trickbot | accd4d1500b90bf5f771d7843461d766dabf4b06a1591b041b00aa397e36b947

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2025, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
Size

1.6MB
MD5

70c7e104869e9a0effe28d01ed53b9b7
SHA1

e058cc01a41abc8b4a82f5d2ed2925477ab5dc03
SHA256

accd4d1500b90bf5f771d7843461d766dabf4b06a1591b041b00aa397e36b947
SHA512

7fdfc12a96b1091eff1d37985c181977840490b91b37bec3a716dd8584000f983836ffbf59ff6435e4581d0464408a5650493fef7d8241ab35cce1b50656f252
SSDEEP

24576:8CuGlQxDni9rVOsqjnhMgeiCl7G0nehbGZpbD:wGlQx7ilYDmg27RnWGj

Score

10^/10

trickbot banker discovery spyware stealer trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Executes dropped EXE 22 IoCs

pid	Process
1104	alg.exe
3584	DiagnosticsHub.StandardCollector.Service.exe
4816	fxssvc.exe
2456	elevation_service.exe
2496	elevation_service.exe
1880	maintenanceservice.exe
4356	msdtc.exe
1464	OSE.EXE
3444	PerceptionSimulationService.exe
3980	perfhost.exe
2868	locator.exe
1752	SensorDataService.exe
3268	snmptrap.exe
2012	spectrum.exe
4952	ssh-agent.exe
3020	TieringEngineService.exe
2528	AgentService.exe
848	vds.exe
1168	vssvc.exe
532	wbengine.exe
3568	WmiApSrv.exe
2032	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\191c333adb05c3ba.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\System32\vds.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b75aacbec96adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b71cefbec96adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c86ddebec96adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002433a5bec96adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfbaecbec96adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000962a7ebfc96adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039d6ebbfc96adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041f6e7bec96adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3584	DiagnosticsHub.StandardCollector.Service.exe
3584	DiagnosticsHub.StandardCollector.Service.exe
3584	DiagnosticsHub.StandardCollector.Service.exe
3584	DiagnosticsHub.StandardCollector.Service.exe
3584	DiagnosticsHub.StandardCollector.Service.exe
3584	DiagnosticsHub.StandardCollector.Service.exe
3584	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2296	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
Token: SeAuditPrivilege	4816	fxssvc.exe
Token: SeRestorePrivilege	3020	TieringEngineService.exe
Token: SeManageVolumePrivilege	3020	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2528	AgentService.exe
Token: SeBackupPrivilege	1168	vssvc.exe
Token: SeRestorePrivilege	1168	vssvc.exe
Token: SeAuditPrivilege	1168	vssvc.exe
Token: SeBackupPrivilege	532	wbengine.exe
Token: SeRestorePrivilege	532	wbengine.exe
Token: SeSecurityPrivilege	532	wbengine.exe
Token: 33	2032	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeDebugPrivilege	3140	wermgr.exe
Token: SeDebugPrivilege	1104	alg.exe
Token: SeDebugPrivilege	1104	alg.exe
Token: SeDebugPrivilege	1104	alg.exe
Token: SeDebugPrivilege	3584	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2440	2032	SearchIndexer.exe	109
PID 2032 wrote to memory of 2440	2032	SearchIndexer.exe	109
PID 2032 wrote to memory of 4724	2032	SearchIndexer.exe	110
PID 2032 wrote to memory of 4724	2032	SearchIndexer.exe	110
PID 2296 wrote to memory of 3140	2296	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe	111
PID 2296 wrote to memory of 3140	2296	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe	111
PID 2296 wrote to memory of 2932	2296	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe	112
PID 2296 wrote to memory of 2932	2296	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe	112
PID 2296 wrote to memory of 3140	2296	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe	111
PID 2296 wrote to memory of 3140	2296	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  PID:2932

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1976

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2496

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4356

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1464

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3444

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1752

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3268

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2012

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1324

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2440
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e6b9cdfffaa29fc84ddefb7bca11d4e8

SHA1
0ffcf0be868f808865db9794f9a34b5e4dbd1faa

SHA256
363bc6cb5c04547185461792b35131a853f3b8956b99fbf06370f8264af9c12f

SHA512
5df7dba32f1668f0f4d52bcef9e8c0c755f7a56dd12f7088a2c41bd87a94f2a40f35dd385a026ac6a0fdffad2f06a2840f27aefa7153e63a2d6d8b0cef2a9d30

