ac192f71406b17e5fb846e679f49eb1ba57562fac29c4ae598cf2c5421dc27f1

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
Size

2.3MB
MD5

e545f02ea7ca780a48c3315e8ef59c24
SHA1

af772e67cbcd4084886efb32f8b0dd5e3fde9e2c
SHA256

ac192f71406b17e5fb846e679f49eb1ba57562fac29c4ae598cf2c5421dc27f1
SHA512

f643d2751f318b590fc5967ac92c9b296fa8800db0a25906bdf9faca103d12bd14e7df31d431c4337f1877999f30b54ff360e2e221bdf29fe6c59b89e7d43b5d
SSDEEP

49152:tDD0FZs/Yl7dYUMQ+fCi6p6O8IFeII8uxV1XL4HDmg27RnWGj:VD0FZs/U73MQ+fCi6AeeT8uxV1XeD52j

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3256	alg.exe
3968	DiagnosticsHub.StandardCollector.Service.exe
4428	fxssvc.exe
4312	elevation_service.exe
960	elevation_service.exe
4484	maintenanceservice.exe
1736	msdtc.exe
2020	OSE.EXE
4292	PerceptionSimulationService.exe
1228	perfhost.exe
5040	locator.exe
1352	SensorDataService.exe
4012	snmptrap.exe
1416	spectrum.exe
4736	ssh-agent.exe
1084	TieringEngineService.exe
2320	AgentService.exe
3036	vds.exe
408	vssvc.exe
3228	wbengine.exe
3568	WmiApSrv.exe
3552	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\aaef4c274521e136.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\java.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f39823206e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bec4123406e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003edfc53106e9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004834a43406e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053777d3206e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c18b333206e9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045c54d3206e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007eb23a3206e9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062ee353206e9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052634b3206e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be9c843206e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3968	DiagnosticsHub.StandardCollector.Service.exe
3968	DiagnosticsHub.StandardCollector.Service.exe
3968	DiagnosticsHub.StandardCollector.Service.exe
3968	DiagnosticsHub.StandardCollector.Service.exe
3968	DiagnosticsHub.StandardCollector.Service.exe
3968	DiagnosticsHub.StandardCollector.Service.exe
3968	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4624	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
Token: SeAuditPrivilege	4428	fxssvc.exe
Token: SeRestorePrivilege	1084	TieringEngineService.exe
Token: SeManageVolumePrivilege	1084	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2320	AgentService.exe
Token: SeBackupPrivilege	408	vssvc.exe
Token: SeRestorePrivilege	408	vssvc.exe
Token: SeAuditPrivilege	408	vssvc.exe
Token: SeBackupPrivilege	3228	wbengine.exe
Token: SeRestorePrivilege	3228	wbengine.exe
Token: SeSecurityPrivilege	3228	wbengine.exe
Token: 33	3552	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3552	SearchIndexer.exe
Token: SeDebugPrivilege	3256	alg.exe
Token: SeDebugPrivilege	3256	alg.exe
Token: SeDebugPrivilege	3256	alg.exe
Token: SeDebugPrivilege	3968	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4624	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
4624	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4624	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
4624	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4624	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
4624	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
4624	2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 1500	3552	SearchIndexer.exe	112
PID 3552 wrote to memory of 1500	3552	SearchIndexer.exe	112
PID 3552 wrote to memory of 3068	3552	SearchIndexer.exe	113
PID 3552 wrote to memory of 3068	3552	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_e545f02ea7ca780a48c3315e8ef59c24_bkransomware_icedid.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4624

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2192

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:960

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4484

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1736

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1352

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4012

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1416

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4676

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1500
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bdeb2e4f04557dcf4bf7173c4efb9bd0

SHA1
8db5cf326b186d942f0524062729cee3dbc12e31

SHA256
8707256f61e97286e15bc6db5d1ac69b7161cd91c3b27f89d4c3af65e00360e5

SHA512
fac25e99045e335860dfc037d765a781e5a0d46e29e7429030b0b65e42353d89134d615457526287df59c18372ee8be8aa541934dce93973e1f6e781c7922b26

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
ef531dbd1c2d56053680cbecc8f469fb

