trickbot | accd4d1500b90bf5f771d7843461d766dabf4b06a1591b041b00aa397e36b947

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2025, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
Size

1.6MB
MD5

70c7e104869e9a0effe28d01ed53b9b7
SHA1

e058cc01a41abc8b4a82f5d2ed2925477ab5dc03
SHA256

accd4d1500b90bf5f771d7843461d766dabf4b06a1591b041b00aa397e36b947
SHA512

7fdfc12a96b1091eff1d37985c181977840490b91b37bec3a716dd8584000f983836ffbf59ff6435e4581d0464408a5650493fef7d8241ab35cce1b50656f252
SSDEEP

24576:8CuGlQxDni9rVOsqjnhMgeiCl7G0nehbGZpbD:wGlQx7ilYDmg27RnWGj

Score

10^/10

trickbot banker discovery spyware stealer trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Executes dropped EXE 22 IoCs

pid	Process
4040	alg.exe
2376	DiagnosticsHub.StandardCollector.Service.exe
4752	fxssvc.exe
2316	elevation_service.exe
3688	elevation_service.exe
5048	maintenanceservice.exe
4120	msdtc.exe
2848	OSE.EXE
2660	PerceptionSimulationService.exe
5036	perfhost.exe
2784	locator.exe
4460	SensorDataService.exe
3892	snmptrap.exe
4240	spectrum.exe
1664	ssh-agent.exe
1832	TieringEngineService.exe
3588	AgentService.exe
684	vds.exe
3484	vssvc.exe
4808	wbengine.exe
1624	WmiApSrv.exe
4936	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b8e451be674cc675.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\locator.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\System32\vds.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75187\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75187\javaw.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce9deab9ca6adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000499c09baca6adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010103ebaca6adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d16673b9ca6adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5b3a0b9ca6adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2376	DiagnosticsHub.StandardCollector.Service.exe
2376	DiagnosticsHub.StandardCollector.Service.exe
2376	DiagnosticsHub.StandardCollector.Service.exe
2376	DiagnosticsHub.StandardCollector.Service.exe
2376	DiagnosticsHub.StandardCollector.Service.exe
2376	DiagnosticsHub.StandardCollector.Service.exe
2376	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3592	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
Token: SeAuditPrivilege	4752	fxssvc.exe
Token: SeRestorePrivilege	1832	TieringEngineService.exe
Token: SeManageVolumePrivilege	1832	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3588	AgentService.exe
Token: SeBackupPrivilege	3484	vssvc.exe
Token: SeRestorePrivilege	3484	vssvc.exe
Token: SeAuditPrivilege	3484	vssvc.exe
Token: SeBackupPrivilege	4808	wbengine.exe
Token: SeRestorePrivilege	4808	wbengine.exe
Token: SeSecurityPrivilege	4808	wbengine.exe
Token: 33	4936	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeDebugPrivilege	4384	wermgr.exe
Token: SeDebugPrivilege	4040	alg.exe
Token: SeDebugPrivilege	4040	alg.exe
Token: SeDebugPrivilege	4040	alg.exe
Token: SeDebugPrivilege	2376	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 4472	4936	SearchIndexer.exe	109
PID 4936 wrote to memory of 4472	4936	SearchIndexer.exe	109
PID 4936 wrote to memory of 5068	4936	SearchIndexer.exe	110
PID 4936 wrote to memory of 5068	4936	SearchIndexer.exe	110
PID 3592 wrote to memory of 4384	3592	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe	111
PID 3592 wrote to memory of 4384	3592	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe	111
PID 3592 wrote to memory of 440	3592	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe	112
PID 3592 wrote to memory of 440	3592	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe	112
PID 3592 wrote to memory of 4384	3592	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe	111
PID 3592 wrote to memory of 4384	3592	2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-19_70c7e104869e9a0effe28d01ed53b9b7_karagany_mafia.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  PID:440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4872

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3688

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4120

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4460

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3892

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4240

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3264

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4472
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ef8fd4e25bb2aac0a53387b988c592a8

SHA1
61dbd604b6a00b6b67a763a2c24a08f2e416584b

SHA256
1409de98d77477a081b38c03c6821b6b8ec3ebe4ceb40014972b4c48518f66f8

SHA512
12838a45bc1d371d7adfbe4017f4baa24018d5136518a6886e946b9eb2e7ef168f8a801c861d284eff36e5e51689a297736c2cb4af7f65616280d021c8d07594

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
adbfe97da45efd2ee258d34ccb77ec69

