKfUAsLE5:n6BdGrExQZ+W6kd55S0c8CO6bcbE

Malware Config

Signatures
Executes dropped EXE 22 IoCs
pid   Process
4288  alg.exe
2820  DiagnosticsHub.StandardCollector.Service.exe
644   fxssvc.exe
1968  elevation_service.exe
3592  elevation_service.exe
3744  maintenanceservice.exe
5016  msdtc.exe
2012  OSE.EXE
4944  PerceptionSimulationService.exe
4348  perfhost.exe
2992  locator.exe
4804  SensorDataService.exe
4792  snmptrap.exe
820   spectrum.exe
1652  ssh-agent.exe
4740  TieringEngineService.exe
1532  AgentService.exe
3036  vds.exe
2040  vssvc.exe
1392  wbengine.exe
4180  WmiApSrv.exe
1976  SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 24 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description                    ioc                                                                        Process
File opened for modification   C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe   2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe
File opened for modification   C:\Windows\DtcInstall.log                                                  msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description         ioc                                                                     Process
Key opened          \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        TieringEngineService.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
"MPEG-4 Audio" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004053243883b2da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 
2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 672 Process not Found 672 Process not Found -
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe Token: SeAuditPrivilege 644 fxssvc.exe Token: SeRestorePrivilege 4740 TieringEngineService.exe Token: SeManageVolumePrivilege 4740 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 1532 AgentService.exe Token: SeBackupPrivilege 2040 vssvc.exe Token: SeRestorePrivilege 2040 vssvc.exe Token: SeAuditPrivilege 2040 vssvc.exe Token: SeBackupPrivilege 1392 wbengine.exe Token: SeRestorePrivilege 1392 wbengine.exe Token: SeSecurityPrivilege 1392 wbengine.exe Token: 33 1976 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1976 SearchIndexer.exe 
Token: SeDebugPrivilege 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe Token: SeDebugPrivilege 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe Token: SeDebugPrivilege 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe Token: SeDebugPrivilege 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe Token: SeDebugPrivilege 1384 2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 1976 wrote to memory of 5224 | 1976 | SearchIndexer.exe | 124
PID 1976 wrote to memory of 5224 | 1976 | SearchIndexer.exe | 124
PID 1976 wrote to memory of 5276 | 1976 | SearchIndexer.exe | 125
PID 1976 wrote to memory of 5276 | 1976 | SearchIndexer.exe | 125
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe (PID 1384)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-30_6ae569ae52a0812f67d914e1f4703423_bkransomware.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\alg.exe (PID 4288)
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (PID 2820)