SHA1
1cf6559ad4e7d98fcad0d954be1aae97b9187657

SHA256
19de1a5893ec64847b825beef22d652a95e6598fe7d0e323571ad5f8bb8cbb72

SHA512
98b458e9056d3d4d467c76f8553984d6bfe84c1a6a09a213914d9f4a6c4319238eb2b23189acd87c79af5dfb35350d0b94a2372ae7603191d7e7f702dc605405

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
67a6c73a5b5fac27ad96b43f5b29fd13

SHA1
df54aacf17c0404204c5b5acca1e4fea3e4fb5b8

SHA256
65407c76d60304bcd6c38079c99897cb97eed0641f5b96eec562b20ed978414e

SHA512
1d54da9049c484999173f06e7fc6a8205438d7a3adf68a261e07ca3fb7d480629e22b7003ad69342e5da810ed44a6964dbdb83229bc918b846e2071a5e2617a5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
84c229d88842c738f880a1749a4e0b4f

SHA1
cef3ddae0e575be806e7057e9244541bdb6bfdb4

SHA256
7baa93a1684eaebb1bb1a0f0ca58bcc2158e57fc0c659a3c3d151e61db593499

SHA512
70dfc7255aa65a8e59c6d953e11b1f8da5713aefae5bc7cbd6212e4f9cea6d53bbead880f14e9cf1e9ad9acb80a455bc4aa66e559070d555f96a7e9419f10e77

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b2c1cb3f8224c88d54e1fbd6a918cdaf

SHA1
7b439d2da89502345694c5f76e67a360603295fb

SHA256
bf47005df7716e19c395f209887748bbcded5d2cc09674cacd191ea4313e8eeb

SHA512
cb141070e7924fc2833c2c20408d726cf7abc3b38101c5c7bbca471285050a75facb976c81cd46d3d0f2122b4d6e26a2fb36dcd796a72b73e07dbb2a42f3aeca

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
c038d80728ebeff363662f3e614f4b7f

SHA1
9d5fbb420e7e86d1b63830099579615c2c3fd86b

SHA256
f9309a91b794bf8ff8168c391f2cd970569d698c889ebb84d02322cafd1f4db2

SHA512
107b6ddf0c11df51820ecf6f668e810dd603d9a86c2b547a27572b1a5427017a930c7a58e731bd1413fd130913258ab6b38eac603c434ff94a1bfc529003008c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
18ac4efce41cc11a791c8857f3eee9c3

SHA1
ec698e621d00530bd4c38ba27bee345d99d0dae7

SHA256
e992e02b0e0e9d8b4c05aa145d22e69d3e41175998730514f42c79c3f6976b0b

SHA512
41e2234a777335640b75767741bc36ffe1665ec476a192cbfce4c7960648e815304267e0748eb09ecbae52e2027657b620fe90b91ffb6e6c486c71077f229e3b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
efdab68a3264e6b2c5395f19e39fca3a

SHA1
e4e0f16ed6460cda6a9762a550f038a917ff7ec5

SHA256
fae3864504d05bd56c778c148181015e4fe80d99ee11a81a9103a53a6a53f6e0

SHA512
e440397cdf3551c37b3b67e5cd174156c95f9da7708c6a77b1fc20faf2446f6f179abf1d37a9fe2d0dc077b090c786e49efe090db4351cda40ca2aaba55323ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
fef480d8a3f6d6e4f3a8d2b0a3399a00

SHA1
9ed12104b7eef44ccd3d96ba097aaffb0da129c0

SHA256
0c5b3b82b9b313a4a1ab3fa6c84d001bbf2a0a2a395642adabcca93e1fea8f78

SHA512
b074d9c3a29c852e3f482378758ec3739e4948d9183f8e4691081f574e6bf9a450d1fe577436a2b43a329a66f8129aac5e9f331fb1357d22b0916cf311531798

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0c09cdce392da646ec50875e7f3e1962

SHA1
e9a0bdfee441995701cd90f2aab89f5cec3353f5

SHA256
1cc1e0c9b29a0c74bc33dd6f397c6b0cbcb010cd8bb45b095945abcdb4f0aee7

SHA512
60abbd4bfff069371797d7191cb3be298201e3b26d3ee395c3f15a397749f90582891a31c1dac4248b181dc8727607593e72c68dc50e1a6c25cbe8f9f5ff7180

