cc48129c4457460c4ebe6cdee9dc03789b760e92232f045ee404383dc59118ce

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
Size

1.8MB
MD5

af4829afa8b7ec1faf89bc0f7c982d9e
SHA1

681528afb2022682de588820c3b223136644e361
SHA256

cc48129c4457460c4ebe6cdee9dc03789b760e92232f045ee404383dc59118ce
SHA512

e64f282fe7286e78ecc4d03e442c33b743daae10da08d5be7a625d7030cc6ffd9b6828551f6b35ee6c00cbaa27805cb04190da36f7dca75e40b2965bd10d979f
SSDEEP

49152:ME19+ApwXk1QE1RzsEQPaxHN2/snji6attJM:x93wXmoKeEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3004	alg.exe
4924	DiagnosticsHub.StandardCollector.Service.exe
3712	fxssvc.exe
3868	elevation_service.exe
4408	elevation_service.exe
3168	maintenanceservice.exe
3552	msdtc.exe
224	OSE.EXE
4792	PerceptionSimulationService.exe
4812	perfhost.exe
4956	locator.exe
4980	SensorDataService.exe
532	snmptrap.exe
2120	spectrum.exe
1748	ssh-agent.exe
5012	TieringEngineService.exe
4060	AgentService.exe
4868	vds.exe
2344	vssvc.exe
4284	wbengine.exe
3584	WmiApSrv.exe
4796	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ad755deab3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081d039e657c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000648a28ec57c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000005d35f357c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064c923f457c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6a646f557c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
Token: SeAuditPrivilege	3712	fxssvc.exe
Token: SeRestorePrivilege	5012	TieringEngineService.exe
Token: SeManageVolumePrivilege	5012	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4060	AgentService.exe
Token: SeBackupPrivilege	2344	vssvc.exe
Token: SeRestorePrivilege	2344	vssvc.exe
Token: SeAuditPrivilege	2344	vssvc.exe
Token: SeBackupPrivilege	4284	wbengine.exe
Token: SeRestorePrivilege	4284	wbengine.exe
Token: SeSecurityPrivilege	4284	wbengine.exe
Token: 33	4796	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeDebugPrivilege	3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
Token: SeDebugPrivilege	3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
Token: SeDebugPrivilege	3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
Token: SeDebugPrivilege	3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
Token: SeDebugPrivilege	3012	2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 5496	4796	SearchIndexer.exe	122
PID 4796 wrote to memory of 5496	4796	SearchIndexer.exe	122
PID 4796 wrote to memory of 5536	4796	SearchIndexer.exe	123
PID 4796 wrote to memory of 5536	4796	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_af4829afa8b7ec1faf89bc0f7c982d9e_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3004

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1912

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4408

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3168

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3552

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:224

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4792

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4980

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:532

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2120

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2168

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3584

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5496
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3872 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:5276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
30c19aabec3b95a291a56b8cbdc4a299

SHA1
2930a32b3125d9176972b458359428a3a1614166

SHA256
4ff1c789b8c8565d4c6708bf37d91904ae0770ad980d38b5d91d5b718e666200

SHA512
56a21f8397b1c2390aa973dea8586035a91d450d1f62b65df74381184d9846608d94ed7a01682e84be5f159f915c9e6eb196357a7a107855f811c74ea6537017

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
7e7390d7075c55cd315e80ad59771c55

SHA1
d12c6b4c6ba8ed713e96909e36aac4bc14a87bff

SHA256
488f4dfbe760bd38c8f57b9582d391950e2e59dfea7098e394f1ae2d35bae25f

SHA512
38728645c56ae2f844e08e3f1c6f198c83d5074b7544a8b361f84bb261a7499c59fea44ba266a3abb7af67cd157d4027bc14ed37e31a8978e93740334537abc1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
685d977bd9cf93aecbf2b465475a88bd

SHA1
163a94ba4a60bf767e3b4add43ff8e27b343b392

SHA256
b5d5ed169be273e6f16a6d786654589a6c584500ec3b8305d4d213b532fab855

SHA512
6f9e82ffabb6565153bb943d1c4397dd3838e1a8965248597d7930e99eed752814f27dacfca92ed8612abbe3ee02780f2afd732c31d60a01b6877e6359f57260

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
de6e26bc673e080b3796088ac14cc320

SHA1
e6e900d6c09cd3c0a0beb8804eeff166c86cf2db

SHA256
151d7bac8fb79a1a7e47266229e411caa2051dc02733352e0c8b3df13c6346ee

SHA512
352c5ad34dae705009acc4eba80a4c014464171eb450dbabc78f508474df8e5675d2b7442f4365c6c05d966ecb0fa1fc6460480ff2cc0c48b23530b13a110845

