0443e5c3324c7e5a019576f339794d0c89649e818394c1beef71572ae6679729

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
Size

2.3MB
MD5

93c1aaeb5ed4e135f5ee6e5dcbf26e31
SHA1

9fc4bcbfabcd66cba8afb7c1bc12b4b5b9b4a42c
SHA256

0443e5c3324c7e5a019576f339794d0c89649e818394c1beef71572ae6679729
SHA512

5938145e6ae27f5e3510f30b7085211571d833d999717f4b35fd1729430a498d21589c3a9ab16adbc9981dd0148993f7d27770c9c32399ac106cc1822fccbe69
SSDEEP

49152:DDD0FZs/Yl7dYUMQ+fCi6p6O8IFeII8uxV1XL4kDmg27RnWGj:3D0FZs/U73MQ+fCi6AeeT8uxV1XlD52j

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2768	alg.exe
4436	DiagnosticsHub.StandardCollector.Service.exe
4648	fxssvc.exe
3788	elevation_service.exe
1880	elevation_service.exe
2260	maintenanceservice.exe
1924	msdtc.exe
4312	OSE.EXE
1976	PerceptionSimulationService.exe
4888	perfhost.exe
4024	locator.exe
2208	SensorDataService.exe
1480	snmptrap.exe
1652	spectrum.exe
1608	ssh-agent.exe
3444	TieringEngineService.exe
2060	AgentService.exe
4788	vds.exe
4544	vssvc.exe
4912	wbengine.exe
2484	WmiApSrv.exe
2400	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\634aad1dc3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5bc13ad27aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000deeec8ad27aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000433abbaf27aada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e35b98ae27aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008958d6ae27aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000852e67ad27aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b1ddbae27aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4436	DiagnosticsHub.StandardCollector.Service.exe
4436	DiagnosticsHub.StandardCollector.Service.exe
4436	DiagnosticsHub.StandardCollector.Service.exe
4436	DiagnosticsHub.StandardCollector.Service.exe
4436	DiagnosticsHub.StandardCollector.Service.exe
4436	DiagnosticsHub.StandardCollector.Service.exe
4436	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2760	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
Token: SeAuditPrivilege	4648	fxssvc.exe
Token: SeRestorePrivilege	3444	TieringEngineService.exe
Token: SeManageVolumePrivilege	3444	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2060	AgentService.exe
Token: SeBackupPrivilege	4544	vssvc.exe
Token: SeRestorePrivilege	4544	vssvc.exe
Token: SeAuditPrivilege	4544	vssvc.exe
Token: SeBackupPrivilege	4912	wbengine.exe
Token: SeRestorePrivilege	4912	wbengine.exe
Token: SeSecurityPrivilege	4912	wbengine.exe
Token: 33	2400	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeDebugPrivilege	2768	alg.exe
Token: SeDebugPrivilege	2768	alg.exe
Token: SeDebugPrivilege	2768	alg.exe
Token: SeDebugPrivilege	4436	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2760	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
2760	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2760	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
2760	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2760	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
2760	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
2760	2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 6008	2400	SearchIndexer.exe	123
PID 2400 wrote to memory of 6008	2400	SearchIndexer.exe	123
PID 2400 wrote to memory of 6052	2400	SearchIndexer.exe	124
PID 2400 wrote to memory of 6052	2400	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-19_93c1aaeb5ed4e135f5ee6e5dcbf26e31_bkransomware_icedid.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2760

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:832

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1880

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1924

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4024

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2208

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1652

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2728

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6008
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4268,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:5228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
ab70218769aad63331d055d625934344

SHA1
89649facbee1ef5f147732f6a10bccf837f0e13c

SHA256
3692c00e7ddaffb0bf85c0de7036b9b91ef08c2ad823911995e370ac9059ab23

SHA512
292b234e2d15568032f910b3710e91564810356d6ba5bfdc558bd0156c6fa46f0e2c84f2d91a4b9ec1c5438021e66840b4b2814d23e93e7bfdd8043788ac84e4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
e1baa4290e4959de895297050a764440