SHA1
ce025a0308f6cdc44d04f2fe26fe757730ed6cfa

SHA256
c629e7e1bd401564e1e4b7fbae5d786c0aa1d4a7affced27281d2840ac4913ed

SHA512
803f91d8cbb5d9e5910bd72157895336355ee9cb7feef15dea653c562243315c85e077f1c8be61b4db56ef100dc9b1db817cc5ba5a317d4647004ac4f2e57e3d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
2bf4b89c82a80fb94eb6790072b69adf

SHA1
f8874f6b50f8cfc1ed98fc8110e28b7e656790b7

SHA256
35d093d556372798ac8b9828f807ac1fee8072335c15ba75f96349e45f5419fa

SHA512
ddc6387e8a331720a237415a887dec0db7746d9d1af617c4f64926dd362a5bd3ebffaefa55137279a04c06f8688c660f07463e1a8480cad3509d310d129506cd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dd6cb023139c76ef55d5cb1422c4bda2

SHA1
4ffcffc2b2c8cf958124e17ef35dc7c402d3e985

SHA256
df6778a7742b55ef04b12f8e4cd7654d3f6f7e0ca44fab7ba423c817f144f377

SHA512
9eb037c91c2bd7377cea5694574845d6b1b97879d9237d838a3fb70c9da8559b493272ed2f38027ccc2570f495ce9258c19d6d07a825dd50065a71dafa0d7f1a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b52af360cd29e8178b8a84bc660cae50

SHA1
4699b190d7e64859881fb418a22704f1a4da78e3

SHA256
7f958b2ea204c11f670fce955bbe1536acff505476de620bf41682d2fb8912f2

SHA512
e7c36809feb2ba98ef9b086715baed993ba0781e597337ff043f3c992f9758fabbfb67e83fcbdcbf57717d877881378b1a45005226833b484ae0aad8baeff1c5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
ba4476e28e1bc04d288c8e9fd44e6d06

SHA1
b7a081f72daf11950b7c4a8ffd3ddaab1cf6727d

SHA256
5c6707817120f6e7c1686e440e4340697fecad72222e48c48e3b0f84dc90031b

SHA512
58a9c3c35ef47f58f450ff8640da71917b1e9640aa21fbdafa3cf51b4fe29c176efc56f991f330e20b8c5f3a82ed01ea2217769edf499385d084e973b7307efd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
c8ebe34867a284ab5b38b7dae27fed3a

SHA1
61b71745f8fd7a0284c294d9f3d804c8d30d5716

SHA256
19a95e7dfd279a5484163800c2c8be95e86ed62c8edae84b6c00a44340d3a4d7

SHA512
cf23a3b32f9038095afde29ee6f8a377eb7a9910dcb29f3c04b36a16e10c836adcd869de6f9d10ad775232f62e37043c87145876b4842a7417857085ca571812

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
015b5c3af51ab41a72455cdc892984ee

SHA1
50eaab3bf173d2b3509241e9b9b62691a3c95ae0

SHA256
dc317dd04805001fdcd0c10416ec997840ac2b7ab60034b97da0f5c83b890843

SHA512
66d106a1f3553135a9695dc5711ad3db65cc7d28645772dde1ae778db635af64fed81b896aeba7910cb8a77c9d7bdb4bbf621c8536626ff1d96735681dff3581

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
20032f05e81d3125070a9cc8da463ad0

SHA1
fe5050b66c0ce5e92f0c1a552815673b8700b04c

SHA256
dd87308dd1e51e27b50824f63d6acbaee8542e24c9e4b92fb50b392a08993e83

SHA512
6bcba2d7aa8fabce9bba295fe68627701c590c787fdcd8d4f7c88d3677926d8e740760cdf3d45a7878e4297cfcea9a46df13b3f99ea2f92761fd43de40e414b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
73530e2a95e6eed221f9284140b88bfb

SHA1
86c6fc06d22145adb2d74ef7da1acf5222d1c4a2

SHA256
e5deaeaeab617598908890a2e4ad6b48edcf0bf704d5b7c62ebd96bd738f64bd

SHA512
b1fefab8c1d05c08291a1a9a4ae8e2c2eae1221243926f7a4b32bc587cc63bed531e70e5f0a1636e711ce72e27b989eecae0414fce3ca07e17359a32d2453d0e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c1929d6ac7482e112fa142b4bf7b5103