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a65a9add46bdbb9da5a955063d953b36

SHA1
fd94f9c48c99aa7c7c0f21eac17ca49f990cc1dc

SHA256
a75f704a2e7f821fd70bad7826c90608d90830fe4c846e27aa8cbe3e8d82694f

SHA512
07efb7ce9fd2206fcb07e05ba5e986736b815331c6b18be369319f15422f64331a3d82875dd8b87fa1f8221c4504132a8897fd2708471b7b0cd3cd8c04e7acb4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d42871c6090833bcc2d1ada167ac0efb

SHA1
da19d5375ed57dec6bcd2b5eb0f7d946395975fa

SHA256
57bcf4810273831fa68a1afa298f7506a8d3c7e7d76b085b2f371944bdc32451

SHA512
d25ba288784e722994e8d5f5061836de4d9aa8acfd3fd86daaff0521e1e7ea37db61203e7742b3f817fd2dbff43e149c19faabd76ebd7b8b258eab36207235c7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
ebb3ad6cf1bdd6b1d1e05eb9e680f039

SHA1
b380c2c7d0dba293e9bca7c6f83e578290d9d4e7

SHA256
356aa12b2ac43b42dc263dcf9e70b35535f0655e2d02417a05c36e6f0ebbe219

SHA512
2a9fb9682c1e807df25c31c638c9f2ccd194f8932a1c2e892ca19e893d76853f4db228fd0a0e107fec29b8cc5c23ae4445b53edfdadd7b5a1628612a3bd81b9b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
b82baec4ebb041cf21ba1a5eb408fd9a

SHA1
a4aa68b2be0261ad221bc82ecc36340b849dfece

SHA256
c308e40e8f571218249140246f57dab6bd1347abffcb3c2a68823e8ae983237f

SHA512
9ae35556785d281c38fd620af8928056ffc57349e9c75cc0e616b7c78a9518c5d98b35a6d892041c4c3fd633b46bd9091ea5310f174dfaf2016d64d74840d682

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
8ab8b5c83fd0a455466dd8577bd162fa

SHA1
d14bdd5874be105457dace9c6f67020c93c9a477

SHA256
7908c8aede0f16ff728741eacd558aba305a1eb026e3cad28c7eb25207e8a000

SHA512
c8a437c12d283abcd5f2da59207ff0c48771fe081542e07f825813dc1bc9de032353cdb09ee5bea04b0089ecc6b2abf34805b2f86b4379865563ade5506eccf0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
fd3af87adf5018834549f5592550c751

SHA1
f165831428bb56e0bffc8ee6195a0b692ffe7d04

SHA256
dc27f0785d4a3a8d88dd36adf3b86fb2a2ebfde9d8e991ac5ed6503c887c1e66

SHA512
5c375f2c33c52e03cfab3a0bf5d818dd2d96d403547a941c92db5251e41c6c4ba831612a57f2e6fecda69623604acc90645166807ea6997c378edea9e8236ae1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
f59d9048e38ec7a19976d18c5b50fdfa

SHA1
0f018e8d7378edcdef81d11cda7b33b41fe8339c

SHA256
365db115efda63fa3280dde729c774075fb4dae522055ee8567e3bb3bc69c813

SHA512
49b1144d5731c4dae9eb81a668ddc770b87eef0d623a3643dd8a1b1a5bc7ccb4c8e872cb35730aec8da3fe02fb65b72fc08e8e657dec2c86ffe5294f21bf53d3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
1b02e2be5236c6abdacb5f8f5c1e9df4

SHA1
88eace12cbe031047d6e5134425d71cb20d29a6b

SHA256
d17f8bff9feb2bbe2025456f82a03c7bf605e92bfb31993ec9ab90c7d9e56464

SHA512
bed3d730e8d0046cbc3820da727e225e1ef58984114e2c904ef3824060afd9b590e75d605c7268b2b8b966039dc5f59b2c825f4a35d4449c8bb465e63bbd8d3f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
00817ab3f52b4e5b61996c83ae494beb

SHA1
fc092fad5fa96c565ef151b6cdb4938687432e2a

SHA256
3736f794b82a5e980f0ab8ca7ecf322fd8ea586159c08935d24d31e56eec1ea2

SHA512
5e8e930681e589e89700795d6e39698b117866d9d60607b3b81a8d67463fc3c701591697fa9faa3e1dcc10377b71313cd0743c24ca1b70c774e3188b6cba44c0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
91f4b1e1559766e74f0a35d303e751d3