SHA1
893ba570179dcb9f0f063b0241185fad4a3edd7e

SHA256
617e1d7003882f3bd46eb35f7db017e230e6c77cbc34d099fa550db29fdbc078

SHA512
c577068fedf77b84b1f9a4945bcd265bc99aeb8fba3c58a57380ecd1181192ae98229c88d333033b99727c06869a08033980f46f00d77b75487ae74bcbc792bd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
99e6a099faa29bdec47defde385a30f5

SHA1
4e75c65fcad82012af8cd719d213cc9337f017fd

SHA256
02796dee93583e6069f858910cf06b6480c528e14bb31ba4e0c44ae13c71058b

SHA512
0fc3e4a97562b4772463f48c28670970d9100f1fd3f500bce61b1a27245c02fd3a4e70ea2f7c6510287ce434dcd1a3d25a655285ff20ecc9ce8774b71d9097c7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3b5702d5f431708e4bbbe5cddfb02bbf

SHA1
77aed9508f3e93ce04566817b3b4b4b38f2b28b5

SHA256
61f4d8e1fe770a09e6f0ef49f45d367545a0c1ea5e5704bd654a44b4e123a4fa

SHA512
fd6b923045adda7d747a9da53165f4391db96a1380b4bb9f3d16774970162ca9fe916e5bc08504e4dd9c4a11386c1c06fc7f9e9ab78611caf06e60839247f2fa

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a8bc971ec572e2d9dc3d8dbf25dcf1b1

SHA1
4b836d802361d79e953534b337dbda991bf1fbdc

SHA256
f0933676856fdea16b0aa5b80751f32e6fab7ad7da5b591590e0006529616cc4

SHA512
c3d235a926254fcadcee29512084f6d6cdb69f8cff157997767ae282233365d9a3455a2b01bb721b61420ad11603859ab6a3d8e5becec26fbd22cc7e88f1ffd5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f93fcf8d91f6199d758b97aa7ddf3be9

SHA1
556077f085a23455f3ac95bddeec677db64a027c

SHA256
f86aafcbc0fc8cd2b431446c9d0d44b9582aef1334f021aec36d0ff36895643e

SHA512
435a534e982edbf5f1684c79c38aa40261297b9171fb873ee11551d946bb8867f3082b5d3c73700cdabfe0f6bf55811a23b20db12253c2dc9e0b1e5b37e34e2f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
bc62437c081c13851944fd3b48e12387

SHA1
254e556730939614df495ab31581951724ec7d55

SHA256
97b67d3b8aa94d462eb96ae5193cd0d122e32f40bdc3f2ad1e989bae17714675

SHA512
84827d0b635d10bfc6fb0c442e699f70e395a53ed570b596f24adf9d439ecfedfd026497196a6999f45e2ef459243f1d529cc8ddf3c753bc9c1c5b9d9d02fb6d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b74019f201ca29bd4cb6e80b5d3c7eef

SHA1
41451b25df49077107feb0522b4a6e4a9b5278f8

SHA256
4ffa3c804a9722f64fa259f26789232709d0a100b6c73c780b63d3b8ee6e1955

SHA512
00bec8d6621606d05f09381b47374a03440d600a92c09b914461f3af45158fa5f88f8b3f25a39435500fc57661401fe48eb500b51b8497fcb59714b89e608640

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8b25e375050d6603ed0856a34aff7737

SHA1
a31d34b840ac68514c1449b134b4168d523f5262

SHA256
27974a5384aff2e0e2c7791b55f66aa403c628321ff970df522affa11df64288

SHA512
9209f3d25dd309e3db564296c9d5910d459d6de7546605ff3b2451e75c1a1ef89b2a3505714bd0d5e79b151bb9f2e0fd75977fdbf67d38f038965ca4f080e211

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6c423f876dbcb44fd82d10515a0d8c51

SHA1
fe575a81155a18a224b618b61f1239c4ae0ef080

SHA256
b7440fa4c1e503b94c61b564ccb4ff418af9f7cb85430afd7d23ad6208589448

SHA512
b1736206824a33081ab197d660d5125cad0da32efa3a73cea9fadba091dd107413097eab94df118dc3b9a68448a9446e4d5df85eb0bc6d0cfed75ab927a6e067

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6c100ef902981e8fdc9bb997abf49ed6