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
852a01ee07ab9d9140bc5f28f671e992

SHA1
c141e0755443472b5b079f2cfbd36e7065bde89f

SHA256
6e4342b75e4ec6310da5ab01e1fe766deb196d350b30554b18fa93664c7f13f3

SHA512
f2c36b8fa9657b9626c722650f78597493ea73faf98ef4528bb3282b3177f50ee6343215a6bc600d266db73c92124a7e8b57e4f1020eddc566d3086903ac3c7c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
556fa200bed06d9cae550d95699ea557

SHA1
95298a02cd9bc23b29cc74a4139c11ae06bc6737

SHA256
9e5db55de10c76efb65b731e70744934b7d2131eaba4e79abe1f85d651e1f885

SHA512
3d4798fe5e64c02f9f2300a4e06ae7515b360a3698ac0237d591433eb8168e9087ee982d682659604b19097da72d4bc72f9f115ec0f2430aa9a40ee33177c83a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b45490f3bb428a153922aa5b77e51f1c

SHA1
661670eaca81f8be5f2e9c93b5c364980be009bb

SHA256
8d33a8d546dabfdbcef2a99100e720a3cfa2195bb7e2af3c758b74f57aa0a151

SHA512
503c09be17533a1e1938d7a1e296d96f764d7991e1d12e197044fea18b3f55e6addc9c8cc1ebdb490fe3207758bef83b6178f23512269e3e1bd7b8fe14fbea42

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
be81ffa9589a5df4bcdc29a0aa06007c

SHA1
7ebfa840ea52d32506f8535ccd99d4290a1f6594

SHA256
1a44e4a82ff09ceb782de2876c02e918e79f7df03c95ea1fa8529a71c21e4dab

SHA512
a14525e979d1f8e88b34ac65ff691869d0a85a4568e26c3444c71e106b8cef953dfe3724049f0d4615a86c6f1c3420c091e24fb5fd1abbb395f1779e2dd44edf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
1245c36dd5f437e50c6a2c0ad03469c3

SHA1
4c9c404be3dad7542c77ee94a8a201663329de0e

SHA256
3ae458faca9067ba7129a565b49daffaeef6be4d434b860e634e2e435120c2b0

SHA512
44b96c03529d7a5b07fdd65606c6b39237f42ebd810238f859b97b1caa65bee16d0d06466475cf93f52c07c5119899b234ec0cc1eb7c0f1b1273d904f1794bc7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
730d06cfc2af200a4d9352b7383d7fdb

SHA1
308404a919ff09b4e7197cf23c38938ec3b43aa2

SHA256
8204a2ff53d55f02bd8daad97d36b59458ddf867fa0ee53ef82bc625ea5a0159

SHA512
f37c82048ca2f25b660af2697cc47261107119f81bb45d417c7671d59b6c16d9298ae004cab762627cdec28d976b2eac986ed912471f42a4da03023da8bed772

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fe6f3e656f782aa8d88a6f8fdd011f57

SHA1
0190defda2361437a767f40602d26007f0ad89cc

SHA256
44f62fae79e9d2921e9e925b3ed318df51743471f79b3f138951a5bfcf684647

SHA512
81bf283ff0d4ca79e49c40b0c3680d8aebd16a9fd3da6a0711c20e09f0bb2cc2d3117f3ed5991c0d3d5b46a4243559f5679c34ad0bc758badc2204ea56fc85b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
c1a1dce085a3ac6424e5d4831f7416ad

SHA1
e7f74110dd63a1dc9664f69d78dcd27257efcddc

SHA256
f76a8df6a353c2f995734f1c5999ad3e607182dac87cf0221b13caabcef1c3fb

SHA512
eccc1ff16db8409e1d445ca168692d35881897b8bf33367961ea1f52ae342fb1822956b1ab9d306c7adfda4761d443c904c6814183e1b4f4f6719e9027cb1690

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bcd73f4b83baf4d1e334c6f345276ea7