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
- C:\Windows\System32\svchost.exe (PID 3088)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
- C:\Windows\system32\fxssvc.exe (PID 644)
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 1968)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe (PID 3592)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
  - Executes dropped EXE
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (PID 3744)
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
- C:\Windows\System32\msdtc.exe (PID 5016)
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
- \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (PID 2012)
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
- C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe (PID 4944)
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
- C:\Windows\SysWow64\perfhost.exe (PID 4348)
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
- C:\Windows\system32\locator.exe (PID 2992)
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
- C:\Windows\System32\SensorDataService.exe (PID 4804)
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
- C:\Windows\System32\snmptrap.exe (PID 4792)
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
- C:\Windows\system32\spectrum.exe (PID 820)
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
- C:\Windows\System32\OpenSSH\ssh-agent.exe (PID 1652)
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
- C:\Windows\system32\TieringEngineService.exe (PID 4740)
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 2272)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
- C:\Windows\system32\AgentService.exe (PID 1532)
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vds.exe (PID 3036)
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
- C:\Windows\system32\vssvc.exe (PID 2040)
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (PID 1392)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 4180)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
- C:\Windows\system32\SearchIndexer.exe (PID 1976)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\SearchProtocolHost.exe (PID 5224)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
  - C:\Windows\system32\SearchFilterHost.exe (PID 5276)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
    - Modifies data under HKEY_USERS
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1056)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.2MB
  MD5: dab479f3101403131806c957b4f84723
  SHA1: f038eb347a46145fc9abf57848e5f3d752d4b515
  SHA256: 34e11a2207c6e40307bf8d92f873a332621fa4ac7c39638b068f0039fb95fa2b
  SHA512: c78efa1c5ae158072871ab56d25f78a4198dc1119fa5570623ee81152139385565c8372fd81ab072b3b16754f09bdd815f82f693c058432427645527f9eed43e
- Filesize: 781KB
  MD5: 5f2003ccc1ba16a854b9efb2c28a2159
  SHA1: 1d2ddd4c1fed74d53ddecd5d5eb65fa07db870b2
  SHA256: d8db99e741b8b71b9ecd1910c47a4dd8842423161c19110695cd613d16d2a54e
  SHA512: 4f2d9da0309aca4b920a6fbf3f04d4b799806530d2a64e2639cb62ad19907307fdffa3676f9759c80e7eb0d50cfd6ff3c39949c5587c56dd6a0628c5982c1a58
- Filesize: 805KB
  MD5: 912d724ebd57ba7f99edd7e8f8ebbba1