SHA1
686db0f730ca79b0cd5e2fcd21e7c3df4619880c

SHA256
1df2826650da6ba717d51a20edcb2770e57ce1da719e3b1772c360fe30ba7de4

SHA512
7c73303681abc7057c1337dfcf996fcf735fe09e77c3e658360bd9b510545425c3d0c402f96fb2ea278b2a7e961c757078a2c0375ddc4b90c33eed408d936830

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
28edf5698ce857cb20c533ca57f484c7

SHA1
2d5e96da0d4403db314abe7d6bfe001a6dc669e3

SHA256
7db22e3051f90d43cef5431a73b0d3217f1eded07242827a049e0ce8c11d7df9

SHA512
6774858f3bad7fde3c4f219608d25e8ceb47cae866e29208b46e0b3af3640361b16df66f6f2d12162758c856db3708790899a65da4937f2939ac6e1ec701a43c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
e5fd87cb73d6ded6d3605bd5ed467911

SHA1
509df81d9af9e47b666d04333813b31c7bbffeac

SHA256
c7c7b2f696663b15c5fb8d08de85c8d26c1c1d51d3bc9953e33e498bc1ee4be8

SHA512
723a135f60bb2d831b682f8f3e5438fe4f224175be26b2e530c8e9508492c26aa02c40330eaa5020d88907c27bddcc56339037923bb08f18325b12fcac062ef7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
04ac87277e7837a07667c5cebc58abbb

SHA1
effd26c5eef27ad923657fa883fa683c692bf6ca

SHA256
b16e791ffd23742d8fa4c8850037c9e2ff11ecf2d7ab4476e61eae4730e6186f

SHA512
c186463cd4173218b434bd07b7b2941ae4f9b611647f906620a7daf972a4cf7c9cc67992fe5ab17d584a66278a3b0de04bd38cf7bce23f2ac6cedd99e60e7342

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
4a3c8916fd7a766f070e9940806ea7be

SHA1
4dd0515d92959a568cc696f4e7d1ada7db0031a7

SHA256
66f3b79775c7f97c0d9274b61eb86df39acd38d4d0c1d4b53c2cc34f14e70581

SHA512
6eadfdd24175a714248ff2422fc9a7fa69ddc1fbfdaf77fcb9f0195bf1262acd38a7be1be4a1b1f7d0ff6b3cb1051cbbe2fece886a3b38ada92751141443c1ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
3690584ef13ff8b0d9cf41da739de299

SHA1
8035736ffc32917c8f002dd5cc944db10194974d

SHA256
cbe2e4f0f264b462653883f069511faa9f2f2d76358dd8bf3a2d3f86b7c0445c

SHA512
a72e4fec65fbd2d5d9c326c305477c29e161c596015df00f199267d30b8ba70b64d184f16f1506ea4c45c4f990608d7a4af9330e34e4386454a55b1ed1aa7ef9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
b2d44710bd07dfdcd2fbced9073977ee

SHA1
5c6218bb3e8de1d56598536cfe0ff332e4aac5e0

SHA256
aecf8c6321160cd155338aca0d1220c8e0c246f93e83cc97f77cc344370d6a6c

SHA512
e6c6e925f4a29cd5a3e37d06ba596b403c8d8aa6d23616150d154ba3b05eb316b574231808f709a92d2b7c823c6be8d144d6fcfcd727b732d78930fb1c77b36d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
52bace644f806537c2080853fbce3626

SHA1
62a6ab5d58f3f38255c21df775310b529ceb34a7

SHA256
94ab9b877ae5fdfc221d65183b09b735ce9f8ee8f99edff570e9d0168b8e99dd

SHA512
1afee3e453f1935a48c1f41a9103dae42237e9caf845cf97d0b1b30bae1f768405da19822ba089be8ad6e920dbd9037ee7a1141f9e1ba7989b556a9058d17f53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
a97cb58049191acf38c5353572402214