SHA1
a95fdf53b041ec0a10ee9509f5fe98e769c34231

SHA256
f44a973b5778b08c8100b1188d2c40da89fe4ba7636b65af53ee00c43d825fc0

SHA512
1ccc236012b77c05e5772baf8c60551821fa83552a9c7d02575ff0764c80cc75fc118d260517d613169d922fbcbf293313d2f21b7a6ba43e0266a8a6efb2c081

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8fbd6538114aeb12c84a24121ef426e0

SHA1
0f84332b8297f36819c34f928af7dccce2655a77

SHA256
df16d8da642726dae2cbceaa86465e13c6981b205479ccb21f1e95a4abf39c8c

SHA512
c94ed5d977222c6e03eeccfd99612754f7fe1dd541f449db7fc57d51c893eaf8d210758cfdd84c52d2d8945667019ddb7ec9ecddc6f0b5ccc1bde6add28314ac

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bdcaaa1aa016511beaed2075ab8e8b9e

SHA1
c814bc7814e67b00b1701b8f84f0a8a05a4299c0

SHA256
dacb42f69aaa7c47e863effb893f1021d64cc8f540286597438a0fde3cfea704

SHA512
c8e3f89b77acd788a8e605a2bb16945bd5761cdd89f05845302425595fcf9d31229746a446bb30ca6188a034ee82bf980e9e6d9c5ace9b618a06f7be62c7d0a2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
aac9a96af0b32b72a0b8d3b376806bad

SHA1
42c46bb87c1385cbf892ea32c1a831bfa552dd80

SHA256
bef074505c255c4e5653b9a58ad764492625156b07a965ad7c9102fcfa732996

SHA512
e1a5b4ec5d951b83b838e6099dd195b28a2f157b4451f1a16d4a54e55947879bccbfd9fdbf591ea85632044af4a2124953a47d5260097fae7d03434385b89fd2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
31b328e8a48efe44d010d0c63f99989c

SHA1
d5d00d26fb46b53c3456cc22b4d03e7df0482c6c

SHA256
58bf51f56fd7d9305edbab6fe92c768ea7d763aaff350b89a7fb0e104b0074e9

SHA512
c585beda658b910aa913088fa17b35572c6b9c4511e5aa826829eac06139a6ca12bf19d52986afb000fab4028e0db861d0eb2285d3ac0122804b1fdb6ca2f393

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
7cb7ad9c45f4adb6a95f02df1bbb2253

SHA1
408f16e27e90e977aabe1ee953a20f98e0baabd9

SHA256
86bd0d995cda4a4164a35412a936ece066d88f431078277da0a30f99d7f61aa5

SHA512
606a1f37f08526a8b6a4fbcb941daa99141615f5c1da7936aeafceff5076d2f4ac5837d3d3f0f88eb4b96e0ea2c426e1fc002a7e8c837dfa5d20ecd09eff539c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
da721a038068d1b90a8aeb9dd160206e

SHA1
68bc2a1a261da340aa60e72dbe770f97539a618b

SHA256
4d1dd0f9302565a733d0c23886dfa756550871f42117bd62abee1e07e60fa359

SHA512
b60f06882d6c2d16f24c016b3a04b338133a34c11bef22956aff8720c0a9817da7e47d4909a17aafa4d9e433c66f54e448cf72b477e976920ffbcb2cdd90e8f7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
8bbdac3baa392b9cb0dd0adbbe9ee92f

SHA1
3a0d50d60764904464ee294aa6c9425bb644bbc6

SHA256
f9c30fcd47dade34c1c6b0f4a4296d573cbe13fd49e68df4ec159e212a21d563

SHA512
175e6145c28de735c82b054dcd008bca02bfc00088827232f5810b847e9f45e41e292d4f60af97194fdb8f603e989120b95737cd38695d25904aa3b7cb2838cb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
cc2a0e0bac4aa33f67c3e6c3dd737b14

SHA1
f714667971c91376800ff6e4a27e9bc3ea14338c

SHA256
13587c060570066cd4332c13adade45a668be8b815ce532dfcdf7fa2adcd03f2

SHA512
231ed7f69289b2c719603e2abd1480607f84585a3f3e35dd52c317e496016752aa7f2371c9bb5e68fc8fafb9dc68164d235fd99d32331f9601c69986b2b03f73

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
dcfdde1868e34205fedf966ff2addb5b