SHA1
a30394e0451fe1dfacb731fd3180ca1781de3ccf

SHA256
25c6454c3fa78d6783d8902d683add9d3f2e0e5edf4ff5f6c87fc11fa04b2eee

SHA512
78d3fd9cb93a408980987eae16e89ed412296bc9a3bfb2e7a5d07b449ef38085b91a57d1739917d5e6b88d55f69d9125e5779a7113487b8124846b6598c5c2a9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e50ac1738a4115012d9d0f6129ae9245

SHA1
86c29837d123b2ed98f2e7804aaa9e066bb3c07d

SHA256
fcbc0d8e7b1ab889a76d130cb3e9efdbd211a9e2726a905631ce67de90823cf3

SHA512
55d198d0bec3a3f63509dbe7a7ba6b0c5f422fdcc003e2ec163e50a786bac02c6b8c9f81afcdf89cde69326b76930a2f1ffeb55ee525eae732e41decd4c3c945

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
272ed8970a533490d8b5a7e9c0755f33

SHA1
805c16873cec240acf9c495d9b846c9801899278

SHA256
9ce1ef6ff845bc149759e00911da5a835797011d75bacd8822e8f522a78f5384

SHA512
261b9db116c9d9aa4c88720497026468e1a5f1ad9e2d2163d5b025af331ea4dca4284a143145f85f8d3fe24ed47be51fe98037c784830068c1560023b7ef9f5c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
97561a48baca86445071a6590971cdef

SHA1
a20b93882dbcd69f9a743a1c0b8e4095338fe492

SHA256
8af29d1a08b58c95d125eb9ea1595d67be52fb95b8a8f495fa0ea40020d3048b

SHA512
d4a471352fd7a9caf22779e20e396470dd86c32d7281bf812dc0f4d68a364b7c0647b69346040dd9d85e372a35c108195a9fa297ae13e8c3fe39d8fe078288dd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
aa8ccc8c0349724e4f0124ff3c8ba1ad

SHA1
04d651982107fccb92a8c7c072aca16eba0b05c2

SHA256
9054d849451f7bc6940cc6fa362bc3df33f30dc4570df1825e1c0f35798b488e

SHA512
3ec4022e4ca979bd83b8f6f9d0336b2449b1501114a949519035526b6bf9e539e3e8af4ec975a42fec90469559cc04ab25815825e80c9e0faa715c64e500c29d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
04f7c95499841dde7b0c7962f5f177f8

SHA1
5544898e125de889caf07371f6e4d9c2f7309238

SHA256
609712507cc07e554ac0e1ab2ed9ea43f7b24cded9a76886b2772dea8a74fc81

SHA512
6e98e91c3abf504afa0ce2c00863b5a3360afc974dbf77251109bc482c79850ffbda36257b546c5f57c9a1c24345ed19ea9abfb9f573ab3e9a4b2bede72fe4f4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4d283e5fddf09670662f1a4e3cfad214

SHA1
558c6bb7eaac54b4bd7c240d2fd2bccc3748631f

SHA256
65384943f7e1ea8b42ff8c02ddf7226e40cc52d4daeb95696cf07c70ef1e615c

SHA512
db5892c3fcb0278a116c000a02afab07bc86816e0ce4feec42ca49020625e0ab7b2699b6e91dee713a17c1aaa1155256de5a643a8957585e8da586fdd0f34dcb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
cc6831d8f2f0991afc107354e8a26d8c

SHA1
51dd5e2128a4f5ca155b8350d2f6ee96e2ceebe4

SHA256
1d1a2380191e69ffd2043c0feddca66267b28ac5324080905c8eca511792c2e1

SHA512
3e6940a15f4dd1235cb8b5a4f4b3b6be196153e60ab0edcd9c9e2dad2f47488f2969db6e17df50f12191c681f1e47c3ffa39a214566f57508d2a66fee2d324df

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a99406ab174c52e947399ecfda9df1cd

SHA1
e2654635cdf15f2dda4b4ddf7849859c7cc83b77

SHA256
45303b9a7975da6dd7099a2ce6a0d421a4b331182797326f7918d8c5412b31d9

SHA512
2c73cbcec38e208afb9e0e5b3abde3ad18ffbb194078902338675674e34ac98e2e12b4adce1b740adb830e25df722ed9934fda65e810f132b4dcd5dd7a25c4e3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c1bb366192117404558066fb7a05cdc3