  SHA1: a62d7673ae5ee3cb0b544105ae4bf2dd2c770ba4
  SHA256: d5fff89f0d1467895b096c69090c25360c584c7b37370588f9263083ce8a5806
  SHA512: 96a2c6f1a722bdb7eb99fb8b9087cc193a3662a7375660d9bb138375d6a2e2067bb9f81abd4a8030934cba53f98597f01a091234f2f31135abf4b1f1c878bc32
- Filesize: 2.1MB
  MD5: 0cf80571221599b9dbdfe130fa5c11d7
  SHA1: a767341f208223212bab5bf55f4fa2ece2f553c6
  SHA256: 4c2c2e3dd72565798b87188b0ad1712723d72757fd15a4a6c8986dbcbc5f942e
  SHA512: 748e93c6de8fa4bb61c65ec33b8fdd412551047c3a9df823275ea2c22be401a1a7a71f57c03c48ba0b4fb872f6931a7b89e6d1447760059ed8a371a70218d718
- Filesize: 588KB
  MD5: c3b103828ba11edf58ec3d7dca52503a
  SHA1: 79de462d5c84bae2150d41118c9f6356c6d105a6
  SHA256: 4406f9f961cda0e6c3aeccd2dfd37bbaf484ba132a0c759b2fd982208c843ee0
  SHA512: 40871e23b801f95b9dab0b81ba1120084e25f0932a22b490eec0a45552345655e54a539fd56190c36ac063c1ee1772d86607f12101318f70d1d3068f29b9c548
- Filesize: 1.7MB
  MD5: 9e359a303eb570ea1bf0fc0b4349373e
  SHA1: b4032488525315fbfd94d582b8b0cc641ba1f03f
  SHA256: 988fdbff3194d6f361e4d6a70444842ea8a4e5a6f02e0575923355da812df452
  SHA512: f2b3ced38f3e18d608eb07b38a4e972b79a9e8b32e3aac604a24398b548c205a5f4d0ece1014131e7bf23e382b8070ce82331fffaf913401620827d2988b3176
- Filesize: 659KB
  MD5: af0641136dd3d755d9fbea75290fe553
  SHA1: b1fbfe143e84b5e1569e3c690ce3110f3ce2e9c1
  SHA256: 36905ad42b6f5d93200da88b38a9a7c51efe30197ec7d37178bf4a2ab65733b5
  SHA512: c836a07a2c80a5ed8c45ede412c9999e297b432e98240832f01154a570b26b881e5a4efea03835e6038fe6d1f4f80d60da2279ca4a632038dbeee69fdf59966c
- Filesize: 1.2MB
  MD5: 4de6a04209990c98a366a9ae2ca4fab7
  SHA1: 3f1ed312f335ad3cc2bc6d81118e65f13a16f000
  SHA256: 5dfcee4cdbfd3180db56a8485ecb8c3c47d79f7b1f20936bd4253199bdeda55a
  SHA512: d638c2be2e3f88ac91c10239bd97548db60b021b174c176d0e316fd578065cc993ec4c0a54f8089ad1f4785ac27a202af82436fb565dc91b234f15a4bdb2af4f
- Filesize: 578KB
  MD5: d815a6ebf9d4db6214c24892e0c020dc
  SHA1: 442e328d8b7b74ad2785053777760b4b46f31ea3
  SHA256: c79f2b212a51e4b634f370fcda1dfe67c64bdcf122084e748a00749c965a55df
  SHA512: 084e6e4c737e40772d4f225f1170dd757a2154d1761d5cb6e6dc6a2d35c989fb2d6ee22779b4a40cec4b40afca7bbcc18b4c460b48859e515001feef238aa27f
- Filesize: 940KB
  MD5: 6128c2e361df60e169a5a8b4debb77dd
  SHA1: e3df5339901af405e5fe96cb10e0602c4440ca02
  SHA256: 380ceabeccaff7968cfdfec2a6ed78251f1f40b0d82c58e4a4857a1358a53e35
  SHA512: 12cafa96754aca3bb407eb47a451ff1b1a43b8f237391a968d8f93fcae08a4a33c7c98c4bcf6255f02566924d40e5f3caa0e7a9216293c79f185e46ca5589dd0
- Filesize: 671KB
  MD5: 994fee069868798bfe01787183128a8f
  SHA1: cb8621436441cc2700b79ef5b34bc7d7bd097106
  SHA256: 40709a83c7d6787dd5916b4dc1107031e874f2f93d6e903f0b8349c2b140ec27
  SHA512: 32e930eb41399f3106561f671e75c5a58408d18881d2d58b8ef8d0432ff0545d39d3ba619048931883235223447b36ec456ac54b6c95e4185958cdf73125df1c
- Filesize: 1.4MB
  MD5: 403a38b84fb68a9b810192eb8e723f65
  SHA1: ac95eee753c7d2a068d1a3e2a91a4f3bded3dd45
  SHA256: d59cbf3dec82141c5227154a407209049cb842d97ce6d7597892f961ebcc6acf
  SHA512: 5b64e77c91fdc0bab420e253c5202bde07c684da7bd74d9956edad7550369181c2f1b1f4e916c2465b7712fc50adf3dd64de9914fdcb4ccf38ed3f4206a08773
- Filesize: 1.8MB