SHA1
5fef902858a7912aa683e3614631d726ea879e83

SHA256
eaaaeb28fbf2b3ce997e421eafb5a9401743fa5e069b86dcf90d89b1f7705b04

SHA512
f00192554d60ae5972e895eea9ea616d38ace30b6dbdcfd9c293bb2cfab5c81f161eead93cfe50ffa10cfa7b84730e1304f5de7b8d7cb5b4a5e929607c7933e2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
25bda86cb80cb0512c3def3b4e790c22

SHA1
a1c00a78e1971ab74a80ff0efe005a259369af18

SHA256
d68098ffc9fdb27357e8010ea70e0374fcd5e0ef303758c788fb74b609755486

SHA512
cd87b265e85f14ec3f65a68a8be3bdf9cff6b0204b1ca89ae3881b63544ff35a81be9091699d56019f6f48300606dcfb1f01eda57f387c5a4c69569feba6b0fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
8e4532482c0bf2e5de7a014b37b42e17

SHA1
17479a38859cf09b49b0ea68284365971e3de9ba

SHA256
11c7820adedcdbc35b41200b25cd0ecfcc4f56482bc2c94dfc143fe20dbcdd20

SHA512
526efb990152a8eef7b4ba958647156040ede01f659fbd18565ddf6062e33023e60d0305248c9b18173cad764ec130843e3a9e8c9c6f8d034ebff3d65d8f0d66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
4eceb3015ff9c5f9aae0808fe317d865

SHA1
431944004b0f4fe5abffac4aac325fcc931648ec

SHA256
9c276f0859c5234d8c755152863ad008caf0f53f11dc2fc67421a247874efde3

SHA512
33747ea6e6a813bc11fde73571fe4d5fb5f61bf463d9132a5e0c7ee24fb4e11157a6fc40920533e8e8a8a755ab293ecc3a5078a230524cd43a3175ef2878c0d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
bd6750323a877d85bb862d256fb2105c

SHA1
20cf4bdba9de4aeaee3308d78bcdedd5a040bc7b

SHA256
8e8c4c6bcbf6004e1f64cc65506f5d413c24bfa6a3f423a24788243c2f2cecc9

SHA512
70b8ae8fd217e226e99f72050bfa1452cef9b7be8f7cca813b6bba8fbd5d21854453e6a8293a084ef4a9097be471108577cf370d27aa9baabc1a4f9107c615ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
0bee50d4f0de86591de2f93f1f1f0243

SHA1
63000624d9fe66089270e551700f7ab969a0884c

SHA256
edd605e3095df45580ea5921a51e1e6584a28c26030a448ef48b66a85ff26f14

SHA512
a48f202e2d85be1041619dafbe5ae986aa1310770bbcdcf996df5499ecde56f873ff1c38e598dd4dae13dfcd2922877bc2ec91030bf4aa6baf62d898841d103b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
628ddf20cecc1a4cd941ffe0c60cac33

SHA1
6cc10d7ba12038bd0e685cdac6ff03e571c403bd

SHA256
79dfd3063a63c5840e2920134e839e035e9fa0264a2bc183a44366f4630dad02

SHA512
0761b87d6f06ef4d6ed2af0568392062d796195d91ca0c86b1c08a804f0f654f89b6abe60abe5ce801e960711a9377010859a9908b0951bb2113ee93a5910904

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
4af90c629fcedf034732318d9951ac21

SHA1
693f07aedf74c3aa4dfe3cb3a79456b5c158adcd

SHA256
fcc7dd2a99eca412d6e8969315bcffd547e1716792d3570aba58f5e4743d4d8e

SHA512
c660dc5182ef0d186249da72fdf15ad46a8e281142393dfec3a4a1a3ce61ac9aa2d377514338f25e3dfbc382e5a51d882be6154030a4d81e8ef2822fe90cb75a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
3f82fb1651dec7adc78608f5691c0871

SHA1
1027d722bdf887a6c79b4b738cf139757d392d9b

SHA256
3921e575e9641936a9c9a8a6066506198230be7a9bdc9c8c6ace096b427617b7

SHA512
0d5fd79da449680c9a46f4a7f6e3b55782593fd2aaeba15c376a3366c802fd84ba71cd9f0443b0f3e59d9f0c6df39e01f08265bbbe7cb7bbf3685873938770da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
40ded426ff03bf79ebdfc1a9f4a8a917