SHA1
1980bf9d0761b63ff5691ecee1d47ba2ba3b06dd

SHA256
601a6ae8ac3fbb4b2b205451320214fb88312fc6f5b0cf49f94da9d131f1e37d

SHA512
dc309cf87f139f5900a0a47758c9d7c66f62aad53bf1ae7c44066cc76913f615c705b085725de65b13792e8e36fd38861b3eb19f42c1c7d3eba3d87a2837e33e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
27a3e9119f8d9deb8cc07c0aaf39c9eb

SHA1
3266eb43f5d9852b56738e780be1b9bd33d0e593

SHA256
aaff5a967efb57ece06e91c8dc92deea895c9c32da2672d3c51ff5803e59bea1

SHA512
f3f41377315abbe61a321f62daa6796dcf3dc534ac3e46d97f06f010d7a9a6b8942d61affb8f219892c4d1ad22d196dd7bb67763b39196f306a006860f067208

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
1f2cd0d823abc99d929d829bab181181

SHA1
1c92010c16e9aa96be9c515dd447ae73dcd47bd8

SHA256
148c0966f25fdfdd9e78c038b24ad0695cd0c3a4c04deb7dcdea2bfab548cf49

SHA512
3b829d22f0db1692b31c943e07b6fb2b2d020b63115371deef6fd064c58af12f787d5fe8828d5ebde704ff1d4d2bb757cb342a0009d184b743b63870e5425bca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
b8f78355c32d5b85aa58fa473e49ae1c

SHA1
1c0fce7b72625308224d1eea1c5b1e569fe56b56

SHA256
07068764310698826dcfb01b16f0e683f77f78c98276da305e42759d06722fbd

SHA512
27c78e70c185c80bf7bf6a42f6706207a5d900732d0466bcb8a01cce90076bcf3a546007b37cb63310e30306ca8faf3679eec6666e67bcd7f34dc1f2a37509c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
36f2f6ec9d87bbc37f4b5d2277be3770

SHA1
83272765353356976f139c5760347f7642132ad0

SHA256
845fd26bf285194e379447a4372a15ada42d37bc96b42e0378c866bb5b1a09c9

SHA512
9236691b02c8b6c6d90092557fbf9c27cebdf576ad8e2f33d782b45b3e61a14ba940582aa1ae764b3c808e56c491c0fd4819e6e4013cef3d4620982080e448f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
e92f8c2b410a08805a64aeddfa52ee48

SHA1
b71b62980513dfe392a43e614fda7c6478695d0b

SHA256
8f3bae01730e26e86af5d2d1d5733b46667a480adc3d373d40ae355024849c3e

SHA512
852d937f459dd925e34b09cc45198086685c1c55cc1b84d4696327b7a755d44c2aff60c23cb4b905ecb6e09e0687a85caa2f6ff95dd8d68d579c0d7bc02f39cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
22d7d3f7dff61c8f6c495f9cb8daf30a

SHA1
5cdcc846b602413776b8fa6a3da21efa2747a692

SHA256
233ef9c6649629e26607cfec246aac12682f22654fa61316bcf90b5ca7a57f1e

SHA512
dd060315c1526d4318751661394eb0d21786f238696e8ecfad94f00c2b6e915cc55a9db1ae40645d93f9568682eb3e8bf3fa1a55a7acbb98c5c58ddae92e5474

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.3MB

MD5
8a14e82b6cdece2ae974936f1c453285

SHA1
318f5dbc76db65d3ce1d1fc9a7797257fffefbab

SHA256
99f82e4bcd59f96af48e80d64806a698d54e7817f67e80feee296a831c016a27

SHA512
371cd49b0926ec6bfdba43246dec530a4875878f6bc405ea878f96435546149d75947a567dff4c1b220a0f5317e64fa9cb13dc4796bd5528102a197591305328

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.5MB

MD5
f215a2648fb5a6e0cf0cd98dcb572a6d

SHA1
a6cac733d685aba7de8d2c14792b2f9785bfa624

SHA256
a40e03695b2a659f3b97194487dd8fdf89739ec4705338418f52c08df586c691

SHA512
cce490aa71fd3409bfcddfd53f7af3a6bf9af55026b5cc091ae9aab7c83768a2daa4f1c36fbd298716d3d96cf2c2a3b5bbd718d71e9bc912277791b0ba0f13f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.1MB