SHA1
1df531f222c90c6871a251e4232010d6181ceaca

SHA256
f8d9397c3fa90c0349804884b7daa86eb060c44d4d24fd2180a3b6dcf3fe294b

SHA512
6a1e8cb71716b4f1c8cfa7bd1cea485164eb642df2c0d3a2317aa0c7e6d9b2e51392d8be1f00e9d98955d8c241ad976d320e668f16ccce9c3bbb11c83cc16802

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e5ce409ee626d0a2cfdc0fcd87b4a00b

SHA1
f387e77608ad2f642fe047f42c635560db7a60af

SHA256
d7bdac46a0f3f26365df975977dba12fbc8148bdff9c0915c2a9e166a2b2c5df

SHA512
ea5cf19ddc68e58dc85b8f4d1a17a2ba8b1b775adaaa937e6f933a2cd76cfebfe53a35f7cddd1c2d3f7b4b08464aa94bd49252a98d06bc6375e3dee0b1be7a2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
47e760d4f148ba4954de9d3fc78a4c16

SHA1
315a733ff37bc9319bb09e1e734a5d1259b6a5cb

SHA256
dde975dba8ffcaac6aa990bc587f5358e0eb68defac2158b9a4ad53e8ab09450

SHA512
195f1fac3c180f0b888c27a0ec50f634229c54ea8287191c0ff5b2afb9ceb7fd373066cbf55121c9ac038269accd9c15f6cb93deaf7179b816c9a8aa48256b4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
a9b6e565a327bc7b0363c3b2f6243a59

SHA1
2212deba06bd5e50b16e9fa7c70e2203dfcdf6e6

SHA256
cc14db69171f29674550d739d426cc580b8a7826bdc96c1f947b51852d6d3e51

SHA512
ceb52b65ed344b248d6ddf7f94adf33bcc822714dd21e96d5386d6d3ed4a3b10d78b587f0ff460d856b459bd471984de6d3924b7b345e69361a756595c9e4057

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
df2ac0232e3f46e5fe1fc7af5fc44ea4

SHA1
01baf7dd7d07320eee4006c4f4f7da7dae82bc17

SHA256
c142edd679fa6abecb6e8491dc3af340f81bec22b9ed2cadd701c9cd5df9e788

SHA512
005c18145f08f932668201d28266e23900c045af674f2c76c5fd28de74192cfa6c9cc5bea130cd66832b104f5358d1932329312115e5315c9887ccb521285023

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
d21308612c3e01e2978c516a45e969b6

SHA1
b62da18388de1b7941e48a2d85337801c66f8b08

SHA256
c5eebd2ea921f80491f4e8813c5e85ae12d24753b368d61660308fa293ded061

SHA512
7cebc24798a96886e659adb72cb72572fd60d9805f7e66ed1b568c68ef29e559f07a21b25f16e0f70fec801e8ac47672e719fe72dc732153360e655e4b15dbc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
7c4d29bedd1575f65ee82fb829754a2d

SHA1
9c1a962f19b8cfc6440b61ae28cbea71185e8321

SHA256
0f9d21268313d201ab9b8bdde32cbe5d7ede51857433e69812da4fa473e984e1

SHA512
9682eaeffcdc8758fb96d6cd343980900e9a532e3828e27a7764fd7c0ed97854b362abd3f0f3209b84ffb8fbc30f2e51ee09120abcbc2d65d0c88cff21a8e8da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e5875758948c47ba33cb7cedfa7a9e20

SHA1
d8ea6246906c86058c649ee6bd51621a73eaaf06

SHA256
1fc7d87ffb8cbd8289b838c0bc5656440fc7437362331d93eda38046541fd330

SHA512
c39a4cfa64af3a9301958ee402e6992e32364934123620ec0f5da73916814ac5afd626a51704b28942b08cc17a8a329869486e858e524218f2cceb121515c820

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0b4e6fa8ec3be391a5db16259f61168d

SHA1
432d03397c6d386a77bf3f7b92863d2b84951d65

SHA256
1a4e2d080955ec64eab2d6ff35a81bde6cf93a25332ba2d0184eb9d5e7a78737

SHA512
bd4c2a7cd5a6807709d21fd23aeccf26a874495f8245fea7899b7ae96014d170c11b8bcf5b72807c1a703861603729c2730feb28676b4dbea072d7441bf72ef5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
84031990074946207c3ba1c16f8b5478