SHA1
d403a1e35250cf1f7942acd0870e04bfa40764cf

SHA256
cd907e85d88774ebc063db1de9dc16be973251b4dd33e7f0ae2936d18fa004a7

SHA512
83c6d498ad40e415dd41230880ece10e6f967730104a283b1b773d2b74d4dfa7af0598141061dadc55cb62b34281f05b96693a2c77b1fecf7171988e459a8e49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
6777dcca2bdc7eb01c7635995f69f8f6

SHA1
10eade0b4f57db9b1d3e150929bd5f72480e0a0c

SHA256
f0c1d7636fb2bcdb518d86b5f2e474cad4b6202af06791f658727f2560704d8e

SHA512
34798ddc6a20cc316b9a72f031c81e72f45bbdeb90153aeb8b2417776df1a053c2e14c2e8fa7074c24a3d3203f19557cfc6a439a5627f9aa15a56ba967db165e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
6917e7ddfbd241d8d6ed8eb99ee3fd32

SHA1
c244d5871abde3ba47a5cb881e2ef632ac8e42be

SHA256
3b3f5d40cd82924bf8597311ca3b038e210e0edc657bae9249110056db99bcac

SHA512
bd21c9044f2c42fbb853862a94ac32b879abbdab1871bbf4b28098c928d33fad00378be37646452bedbf08d4b78e6bcd4d6ee0e86faecc86b487fd15478830da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
16f4ad196780fb9f5b68b948d854ced7

SHA1
34a45c249a7d00c7c454e3b1e6c463552f5f7343

SHA256
3b50009b361ea8fd536c7fa751dcbdbdf8f69b1176abf56ab03fb0d217625713

SHA512
58d8c874a5c53a6ebe362dddd30fb46087817623bbe84422db8b661caf67c9d42ae2267e77a8f03ff78fb387e608ab06b34e0cbbb3dce64b26759d2bf484984d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
44ced3da74d3cc15bdd018be80e299cf

SHA1
48ddd4475c02d1dc7b8aba0a71f220e30a1fe4c6

SHA256
8e510da5c3349b3e181eaebf5cb121a37dc6d67ea03907cc59dfbe79876244c8

SHA512
713a749afd57f75269235ae1a062ec6b2fe33a0ca067dfc30dce9cf6f30ef179bb2f3db2527828827c8e8d425d37202d89c63deb909409c9246c3c18988501dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
d053e4071b752181a49ec6fbcf66d79e

SHA1
b987fee0b8a88f708fe8941764928a378bb64f34

SHA256
e8de22d096b0d63481845920403ff457a2e94a6f4812a13220b7d4ee2607c0a4

SHA512
f70ccad1c1bc5e1c0e6f62aae8a431e3a5053df0fcdb2ff502b2c0f1ad1aaece18ec19b80bc9ab7d10ad7308bfea9cbb93173a7ac60732781992aa275a08b6c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
66a0e43e17349ec5e211a639f99c029c

SHA1
bb389ab5dd0dbb3d8675dfba2150624f1dd15854

SHA256
19877d4f87a250e618846a77c014e406ddb5891bd86ca776b9dde6a2bf158898

SHA512
fa4b60d10a258ac0acc7faa987114cb4af4a162f6520f3d43c397d0b63d66b3ced83a658b3b9adfb6a2d8daa6c816ed89852dc56829b4a0897849f8552620305

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
3a3c8b1a6f61d25b4f054e5a01e624db

SHA1
441b9017b6237826a73ddda5d89ad8091fc90a16

SHA256
8fc965a79b3b83e66f6acb534afba7364e30d2be1e514f5e4f3cb19140539501

SHA512
78c1e4e20180925d4ade7ebf8f83dff9b5d792eafa3192e83cfba0dc195a921390e8c3a7962cd9dc418d25f05610cb2b0ef3a840c009882ba4e6f77cf325baef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
be316b573ff3597a153c5b05eb327084

SHA1
081d605c600bfe9f0de58a20edf4ce6a633e05d8

SHA256
f141084a455942bccd8bd3a5365dc4d3e944172a1269c59e4be3a08cd8f6e929

SHA512
94b3f0e8bb473ab7fb74714880f64d69f17d40e921f3b2375bedfa283699322b848e33a36b6e8610610e93734d28ebb14ab0c81f7a979e22d4ccc9c8182dfe60