SHA1
ff897bd4c440d867a93dcada3c24f11f25782b18

SHA256
f9bf8def5ad6c6339526dfcf9a2717d4e2f837de18a33e1aa7ecc4aa98741dff

SHA512
de37d1f8474cf1d9bfab4e5cd79630d43d73c1c7d7bd29597e7715c307003d1fb82be50225b56730198be57466c4545ca986a4c0f9e2c8e33611df4969344b06

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a07231dd76ec709b6ebef91c90aa765a

SHA1
72a038a3840ea64002cc4ca15156b3b7e56ec373

SHA256
1279e13b3b5743d4b5e82802b0c27ee766b89a33da7094d7564f8cce0288ef17

SHA512
16d2e624516d16cf0d7b9162d825821c1a350f3c90f9f358dc33a7acd6abb7bcf0f68986dcc4158f2042af26423840e8f3027c79622cf46b4f9140c145be4bc6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
187e0f7403285486f2bfe83a2711dba1

SHA1
50beda2800bdf7d7e94b3d19d7c4363b4342f35b

SHA256
0dfe39c4d8d22f8229fe590bd9ab265c5252819b83845139f40dd609dd70bd9a

SHA512
6ae7a126a4593e5d280046352df02ddc55389802239875a631ece632098943c00872a3b5bb4fc3f4f5599456c693581329e7d3d4ab1323ed2d8766f584b84ddf

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
8f8e80134924bf7eb5c3448cb1444da1

SHA1
77a84632789109231697b5188b7842d77a407010

SHA256
7dc7d5aa06f808a98d4a3703c3eb6fdda13bb2e6e01ad9feb7853f73f283a3c9

SHA512
51e2290e7309a48a69163cd237c0227414668813c86446bfe277213f4345c358f9c3e5cfc7a26c30567bb91c647bebed0aadde70b5ee46d7c5febbf9552e25f3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
45315d90ddc4c09b40449718d9f74401

SHA1
0d44983d44f90f0c669d83e6208c1113a18066bd

SHA256
774425a1fe390ed7a78328e13dc875607ad14f56c1146089cfaccae7b786e3d5

SHA512
a91d43df1024a9c7660475287dbbe1d777eea11068f8badce77aee701dee5291e8f4cd8ff1213ee230924325cf7df58cdc6d334b471abd0d228e45dfd7c48d76

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
a7fbc4c8630b147c4c3217043dc689d8

SHA1
acbd90592969343324a3dd86d6092dc7acd5a852

SHA256
6d6060c172614c7f1eedf359f8b4808eed149b3332ce1f5d79faaf695e4688c4

SHA512
e1b2b57557ca7cecd46e32439395d36f3b94be0dc83cee2edb6430e800c9d060318518ce9b2fdf3fefe8187b2135ec4974159a92e57deb7a6b7f60402eacf3a1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
b7cd270257875beb1c1611477991d7df

SHA1
0f6111381e3cb3b07522d768a836310a2e4c3581

SHA256
1e7baff1f8cbe7e544a964eb2af2bb529406005c1fca8e082d80f7438336ab21

SHA512
7fa0db94f345c33e19e39814aa9c6aa7d522fd8b06729b569b004141438d9ccb9d7f6434a7ffd475d0bd3aa7ad540157e7f0fcba0a769cac471782f972dcd547

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
eef4b77ac37ce21bc168d42f57cd18c5

SHA1
cd5012f5627744bb0d50116a45fbf9d73b7b7384

SHA256
f4ba38a7ba7df0eec8f6eaf2c1a5c4e9e922d048d82708afcbbbda07681c2086

SHA512
1531aae6b95e5caf401c76abc0bbcf81f314ba169331bcfac0855b38979715de48f9ab09df62a42e2924cc2b4f375d4f751ea379cdf9ef0490bdfb5972e388cc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
9a547e3d18a54a93aa2144888f59844c

SHA1
a94b968f93eea4686c3be549818feda5b68f0703

SHA256
d08160cfa4369622c33eb92a30f13e7a1eae1fa480df2adb072f168b6d98b0d1

SHA512
1f93edffede9faf1032cf64593b2b4c47ff2660a18ed1989ef57959e4403430d04f487ed29a0b48939fc3a743d9fe03550aea8be235d2b03f2563bc35f61134b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
b92317cf1867da5432e2875293ad4dd8

SHA1
8cc796e78d330fb5b02372127241acbd1f9bd03c

SHA256
259f95b549bd949557ff598b4c797eb8b7fdc41fbcec25fcc06a22667fd30b49

SHA512
e575022cd993368ee37b983451beeab83c527fa64c294d274a08bc8b94aeb1c3f88cfc45dad42a2e7df7f867d385f7c53d7df0a939bf7e721bd52fdaa882efb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
d914320c36e5c7d180f5ff5211197316