MD5
014ca005e5e00166664f5db3bdf7dcd8

SHA1
e2d1cba9ba839d3fb82a9f0aa3e9ea3afeda878e

SHA256
94579453ba4422eb6c91ed4d8c00105bf80bef4e6dd9fdfa9bd11bb609377bf0

SHA512
d3d4650e549480835512419211c17e22b6359350380b4cf557586ea5fc1861f50c00ad6b94bcc071e1f4b7404a6f95d2938dcc34114d1decf0abb38620526d8c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e8929460b450bd3e574d9f60a0eaf62f

SHA1
f3f1a1b3b9f30ae5f1439a61ff5d54b69bb04fbc

SHA256
8a97883911c37bdc934710325906713f49e6087084f0d59c9d9910792119e5fe

SHA512
2809b9b0d468be42f7438160d13fe122c6214aa29a9293aa7330102b2502c8a21829aeefc29b392266a56ee2bc3802f3ba8f92166d698cf61e9b14e2df199179

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
166c0824aee0d7f5cbfc34475623818a

SHA1
b2cd42b7421e99b93adf028bb5f01c874c19401e

SHA256
c6cb35790a5af34edc71dcdc0d1029fe60a68f02464cc3949b338dd9dd0ab5fe

SHA512
8c66f215b23f81056eca092a92ce129e12305551d553632209a57712839886aeaebb217492c30625620522c40f04d10b0ac10b80c3d1d15fa507e04eef89c373

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
9cdbe207a6662afa6c602b1d0524a5d3

SHA1
0474ab7492de9bcc0e0e11b085aa8947398982e7

SHA256
d1ada21ca61f6d1e55148ccafcbb00ca7b0e0451ddebb59cdc746d2c975c5490

SHA512
5bc03ce76ec0bfbdfd1ec98b15b6f214328f5612487af1e566526f9f54610c9fcde530ae7f9ab653c4ba6575243a31576a800314bd643cb891046810c217542c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
07f3d22421473793eb72928a4571c5f0

SHA1
d4c3dbdfadb545aaf6c4247b585c7c09c5c0dfe0

SHA256
c9655a102451462bdbb6841a77edce7834901e22685b024c6d386258eae31edf

SHA512
1680224b5de9432edbe738c156bfa753c7fc0b0afd499e9cc78a7d8353ebd9a55f4be5017870deb284e22b66d16c55ba38c13d6815b3eb5146aecb39d1f71667

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
0f91421bc288622a03243e4bdbc4b8e8

SHA1
6dfac9b7f69cd023faa9ee0d116b76fbc46d6f94

SHA256
c5db9848c4fa534c1608f5a507c0d39aa626b4c1655b32eda69e6ad7fe86d697

SHA512
6a38baba5edd60973adacd9d9df64c28d1f504a6337edb2fd357cad55d9e454fd3a61ac439a36320261f33c867030de1a39e2c062e9bc35765eb665c9010683f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cf1f22de5aea6b58b7a69523e765b600

SHA1
54018c4c6667ffc34aba836b690f46e659f741cb

SHA256
fe1a8e30e20e0da8408cb50e8f6057a1d06a898b236b17670aeff8ba6157ec96

SHA512
afbd34f8e0420261bd4ff70b75943efdf34c1b1158b3f6f0909a6dee9ebe5d70ec46a209fe83e740ea1ab703dc8e4048eeefc77c8c04f51cd5d2529507178dd7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
c253f210ab7720b76ce5190f5dd801cd

SHA1
d24de944856852f70d0a22818d62f0b31c32c37b

SHA256
54367a6952e99b3d19acfca912d9eadadd1aba727730533a10409d4d269af57d

SHA512
b8892befb93da22d2f5e168f40e8e96e8244b7e3e9815a5530969e7972f8805304693791ad1b1d48b13bca2dc2cf02ac3f57e29cbc553a969cdf99b3bb7383d7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
f4475b6555c1591cef35939c8ca10d65

SHA1
3137e112fffc6c524e57de586be0c8a5692da9b6

SHA256
054bb8fe97bea0a69f2a78e73628ce601c343b9ff9ce05fd139d448d50c1e72f

SHA512
289adf22a763267ced495ec8d5b5b44daf901e5ed601e639ac2c751e82bd80bbf1088f1fa25f66c1777e6b1a4c21516f46e72b288b8c28596a9a4f06d28b2a83