SHA1
8cb6beff3c9ad2bd15b6a05b10e1f50dfd8a23fe

SHA256
b93200f920645751debf163afa8187d1de10785e8389c665b5813914a2cebfc2

SHA512
861c196fcf4f959b5ecd3aa26afab84185a3b73f88f3a94c038ef17be0762e955b8c50a1743fd0c7f6e4d585346d28ac1f8a54e0e11b948838d0372d0cecc1ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
624520416dbca1b23d12a0e0ffac65d3

SHA1
23df4e90361f8d727894b5ef5d8438175c5495e2

SHA256
33d1068bdb854f04ac8ebc9c422e90da3d96b7d1163872152df50ecb3ae0f854

SHA512
a040af77f9093d3a0606ec7173131e4ad317fd56e4deedbcef4d3bc6589ab9572af3b83a1b34af0a5f84fad5efbfef4bf08db6abe0d1e1e32674d9722ea72f6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
374e26df83bb0a97bf2d525c22fa5665

SHA1
49de56cc1ff91207b7742b82163474f1815b62b4

SHA256
b08b35941515706d2583a0a29318d5af56bf8c99733bb38e3e8b13706fa033c3

SHA512
095cad2c18303dc22c79c43471be31c21714bc27a10624ed88ca319bf89c1eac780a18a15262d5208215d47b3a53cb9a8cd433923e93bcd5e4ab40e7032069b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
1e6b0e6bc4abe2765aa123fde7aea9c5

SHA1
f7f811972f942a52b709fdb6db798bc1d8b6c3c7

SHA256
1fc2fa51e9100719cc253fc4f324a30af5a113db3b94d38dc1a07924ca94c329

SHA512
96b03c6f22242169f742fd85f97a8965c43660e8c5181fdbddb07242481d3eba176fa42cc240cb18daa3ea688ad844ccc7d417f780648aecea6e101df38d4e82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
043d467d817276b2d0b87e9d1d24d61f

SHA1
24a2ce689123f92625be3ab429e85d89645ac191

SHA256
de81a9437fa55d9d9d6e0ccd8f99e1ba78ea02e764e8816fa0fa107f2821a443

SHA512
d9856b7b889134a5f8e9ffe2cc98b683720ee2199a65d8917cab2bc29ee452868e4088bafc185551a5dd21dae89cd4c251ca2304f932c3e1212b88e98cfd3eb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
ac490b1ccff1c36877fa0a04ae651f08

SHA1
185c4984426ef067f04ee3106c8d7907f1686451

SHA256
0817e1ea12d9535253da7b12abeda88eb73e4ad8c858c82073ea062dc6e20329

SHA512
e72343f4739201733f2fcac980a6c547b9b8dc1389d05fb14cb4d16de9a9b54465bb24cb9f14183eb92a2ff0c0b5487010b31762363630ded2083e578c3612d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
fc07b694462e694df02e5484b6cab546

SHA1
9fc1f67c4e1f2939daa7d99055aa6194bda003f9

SHA256
a06c65745e722181944f9a0da8d7388782dd795518edc764746bfc4cf6dcf28d

SHA512
99440a82dbb046b60dbfe8713e243bdb480c61a38bb17b5f8c1a6dfb9f7f548689e037dbadb2560f9c22bb8005af6729e0b525f3e98be441e0f697981039f77f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
6e703edf58838dd835ab98efa0029161

SHA1
69a330bd94b3cfe4241de070594179ce08773fc4

SHA256
cc336f98076664998ca3f7516262c52cbb1a8e19354a4e549f88ecd4b3f0bd9f

SHA512
9279d3b4cd73e4e5882b2363b56e521871059514e0fadffd475299f5beb61caea6bbce5ebd5ae80e7c10dd91beb52f23708135aacff89c9b0611c70b8a05a239

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
eb163025c4028e4afb03d0c17dd746e3