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
25680aed56411f9358acf680fa52ce01

SHA1
a5c61f38a13e52e90dd85ab6270d01918965de29

SHA256
faeb10bfa3bfd2a5d07a18b36530a267c4b82cbb92f65a352cf8321fc389e6b9

SHA512
1f69694acf2e9e7391a57364c739340d380dc1a8592e4111d9f14ac9a6add2db0c708522ca35dbb2403010b5c6f733f66bc0af61eda03845daa5797e5ea85436

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
a12d8d562d83f31e9d9ddc1282152f32

SHA1
e08625fe6021e94ad397590fc05a22536b53aac7

SHA256
279ba9d22e359553ee925f3fb9dc99391437d4989dd56975e7ec4daa252e8324

SHA512
e304b2e39133519649ab2b120e9660519e33edc9975cd580749e205c65c9cbb2676bae340cf2cf544233859f4865ccc552fe78f352e6079441ea30a9b40cf1b2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c0f9b36b2f05fb0764ea9593292b3c4a

SHA1
57794b16f68f4d20211d9fe48ba26fac950c4cad

SHA256
2f9f275732f8cbec5e70e08544dae85601f8921ec29a9271596c38ba3b71a10e

SHA512
d807c33e2aeb8d518a0e07d5edfafe2d7f594a26405d76928259939a0d01990ade13a2df612bb6b5dd4fa3071bf1585dc34bf11b26db74a3fcc450d84ca4e162

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
aad1c4a6c21e893ec0935c96e5a8b2e7

SHA1
5e53d04b2491fcaa343b8f89508ce3062b5a1b06

SHA256
565a1679daa0b6b038170301a82f4cf1af0e15da2ba5d6e835081f909b410073

SHA512
7a3b58c171c9e62fd292014855ff85dbda4a617abfdad9923c3c8b06127a2b120e2da3294b99b1d43f8ff79189ceca9f516dc3d56fba6f85703b73ba37a87a4d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
76f290b842c99f2897730bfcebcd3f9c

SHA1
506f2b89fb46903265f752e817702ea478815b07

SHA256
1588c3cb606a0309f3e2558d8e3f54ce500bce1e1ea5a7a0351a0da28d13399a

SHA512
0d0bf4e6aa524362651d35b3ab050685f08a8c1849996ff520d9b04cd81cb795400232f752ccb4f5e4011eccdf7afce1ce1dce2b00608122b47401f27eae01b6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e74eab4e4768563757a7fc60ad4292fc

SHA1
eec30e53c853a0ff2b77d66b896b6a2b56d14ac3

SHA256
cf4118b4723b039ce7acb2989db8841ad453d11e4f3fcef0b6fb41ed84106c6d

SHA512
234e2c3cc1247806c6611771fe9ab271b6b847ece122904cbe3f2b4036396f9a8f77601976cba4507f91fee100e5e9220e2f0b70fc3a592be038e721e1b0b670

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
12bfba33ef933ebfb8aca0f91cdb6017

SHA1
1d70d1e186fdf20740e9fb2a16f10e228a1d8a9f

SHA256
689f17716f009a33853dc332f7d5f9884bb100ab9d0583e0c55e32526e4908fb

SHA512
d2f5c799fddfaa1339d22b53a410690c952b9b5faba8300323a1e083dc11d2fae5eee0e815bc33ac7f425b281a316ffdeafcfcfc5748e9d3b00cb6a55e8a67c4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
90756a0ca6ba3166b148e426d65acfc5

SHA1
60a44913633e7c2c3b055c734eb66c1e99a3a97d

SHA256
c719ed90fb47966f75c8c45b74fe13a5d620ec0ee844803472eb95144f6569ce

SHA512
fdf73d504ab3217b9cba60911fd0b78fa496e304b86bb5c1ec575d3de443be87de13763dfe98b07a10ff1c9ab6c37f2be38456c166cf9fe1c494c0ea2aa7d3eb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
39d464924dc20cc59c5adb4b2f195776