  MD5: c5bcd80c1575c43637650524f82a14f8
  SHA1: 5abb7bf06b4a0f21d51ca7f48d6d789cd62526f0
  SHA256: 6d0344e0cc8923613239b1f3da064e07eb8b2491a015b6762ed40159c6576e6f
  SHA512: f4229f1324d31e725323c1f79b789507032c633e9bd5eda08830a56a38572caffeae31cfef7e306befcd14d84805e3651967a78c77a860f355746000907fef7e
- Filesize: 1.4MB
  MD5: f5bcc775118da73d5aa5f8342624ed8c
  SHA1: d455e5009240ca01418c0f12cfe916a0f71c1b98
  SHA256: 891c55eb599d5865d4996dfee1f93c1adea4552a41b62c0e3e0da640a0ff3a46
  SHA512: 554757aa27a3e943b841627301c26f2e456197f73a253af44d5d4461f1d33c61feac0e118962ae8f3ba47ff5fc05d5eb876817ec599c1b637a5c43c21d02648d
- Filesize: 885KB
  MD5: aab8d53499fbf9245224200d2084848c
  SHA1: 6d08b1ba74d300308a9807f061e0c9bfd12ca097
  SHA256: 17331380f8a7c7c126867f9f385c6d0b3809283823dfdd5da82b6870ae7458ba
  SHA512: 985e4b06a8339f51f42dce26fa47dfe5a58188494dc54c7b768cd272c0437b9366c0d4cde2adc4058ac14cdd56c431a2db3b45b855c5f3ff985c9e3f0fa9c2af
- Filesize: 2.0MB
  MD5: 3023475acef7082f9cf08aacc93568d7
  SHA1: e7b223e07cfe543bce68a1e64a24a1b9df3febf8
  SHA256: 09fab29cd35e1d3bb6951d16562813b2bb72068caa7558f09e3826d16fc7a3d5
  SHA512: 481d0a2bb69a74654d4fc2ba14edf4b44ce10cff834b58a55af93ed9e01e0f0bbbf4661bd5b29923246b90ed93b036b0ee846242767aa634f0ad749db3d5d62e
- Filesize: 661KB
  MD5: c212711ec7ec60321e222cd5fe1115e1
  SHA1: 9ba5e3a8076e1752aed7896f144307b562cc6dc7
  SHA256: 034380dab25317a1ffabf086660c6265f462e5b8a47b4c59b5e98621a6fa7165
  SHA512: aa757fbfd315166299b47421fc2003217825c58ca6e8e20822d73ee3a1b7b5b5b4144676e6a308d57cd5348623dfc26a5cc229dc3c482037ad1e957448288671
- Filesize: 712KB
  MD5: 8235e6b3560d0ede3973d3296209ef16
  SHA1: ea84601c9fbad62df32fa5c481c19bdb2d9f2c1c
  SHA256: 35dd9fdded22635c97151127769a185d5925f97e5950543b4aca9b405ccfdfb5
  SHA512: 71f7f7f7881b356a333cad7ff312ac34fa7a99b5917bedd8a1105c3bd56bef285c16ff51268f6d678113c9ec24a8f0b6bf638b493dd261c00a298fc99a210dac
- Filesize: 584KB
  MD5: ccb9c61d76cde990cdfdaf0fdb81b249
  SHA1: 7e4c5ee43b46dadd0e66e4a02a0a895af64d203f
  SHA256: a6ce770ca057a7da89e71d37d7c442d9e300f10a03592adebc8ebf85c8fe5c81
  SHA512: 9897e7fd273b2e7da402b2f0f95208d364b268c7801fafbcf0303d02c896bfab94e41ae217505b45d82875a4b40e7af00fd2a7d12e3def533f75b486f77f1b18
- Filesize: 1.3MB
  MD5: 5cef30be1ce3ca480458910c48de60dd
  SHA1: 72ee30cbcf9d44c34e2efb0c8ff651bffb32f891
  SHA256: dd88bac8ed7dbaa9e74b674a16bc6d0637bd435e7dbbb34a957b466f506f18f2
  SHA512: 361940d8d47290622866eb28b60ce90a8aa84fb83c48a2fbed4ec8a36cf5b5a761929712de5ec00f5b070cdf49f90196d92dd135ae74eb9edde8c01916f474ea
- Filesize: 772KB
  MD5: 213eefda8de84231e3b783f738f5a174
  SHA1: e5f60d0d738fe057ba9f17d930bb6307f3f1c884
  SHA256: b0220d60b2ffe01d8bfc014aab981f5ef52fa236a959c99d3fac845e60fd6b62
  SHA512: 718727cf4b23df5734377e051a88e458fa151767878f6ca02faaf1cc3c0b991602aec9db45730a424db1a6add9f03dc4184f0c1d3832f71f02a78375f4159f33
- Filesize: 2.1MB
  MD5: 74281ec9361cc6c68a13a2596e8f704e
  SHA1: dbb378d23a8439ce972a5f751402afd64539c947
  SHA256: 3f7a2837d78bb17e78e8fb5acf7bc4cbe1dfdaac2d9ffcfc60aeaf4e91735d99
  SHA512: a577b1434e702dcc44c09f656ca68072411df0108198e462183c86e0dbcfb30637799c0b5e390f2602a9ff7ec15c6371c8ca587d3e34239ab4df2573e87bb9a9