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
fc0d81441a9ae67f8d9d2c1004b61d17

SHA1
960de38484a50eeec7140494df6e3eac3c3ca0a3

SHA256
eef61757a1543f3c6211dcb63c68fe25b28e5aed0f5785d454d288e3091994d7

SHA512
0da96caeb62c71f0297ffa7f64edff0395333ccdb13c4a153d5d397682bc321dbb0f2b4cf1c2cf1bab8c1da1ee72ac1cd7293fae728301b00a65e2f5b11e46f4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
83fd13d07e6cb4aa8a8f4ea93d593be4

SHA1
9049f1e7ebb0711ac03d52adc09601317ec37125

SHA256
8f6a0d4a6a45f3ef12ffc8a2b775fa7886e3613bb6b3cd16e6e6e347685669f4

SHA512
26b99b13893e4f92d821d3a7b5c2f6fe13c872755d928054af520192d733b9b64f6d75588c03d427d1752e5f7d6f7e396f1b7d289ec066f13a33b68de47afe48

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9bdf3b00a318e2c5812e3c4debce1758

SHA1
8d9d599d8111270eed9a1392b2bd95225ee20e80

SHA256
907c80638ac2669793744f9bef75d9c061e8992987af885148d3478acf83a09e

SHA512
5f3bfcadb5c424676e91027d75d27e8a587fae352311d6b3a758fdbaf46b595f1db02034ea420c8c65ac2b083d1cba3ffa2065c2b5602dc8a64a63ac237c259e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0f242098842eb89bd21517985985f857

SHA1
7889def92671010d9e8db8ee710e00480648fc4a

SHA256
d07a3d4a9ff8cf1d655056cf9bda36122b68b3ecd0b2a3248d5d16e2853b6d63

SHA512
1e5bf13e923bd49c296f86a682197b7ecd1a5598a7b25f859ec29c1f674623e09a723fe9a8504e376f74f9b05014bc19adc873772db6d4bd05fd11d4a4e518c2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
974a2b26a94915daab111d4e7eafb5c4

SHA1
c6242f5114d84014fcf8708ffec1101f9b5655c1

SHA256
120dd9309db6d0ee8a23397203de80d1be167dfd316bdde40cf7b5bacc353951

SHA512
a6277024f3d19a21c39cda8df63928a16d031d03dc43b3087e9aa038ffbb477fc527dad597c7a51c1e540dc2e63695a6db56aaeecf45527449c65e6f4c7e3ada

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5f9902527012a4d0da7f76c9145a0f49

SHA1
207c1ea7d6fbf18f9602894ccdc857e42ae6a390

SHA256
4570e1deecc87166c7ca532247fe2d58fa187b9df0b460814660af113b4012ad

SHA512
0351efa4ff7ced9753f43900a393520296e684ce6d5d29b44ef69e3d4113894840b10ff47f6e3c3d1ad36f2e47fafc826b941720a04bb88f97d67bca4d45fe46

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
e4b3c3ce56d6561841995011715fe854

SHA1
c392b23a2bd19771c2d4982bf930e09d104f08db

SHA256
3ee25849ed1a365718671b80d72555f93e51946d6f618efa0286abca00b5e8c8

SHA512
be21308d90306ade24f15d7037bded1e352710ec30d4e55a1072d5020388e46a542531e68f393af70d250f669970c99632d40052eb27417b6b1c39c1e7c38dbf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
c80618db5b8dbc4a0cbb2697230f444c

SHA1
b37e30c79234252063b88a024ddeccbbdf525312

SHA256
ecf1f9810bda2c7e74ada992abdd130277072dac5c7751ac2e03d6c066f7d186

SHA512
c669f7fd00706bb24d789f3d96cefeeb4d6368baa43c2533895ee490155ca9158cf41a2ca5d448c9680c77ac8c6a5e1ed1f0d625f010aca2c337f26aba71a6f3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
56a6a693a355d123f390f1957c000c7d