SHA1
8c33dc50f7825c0f46998bc4d8d68b8e2f97deee

SHA256
bbeefb21f1180f92b19ddb1412a894fb09da8008920382b5998e8c03e9561c35

SHA512
1e919a6194bb0fe1e3297a89a0a2aa4f2f2e5ab931262f53a6bb42a5bc4211c4feacaffb0287005712a549bb20e83ad1aeafda89b1b6b6a536121a73bacb51f0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
97a207a241341af52d3397edde946e70

SHA1
d0265a2444905c99dcd5ab5f39749ff4b1e81a24

SHA256
ab71d9641ecfbbf78555e2057c466b27f7dfbcc47b7e46d61caf113450ea01aa

SHA512
446293d0701d2c559dc2b0ee2f728c6fee7ba1bf9f389ce63bf07ee89e3fcdcb0f96a65c32ab081cad9418c9d66ef7ed250a525c86b21a4785cfcbd6e8d264ac

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fc20d2f8706b755788bcdc9c754fa2e4

SHA1
b088102764a260e0b620d7f9f2d8158f0e629a30

SHA256
2bc418ff02b259251ddad6a937656c371d1e6f1ce90d08ebcc7286e33762c5c8

SHA512
5827af784e863235cc78db97a35b1053523e353ffb4d5ac8a08a59c9b6061d36df0c3cb569fe7b614d29a26c0c5087bd5fc344d688e44486dcf6f62f28c7a080

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8e91412c1270c6536b3d335800375ed7

SHA1
ae25a4d0193b32244db38f19cd362173f72efcbb

SHA256
a0d4a3a46d5c7207ff693dff780eccdaffd8e029de6c42910f3a3f14d0f8259f

SHA512
986596cc331cbffb76ae526083dba1c083a82acd48e78c60c19c8865e8d281ccf0c78b5f932d48054f0ecfe0a20e62d5b6b8462a716f9bd60907cff7dea06185

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
aa622ea1cb7de9910a91b59f8d17cccc

SHA1
961d91353ec6705920fa96c4d39b9efcad11e10c

SHA256
285c02322511d080bf09b31eebe06b68a7aa9ef0b409b9ecb4a617928f40afb6

SHA512
e70c56c14b804391d3838c28d5bd34d205c39f15f32484209c2e839d213a8524867bdb18ef431b4fef3f4e38e916da0bbe58d60ba2aa14b0e15788dad0cd8bbe

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e7f07faa5c94da0ec89265aa71072ba1

SHA1
f62a8819b7f89b5b4783dc0d7d92085c97653f14

SHA256
179984d6100fd2dda905af1b3ba3a7c9af7d5280d2c1bd827f8356192097a5ee

SHA512
122e5bd4e827fd752f45996e480541f3deac26aa2a9e034d63ae04344c5af41f5676410580e83330146bbb73dbb7e7b634ec2ec178c5d22e9024cf9c4e8f1410

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d3c1d5b578357f835bb13f57a34856b3

SHA1
45a0b7b85cc6d7bf9c13ee8ee157bfef7233e251

SHA256
908b0c1cc29cff012a45e652bd822c7021c71afc540cb671c57ca045947aacfb

SHA512
7aa1369db66af3ad5e1bbe01e0a8346d550bcf779ebb921cfd3cf2a54797c25425d8113c851bd710d23ee9e38b32fc3e210f33f0920635442ac06788146c80f9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
2cbd9932d92be7dd40604f9d94608d48

SHA1
596170372c0c2fcf76b485d89df96a51bde13bfe

SHA256
38cf93f4f73eebb6841a148cd900c33be887328609bcd8325379bf359d73d2dd

SHA512
e5a016e820175be87c6b8504af34485b1848ad3d5079bc613247bcb81ee42e4ca171c6ec4c76d2a6e9a92785dcf669d8838ded2659cd52721e0b20bea9736036

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ea29142fb75dbcb12d291e2193e22dcd

SHA1
fd644d50e16832ca1eaa3262723ee4e40a3ffaa1

SHA256
b84827a973b393930b2e36537369ad0710d0e0b94b9e2fb01aadeb0e670ad860

SHA512
7984dc4d32ffaf70d50d6f84b1f2893e65272464e9a0362a9eff9bc9332f4c0a27c27e7083b91d99a392d9a6028c5c4c7450182794b2c8003bc80ff8245eaee9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a2c544f159464a5bc822b3a19ffc2432