SHA1
4aa3afffd4c43cbe598ed1e52812b514c9045661

SHA256
2b9d2e9e8207036d5e9aa8820e1121a1ba32377d38f231b5c09866124d2931a0

SHA512
11c188025433908fc992922c9f78d7c3dba95d7c0299bc7d40975e449d1b081eb356aa560552820b5c81d67765f8a9b2968a5ac6b6f92d6499e31d6d219d794d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
42a6560703acdd8a1918dbaf3225668e

SHA1
87648f39403fb1027935e14ba3a5b948ac889784

SHA256
fee52c7786c70f0a2654a2e862e55d9e36837490d0dc3000e41eb28cd756b017

SHA512
f3430af00f8cfde35b30cafaecbc7247f191831705d1a21a9e15c2a24a62870decba7cf6069682ed0b0eefd85f2bd640eaf26ad6c5e39f577840924de19605a3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
897f4642c9e3204ffb1d3ce8da44e6a5

SHA1
a1479e7d2f756ef3ee00aa5611513606bfab6eb9

SHA256
3d4573c40b013ff39d8e61cc7a7ede20a50f51b4ec00edb854a36a7e128fc6d0

SHA512
a2ba2e8408d037e577fed13fa7f3bb4b5e77ed35fddbac8b23f467573ca5dc6a1021199219478502997a339943210db4196066dac692f1428527e9423cff99d7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
77630b2dfb58b16859d20f7d3fb11e05

SHA1
1e953f9aecefc61d8e1deb8d0a1d99f16a313319

SHA256
4471e432d5e15922d021d3998f72bd11b9661f68167da6feb01695507ccd1108

SHA512
3fb1f0678694f238f5cfbbd1371d51af63ebcc630a6073b1b0f4b5765d77bdf09d89cd7265724ab3cb13e306b251c8d69b7f22905cff6eca7e51c6f96702d302

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
012dd8fd7b90d0030e0cd9f7022fa616

SHA1
33c6a2c01be68e144cc67d315fa1f53def58c816

SHA256
42dc812192e7bd0e773aca9295aeac6ff635dbbd55a498a79489f8cc07518b2e

SHA512
c410f792d5ff047b37bcef0ee9fabb8b3fd97160a0239b875a7edba9a2072b4fbe64d6f84b7c3d20e342d258333cd866a3c581d341019d308e45c3aec0598fcc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e30f4d41d1518c153153673f8f27d7f1

SHA1
7364e289445689ba3892bc361a384f6e573af58a

SHA256
558d50f6a53f0f542d8d47a54c7ef77e78a5bc31d0a7626b94f6aab3405f6028

SHA512
eafbd9b5beb0f8801b15208bb4eb580d9e6e1d27a8de70d7ef7448b54c5a6cb48ebda8e209906f9e89168db32f41593f3479a3c9d867c8d84b6ab602b5915321

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a57cba10e6f7125d2303fc6713ee2014

SHA1
98f868b721f1f1ee6e42c768fcf01cc5c5ef2d69

SHA256
9987ef73648f1a7fa756866e8324ce9c9adc25c797a5fd89c4960697d2b7c53e

SHA512
88bffbaeeaca5f21333092afb7317fd2d1c79ba9918c660a3fa28e2766e47dbd45c5cf45b334920290ac426a8a6f45799a9890af7789bef7772c411c62d8a9d0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
61f3b0e63789f4f50fab5d96d5cb6517

SHA1
24c5a06998c886e53b4d544119d3e1935a803f48

SHA256
bd3d35ef3dc2b589c121cab51b1455c0eb087699b368ca19f068e54d8ba86afe

SHA512
b6de557be68bc56724de25915d5adc3f60587989ef0acadba8b4209577e412766dd024d108b07dd29643d51f7879a06377244a32e336516521e9fed77868c43f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0e94188eed721ac0020338e58fcdfad0

SHA1
06cab8a54b37a61dfb6c8c23d8ee1f60defbbb60

SHA256
816dd017be531f0b85cb371c547fbe2c4dce4042e2d55cb191d99b21c513c3a9

SHA512
31af9746f5cfa3eec243ee5f59e39ee554e148d78a5c15b302640c5ac20cdcbda7e85649ead3dcbb8902427081c7c89b29ad61e780ec766c0ad007e8a609c72b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
52ba187e7679d8a213ec415c6c9def16