SHA1
a2f83ada0b8d4223a2d07c47ace0446c45267dd7

SHA256
5ff74d9f6b12665f488c5111edb58d53d1431f74715dd7c60fe09605cb4601d3

SHA512
b875eb688dc6ff9d21c6e7f91d70aa8fec4e4ed558188185d64092f22fae1344f1c5415b908a53dab91eb36ff43d1afd7d25cda215dab55959ddecd8db3391f6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4243975c4d8beab4082c10e121436be4

SHA1
69914e548bff505c20a6107d73d3d2784b992cc3

SHA256
c304932043952ab5cbc59d8a9602783ed1696249307a7158de0a402e659b9052

SHA512
25ea60a509b4b1f06a71eb541d3fe5ac69cb35c5fecb2ee3887d99f3f47ac82f235b80f0a390f1807a85ac040f02cfff8dd876a3aec3cf6c36ca77068f220042

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
97db3856314c7505f62145da7ed245f5

SHA1
39add02cda6b11d03f5af6ef81c108f1927b1372

SHA256
85c8b842a7742b7e3228c286c19c4a3c98a41a2f0c811c625b85644229200770

SHA512
ba877131600fe69c52d6fae69b6c0cf970bb3a2c9a21189c0d0806e740d47f984b7b12878b326329a062be322093a2436387586263e14a93cad9b5afd9d47eff

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f26aabc0ef2ff5d4bc9cd7c5918af302

SHA1
b514b7f51fc6d0df8f7e959ed043bf5d83034866

SHA256
bb852a15d3c8748fbeb1dbbe2a8453bf69a5bea03cdf7e076f963a9747abb4e3

SHA512
5a35f96293741af3a909f8f03c84b5c896984102c6c8dfc079382ef7185f578e49767cd25cf659d7ab1b6d8b4fc66a3c4b74d953d182b676e2337f5510cf58e7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8299e49ed12c335ccba1be36dc1a3e69

SHA1
a898f02cad554f3e58167591687858126861de39

SHA256
860433100ded1e00cb92395ba53609eeb10b4bdf9c4b4930730227f5b1b3960e

SHA512
a20977f5dd2ae805484b25a2909d8a19f6616056535af07f9690857edc4fa642b3790641a8bbbce0911870cc4dea2b4621ee041748ea54f4bb09686950a5c258

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
082cfea4110ec16e424b9b4b7a78c852

SHA1
22d06134ba3d9db07673b00224b919e3cd34ee55

SHA256
ba8d6e695be496d235b52a88fafc1c4c5de4fe5aa42d260473e590823c14812e

SHA512
1382243a93f3902449b0587308e7a3e62a048bc1e2b2e73a5eac98de0f0dce8eb55d66e4acbf0118cb8966a2b0c55c20b1dc04662223de8c5874461b44345477

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
7f551b7987103e42a2cb1a8b25bcbc24

SHA1
9ab877b62ba8eae521ab8910d27ec57c81f5d6a6

SHA256
7fb62034d35664c365aa9dc486969b3fbc8e640dbbd09b32fca43cb67029a4e0

SHA512
922c410f26c902c72cfdc9bb7fad1870b2cb7ba7bcc75ece4237e866b77f290d0d40e4627069b913a7669c5a284705d5fc233c1b4660c5c124b113e3dbc7f188

Download Submit
memory/408-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/408-630-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/960-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/960-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/960-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/960-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1084-628-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1084-189-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1228-239-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1228-126-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1352-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1352-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1352-626-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1416-620-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1416-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1736-95-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1736-87-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1736-201-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/2020-215-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2020-112-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2320-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2320-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3036-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3036-629-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3228-633-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3228-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3256-125-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3256-21-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3256-17-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3256-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3552-635-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3552-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3568-634-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3568-260-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3968-33-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3968-26-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3968-129-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3968-24-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4012-162-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/4012-398-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/4292-227-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4292-122-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4312-164-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4312-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4312-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4312-47-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4428-43-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/4428-48-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/4428-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4428-37-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/4428-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4484-72-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4484-80-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4484-78-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4484-85-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4484-83-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4624-444-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4624-0-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4624-6-0x0000000002500000-0x0000000002567000-memory.dmp

Filesize
412KB

Download
memory/4624-110-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4624-1-0x0000000002500000-0x0000000002567000-memory.dmp

Filesize
412KB

Download
memory/4736-627-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4736-186-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/5040-130-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/5040-259-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download