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f846f4f3dfab65def9f6ae5951b9eca8

SHA1
a383600174735195598a714c4fdb7d799dd23c07

SHA256
2c37fc7e22a843045c5b985ce354650643a071d15b8ea8c8d4832b98ad4d11d4

SHA512
f408ce56cad98e68e8b98bf33942c0463ca28666b185a68d2ad72250833a3ac6020757735a8ba2bedcd7660310beacdd5bd4b24172df54001634d28511f8e758

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c27d73a288e8f171a93d10dd94f17db8

SHA1
4a938ec24f2b99bb38726c1740ac7e7d1f16e871

SHA256
c37ac0494732d31bba476e221a4c1049583427a8407f3eaaf3248ce56495dde6

SHA512
a3f29b6aef71b0667f1b72e6cce26ba59d67584b4833d528ea3e1ef98919d26140b64209c2e9ac7b79717cf3af49603b993b7e82245fb356f07d3e2d3bdde0f0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b4bec9ee2dd0a4b938137366a574ad86

SHA1
5e6d77b92ee1beef10535b1adcf93da9b1e6710e

SHA256
ad8e57e32e3ff6816dcd1dd346f29d41c48c064b83a1ef45afe599859868d86e

SHA512
923f88706f969c1f2d8cec87f5a596127a04e22c281cd957c5b360f937b375eaac8f7aa8b010dc38dd4c8be3b817f2cce089d4b5113d462380bca601c83e7143

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
46c404991a74bbf7632940cadf6b9c77

SHA1
f7a023872dd84b8e7d91e6c9be028554c258d35a

SHA256
3b922b034a812e4bf46c5150bc4607522e6391ec2d9c1c7c65def501889b856b

SHA512
ff7a37515b39a3b9af20cb7414d637edfa0cc7171998db39adc396799ede6a184165323c22e2d7f11b56dd4fab2e0cde2d16357b0fcff378520c4fadf1c7119e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
0a334399afeae618a43318c87109ad20

SHA1
488a7652c423243f0c92a00f1cddcaba735b972d

SHA256
549912a84a74bb1f1218dd8d6c36b2e5378d2ed7d95d5090c3a84fd1469b2901

SHA512
2046855069623afb1b06f5ff05351ff6b06343ecb80ff3d4aa927fe02eac8223be3d4aa5fc6ad5c0e1d4906e6d79b1d1f4f657574246e88139962ae85a88bf44

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
dc89a27c71552217f7e1671201023455

SHA1
ee431b47bed8937214819443824b12dbc499b91e

SHA256
6451de4403565a7976419433d06381c44bb5c68467a27d9d409f257e1985300a

SHA512
246f4cf2fc1fde85f7f45098d6795f17e735f9157b914a674d9cef9a882b4460099cd00f69ef5571d8d8ddc6c51a04ac2a5cd813ac9600dcea86940bab675546

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
1674eff0c3e7d2f972eabe4ff8855789

SHA1
97832307e353b4db386fda65a9bf6bacb1319c23

SHA256
72b6efea243ab041af7b7119b4f33557d19030427da348d1fd9a550d654a0c95

SHA512
223418f8b3697bef7fafaee12a74bb6e10ed0f202ec0a0d7ea71a4887947c2a8f75320cf8778b394c27b826bb18abfcae9b6205eab16e7e14fef6f8fdf81e44f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
feb2bffa68d17b420453f1d646de8836

SHA1
2968adae70396a3041612a3c63afbe27905c1e13

SHA256
9b9148563cef9e7527ccacd6deade3f26653780d121d0916a7f5f127982da6e1

SHA512
7227933acfcb4e5c3ea77228c59a049241903346ddba5b618817c40e7a537f8d8f2009f48ee29525c536d8b67ae69863fb0809de803a0825ac78a5fbbfd7c7a1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
08203db77c82cde0f8a6da9bf778f8f8

SHA1
00fdc3d608ae48112771092d693abc376559f1c7

SHA256
9bcf866453695e0ae1d15b9a863d89981ae7bf9b30ac5ced399c64274927eff3

SHA512
35e1d02257caa7485e38edc39e8fafbd872eb740c90e643ba1c06130319e3d662b58b084ad43f5c7f9425ca594d72c8017fe77246342172af475e328a132ee94

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e2380df6a7570b728bebed3b7733e7b0

SHA1
9d99d9cb262ba3584e4875e66f00a6309da87d56

SHA256
34a59deb2cfe32312555148743fc2e65959e20da0e67cf09b096fa28bd4ee98c

SHA512
ed9e957ce1aea83ae3ce633cd1015ae69d8ef744174f693c48881a92f813da85411098cca25a4e9a19492bc74d5a9510ffec9a43877da5d78cd15f2282b49422