SHA1
b659fab88a3f3e21698cbcddeefb585fa91bfe78

SHA256
85303a63e97941950b55f6850650ce86c5c96802442d7dd8d6f78ee68a9dffe1

SHA512
602aca6b547c09cb89801cfd5482a0271405279ff972caef0c012534bc540f63df95e85ace4a963e5dc58f9b5f0a8d427aa24a86667f2f2a3b6686984c7da1de

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4304e188afb6826ce08dcc6769675c13

SHA1
bd13decc26463310ea63897bebe1ecf93e477340

SHA256
1e8d7654cb5034c861224467a31d8f7d0de260e9ef3673b04c6dcd483097bb66

SHA512
85e0fb3d501955ad91843d034a4be997a11d90140e85ea46f9ebc5e1657c6c77dfbf51ab9ca87417df0be275b451ba7f181adca1dde93eb759c8725cf737f844

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e2e8e908a3493de34f4fedb2d4c29fb0

SHA1
184b7bbeba8c3a24af30178ee7ff09f120d9c7a9

SHA256
83186f176c366727966bbc5c73d555b5482db2961b6fa9fcebfa2eb9591c5e15

SHA512
23bc63255f2cb6215dfff62c44b10ce7dd6750484d6cb24b5c8ecb4e758c4fcbdb2fa3bb1d0934629540778b2a41064a5566a57a7b0a3808e99060c8e4bbcfe2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2d9bb23af95eec43ad4ffe8c0ff83aca

SHA1
cc106dd08f8485f9ab34c1435baa29830e7d6e5a

SHA256
614ca1d57752517515473fa6a69ad9e9012b59c6891bcc0307708ad8a4ebc8c7

SHA512
33607fd47ad423ecedbf0c0f20dc5cedf201b971f4a5ebf77bf3175cc042d7f89b4e6fce30c52bba8cb15079f5d97f129adf74ab84579c10f6f4adf1cd3e4217

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
06173053d5b794f943ada19187d81fda

SHA1
8cc7b5de6863fbd6616885ba7845000014b4261e

SHA256
6f703bc9f27881336c84e31d2942a38afb6ac52260da1e24b9ca5f04ed23ee3a

SHA512
a91bcdd81cafe774dfe11d048b096a5bfc50117a0d7938696d403155c68bc72df7d3936d1afefd5c6d5434fde4882e7c2e0517a15263cc96250edab372ca8cbb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
90c32fc8d2e27441dc877ba1bde5d595

SHA1
2276ea65fee0d2f89b0253d2167dd0cf0cb575b5

SHA256
2f8a89fa184fb78fb8c1952c6c92feaf6e0e110fa2f4b55e2333e5ccf26e8461

SHA512
029a3093a9b6e72454a6345d312451769fac53ad2032889cab1ff1218c0dcb1836642029658cfa1c63fc3bbc67b334ecdf3719d706194e62d0df0943d31d6708

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
cb9929b2e51710dd35cf3880fd6b3e5d

SHA1
e1f0265bfee45c57b8da483afe587f6a6abdbba8

SHA256
29f3121ca37717c97fb3574b87ec86927c0d4cc608a48a16606138d53f47d696

SHA512
ae278abe84fd89e8a7045b713281a7325b416f93294fc56ef9f7fde4930878141bf6f832f7c40c5f05d729527c77c63f3b488ce9780af49163806b21679838c1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b65e505e105008aeee5a4f12e46312d6

SHA1
bdb39c27e4d82d4a6385e454e50d1222597ad293

SHA256
8a2c0be4eb85ec211ff5c1b3b44b6ff30c6f1710e3147edb9efe1249ae3181af

SHA512
a34457e4e019f1aeef8baa0a0b7ba3b59e019ee658f6d075b2df14f9b83048d72ae46e6e91b6766e41aee13e64fec8914c4b5ee941599fee4d2efa8a53aa37cf

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
9e1eb62a291b59962ed7d1bdfe0dd9cf

SHA1
1fb7e769d354e7c57e79e67331167b74545cb35b

SHA256
91dcdfa41dd5d0f8ac1434a048b2a6673824716851842a777c415c75204ff034

SHA512
e26f5b0e95b80bb7694cb7630dfafce27c29fd16e75ffa6034217e98cd0f02d95e4f0b7bbfb707137943e142feb59790a95fe4291d835b03a85404331ac1f47c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ba0bca6c3ad13bb33fbd3ba37f212637