SHA1
c655c91b3f2bb6022f1f7ac6f8ae9ead1d78831d

SHA256
2ba89e10a22f1831fb9b2f0cafbbae8040f9d292f1ed670a50e2d92b10b23808

SHA512
fc371bd279c530f3123cdc545008000ae1e4db5a3f7dc448952e07e1e3883d554f7ef991758a3fa6b2ea9fdaecdc821c40d102890748f9ee48d71ac8c224ff0a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
037d61f0a6b36a6b7f812e4106c35f91

SHA1
f6658dcfbf0bd62daeab464543dbbd82103d28c6

SHA256
8c60806fb16c0aab6862aee3d13f4336412a65391539e6bab607ae75d37fc818

SHA512
b4389a028e65d03c499cc4df36846fb4c043dde9228d47227217338faf3c8cc0c049e09ae97d55a8f449d325fb69da6bfb04761b644f7388a6c6a1ac24d245bc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0008b2a45f081bb8f592dd4fb3896da0

SHA1
153f2e442512d09b5eeec75d0a330dd09ec91e1e

SHA256
b8f44d7381d86a6fe47eb1fe0deee528a08edbd6eae26252e04e28d729bbe4d0

SHA512
b2af759a80aca5e363c8ecb119789fef66af39981a3ddd3749d413e1ac16cb7d3b93eee948a08c6059e79c2479646828f9765a3fde01e764373218b1aaff08b8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6a596142c8d243be6ef99f14009729cb

SHA1
cb1b420a6299e3ae87b88e6aadf34fda90fe5c60

SHA256
f361cfaaf2e247528baac290c23ba8e0aa3327b6ff50214ef95c77e700af608a

SHA512
5e593fc35f10597dee3b57fe46947fc845ffd992b974db1257b626f311777f4256b6198cf4c85a819c8940bfd6fb5cf92c016bf318bd1cec52778198aaefcfdd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
1800f2b0e4a3f30bcef2656701c4f569

SHA1
8eea40b410ca857c40c95ae31ba664c05aee82a2

SHA256
6afc04fddc9ec76cf552d1730e65b7762409412fba041f731173d1157bde6e0d

SHA512
c81888a399f881ee0dcc826f30259a644f650dd69c0af070d1e2da5453b959153bf032b42537db14c70986dd716a1cd17f7c072d1fa225a6f39edcae5ec08b36

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
36acf240a7312f39a40e3b0a2ce7491e

SHA1
c965cfd1da8b2383fa4bfbd6dca4486e69a00d4c

SHA256
531e4b5109d3456571de64774014d8ffa60a27c0e27b3348d87340c11068bfb4

SHA512
b51f98a6051766b78b9050910a1ce6aa39ec0910728daec062da78300af55d4d847ad41335ead80ca8dc7c5aae73c6eb2b1de7df8db41ee50097ecb09b2942f2

Download Submit
memory/532-478-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/532-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/848-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/848-470-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1104-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1104-110-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1104-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1104-11-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1168-476-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1168-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1464-226-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1464-111-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1752-473-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1752-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1752-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1880-86-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1880-74-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1880-80-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1880-88-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1880-83-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2012-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2012-373-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2032-497-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2032-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2296-507-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2296-0-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2296-462-0x0000000002BC0000-0x0000000002C22000-memory.dmp

Filesize
392KB

Download
memory/2296-498-0x0000000002BC0000-0x0000000002C22000-memory.dmp

Filesize
392KB

Download
memory/2296-82-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2296-6-0x0000000000CE0000-0x0000000000D47000-memory.dmp

Filesize
412KB

Download
memory/2296-1-0x0000000000CE0000-0x0000000000D47000-memory.dmp

Filesize
412KB

Download
memory/2456-56-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2456-174-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2456-49-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2456-50-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2496-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2496-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2496-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2496-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2528-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2528-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2868-140-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2868-253-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3020-199-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3020-445-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3268-327-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3268-155-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3444-237-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3444-126-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3568-485-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3568-262-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3584-125-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3584-33-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3584-34-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3584-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3980-241-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3980-129-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4356-98-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4356-90-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4356-210-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4816-37-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4816-46-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4816-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4816-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4816-59-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4952-188-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4952-423-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download