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
09fdd8c9239673d1c4aca8fa8347dbdd

SHA1
96ef92e625d796d0e90afb3f7540be9381373f71

SHA256
b18315e01d533476d253a4ec01f5046ffad60d3977cbed1e6f59393d4867209c

SHA512
7116632a2ceb2131dd07bdeaec32cfd5e07edb384bb27aa833acc4cce401e792cf491cb615ffa8aaa00db3993a009066132f6e5fa5015f551867266551c6012f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2381f5404c0157b51f5beb662d6c30ab

SHA1
188479e477ae0b00a6855297934af8e8b49d4fdc

SHA256
6061ecb576bdcc73123a9bcf9fafab58c7b2f5a61c273b99b5ef64f5ea54aa25

SHA512
5a32807719749f3d2f283fcaa45e51fc7e742d9bfd436260b56c88180db56886d76871c47d84e79e0de9614c81ebf5103149d954a25122390d2b3df016c3a08a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
4b4788c19bca0ef4a3c1aff66d618367

SHA1
c7ae7070f81a1c423bb2a5714fbc33e3b21dc5a8

SHA256
a93bf369bc0faa2571a871075b561cb6c727bc989ba5b0694b66c01d5d536a67

SHA512
54f90c79c0b32273ff274b8756c8c9b955959e728c731193a70a47a262c2083d753a723677151d366932cd76a6ed373198a10db9374001426ba7d3c6249bea40

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
dfcc894330d40826a023367bac33daec

SHA1
106b81561679ceb41a488b70ec1fe236b7e2bd2a

SHA256
ee73bfc45f594f9faf7f291d45592f2459acbdd5505adb8609ff171be14b18e9

SHA512
0eb2aa062960035821b0f57904f0da4a26b15707df02114281463926ec8836327eb223cbeeee9f1ce0dcbc48cad64682b6a511f1f149d1f65799c325ef9afdf8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
9dedce7a030876669e2fba34b694f46b

SHA1
054dea1fcc8a787e107e949b12c52198207ae588

SHA256
0fb44b6ee003fcd928c39dc75e3e4e6b64d9fc9aaa7a16e2b6e0d77e030a46fa

SHA512
432ee82472499c5deff680c51aa10191c225a22bb1d26b724116498b0b5b7592beafd8e5dcdc7533c2f93f3dad8d49c88d12c650b448d231b0369fb4fc1b30e8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1fb3a8696050187506f608bddf973f6e

SHA1
7d48399e66e2b5d38c79499319fa9645731a8d19

SHA256
3c11dfcd84bd82980c7a4d4528a447dbc4b816f4f6175432c6ef1cb05dbd57d6

SHA512
bf4a0545e21715daae32a1db14d8960187285efa7fffca3d96459c51f3fd6115b4faea237f9be95b7962e91bc3999fc10a0ed6dda3a7286654b22401206361ca

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
328b6083c07642d44e7ec05450540370

SHA1
8340dd8587382304c090b5a7cc3edda7a10ad723

SHA256
5b409fb65d09debc50ca5cf0f43eb68ad3e5a5c21eca3455708771df8b1e9ea0

SHA512
31fa80f5e031065ba05d3a1dd734bb0f9d72e879f4a14ad546c1411abe66f396db26144c88c8ed6783b503a0f5bb4b94cf3d76a38b920a4fe35b874c9749964a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1c60ed7edaae4c127ee3265d5c3b3441

SHA1
7d3c4f43a93c3ba5040f01fe1c6720692c1d1d35

SHA256
9e05fe1202c09b7442b0e69d35fbdeccfb806ed0a792a0336db07151bcbeb2fe

SHA512
d3aedb8902c353df62dae1ae3d9e21ca071587efa95ca01d7c7c841730e1c42b91134293131947c1b7896e2fa6005b62040e0d898275f839534eb131d386a517

Download Submit
memory/224-223-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/224-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/532-161-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/532-325-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1748-185-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1748-351-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2120-335-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2120-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2344-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2344-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3004-19-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3004-14-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3004-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3004-103-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3012-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3012-51-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3012-7-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/3012-6-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/3012-2-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/3168-82-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3168-86-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3168-84-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3168-74-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3168-80-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3552-208-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3552-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3552-90-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3584-260-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3584-428-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3712-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3712-46-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3712-44-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3712-38-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3712-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3868-60-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3868-59-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3868-52-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3868-172-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4060-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4060-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4284-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4284-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4408-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4408-184-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4408-71-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4408-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4792-235-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4792-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4796-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4796-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4812-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4812-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4868-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4868-399-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4924-127-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4924-27-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4924-33-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4924-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4956-259-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4956-138-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4980-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4980-328-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4980-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5012-197-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5012-371-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download