SHA1
a2228fef06e1b0469872d5e4cfca4cc423d45a5b

SHA256
e591e2573dd5dde99604a4e66dfe4380ee3c074acafe584f1f7a22f30b1954d5

SHA512
332ad645a2069f334bceb1b682d2a45d212a6707ee1dae8681af7a61c1396fd60e31cd105565c2c336e2c16013ffa52b3bb183af7cabb51f3f2018fe88dd792f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
96fa9c726b40c019db0160d32c921bae

SHA1
0c0d66814c8e2b10adc54461ae626cc9dc1f4431

SHA256
4b35357291a42af87975429cb3c3f7d4db268f03b90965b417e8fcd57a24bee7

SHA512
25b02efc3e7b577272568fe9535c5c954a1cb160a1c1db686e6a0b46de61d3b80c826e777a73d737813877a5157eb6d0f3c2c8b15bd71f51788bafea692d8dc4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
99badcf01e9c60da4cd0f6840e669798

SHA1
3ee7d17373c41fc6783bc253a0e129475b3b6535

SHA256
13b3dcc30567d62600900b62b79a67a4b26b3313725507f875ba47705745bdab

SHA512
a4455c46201af7ed3909c8361652fdf88586a7472ff22013f759306fc49db155e95eb934e36828e2c9940e91d20ef357021fd28fac89e64aafc4aec4f2d11d6d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7c3b32f90608c08341d188dd89fcbfb4

SHA1
fce26f17d4e5b0475de3e2a1740a2173cf9c506a

SHA256
762509827683a08b03f56cc1a7bf8417a97119f169042bcaabb60000f474cd54

SHA512
514e3ed6ab3b5904c87a13aab94238bfc02fd651ff938de5492df2c72cec0c5b7ad13e6776fd4e605ff29bef65bd4cd81e94a35fb078ff5af33005f02e9541fd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b2834161e1e99c22c6f16d0e709812a2

SHA1
1d8abcf2c4c70654a553de3e4a6c326ae0e410f7

SHA256
7508540d176b1f6031d61230c6158945c37767873248420fc1d941ffa043b4fa

SHA512
e9a40dbec6eaefaa5aecbc0d12db76a6c15f4cb283f4830ba4e157776d9d1d47fc8c425fa11f6fad7a67475daf14eb4c842e6089af8dd77e7f0f4e02188818ab

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
1f49ba9a4b748bc49415fbe1155ff5c3

SHA1
3e002038347addbea1c8f64d7ed3bb450762da96

SHA256
aa12fbb893b3dc016ffb39d1d67d89e2304f40cda285325956ee1a8550d0ba74

SHA512
8d3f17e6da466045e6db37e4f636ec69881abe3197568d50c269824f98b1f015276b9fa2f48c719ab5a5bbec07b56131d6741ba78115bc92be153bff44484e58

Download Submit
memory/1480-159-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1480-488-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1608-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1608-613-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1652-165-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1652-548-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1880-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1880-185-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1880-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1880-62-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1924-200-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1924-88-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1924-89-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/1976-233-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1976-123-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2060-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2060-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2208-141-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2208-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2208-529-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2260-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2260-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2260-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2260-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2260-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2400-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2400-623-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2484-622-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2484-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2760-8-0x00000000008F0000-0x0000000000957000-memory.dmp

Filesize
412KB

Download
memory/2760-445-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2760-6-0x00000000008F0000-0x0000000000957000-memory.dmp

Filesize
412KB

Download
memory/2760-114-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2760-0-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2760-1-0x00000000008F0000-0x0000000000957000-memory.dmp

Filesize
412KB

Download
memory/2768-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2768-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2768-129-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2768-19-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2768-12-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3444-189-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3444-615-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3788-164-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3788-48-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3788-49-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3788-55-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4024-251-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4024-130-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4312-223-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4312-100-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4436-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4436-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4436-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4544-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-617-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4648-39-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4648-57-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4648-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4648-44-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4648-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4788-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4788-616-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4888-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4888-239-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4912-621-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4912-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download