SHA1
b9750230338f15eb10254643fb639cb6d0bbb5f8

SHA256
85a3160a34f4b214a8264b9dac3a815adb437545663190bbb048b2e6bec3a7dd

SHA512
12fc87c6f13b0f8d58ee983f92ac8327252fae79a3e3a2512fb22e2d74663711b580892282f1eb0d302af5a8cbc88231d82841e2f7dd5fc3554e11fb57884423

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
eafee8cb1adbc7161e17b626356afbd3

SHA1
75ef38649d3eba46f8f03a502be869c5c827419f

SHA256
73eb7154288ce297dd2294ba7e13ffc05039ff6c2441be600979dfcf4d4a093e

SHA512
7fb7e98d33463960ce8f1463e6a319d234d8fcc08af3ffceebe24e97b6ad2bf2e758685aec6829e8d1654ba2f6ca951ed85e74567e3809c8876fc389182fd0b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
82b72ecf3dd302d7a969811ec091efdf

SHA1
ffcb5a102fd0755ce19955b2637dbbfb4755998c

SHA256
fe3d543c7e30475409135d12b5d26830fe67c95a0d1f021d50c45dd3d576b173

SHA512
6549a3a8ea59f17294e3164b415e383491564256298a35aeff066724b6c3db981fa9075c548636dcc036b9c43e75984ce1867e2897c95396d69f3aff3a087fa2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
0514de3a2f08af13afa8490db4be337d

SHA1
dafc50d2dc73c5b04043764843b6fe1d64214568

SHA256
0a5e443fb61fb18a8987c2fa892e807e15d8966590e046611094a0bad71cc77e

SHA512
9e278718d162622a29334b346bd381ec098048bc3661f2aab61120d3b463532615f29ec9004b0b8808a140c14288540a3f5528e4c942123c9337def36c18ac24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
2a8b273a2728c1c061f58a178f143ef9

SHA1
071680f29743f5021580bf7dd82130aaf696463f

SHA256
4a74dc444f83c8ae82cb8f1d7a574bb4d0e61a3864044d5fd7fea3fc64a0afeb

SHA512
ddfe821bc65c209e7f988b46b318cb6b92ec1299629a72f4963f07d70857bea4ecaf49388a55879930aab5e29a7e03b9a5bd24f53a7f97a051dad8d448bae610

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
82d11e58fcc64bd006ba1735825796b4

SHA1
17618ecdcb029c3f37c07160fe099023664a1a06

SHA256
5dfa10173e0f032e310a2a4fb83adf4140857fd51132c3401cf3a17c47f7a04e

SHA512
f570b5fc48ec4db5afa1397d287aee44896f61e017491c1ba17df64bbc353dbeeab36d85eceb294b433763fa6750f016204c86476d5511ee4b8c0fc96f4aab92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
e1d926ce1f638ec6e7356c26fa31e3bf

SHA1
f3e2bfc6e06d3b177f8c8d095e75da4f9b254c20

SHA256
7bfd005aea26af4e05a9a89039e36f55e3a4de9b33840615242054e734a471b4

SHA512
261f190948a2f1d27c195feb468ad3701c16db906681847607fb393ad53c73cf7842615478a3b127279a1906b04cbeeeeec3092ca46bef79cfa0332d7806aee5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
776d39a6ab0dcf15d5ac7267195351a8

SHA1
7c9454bd88d378bf8222b9f0285c8c3687ec7e38

SHA256
1a7bc39e4ab4047cd11f55c09447196dc2e33b1e1c01441ab58d2e859615d4ee

SHA512
3357df7648e2ca1be92a79639bef899012e76a5026d9ae5541100a8881a70e125e0d014ac38b6baf3bbccf8b456c6d711439f305fc106935f605ac3fbcf85204

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
7b9ff4337ad3c4fd5d06a5c3e9071352

SHA1
e2623fd01cf9ce1d8543820af5fd6dfc097d7ba8

SHA256
a9acf9fc874b0742845d92fe3918cc6866755a0bf25b4184d1aa15928d0f698a

SHA512
52693370fe10053327c36ecfabf723b39108930ea2c800555bdf12f4133f05ca1512f9d17ed7c3d27dc161fff63601fec26da246060314e82959cfcdea2f9192

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
8de08034378d8eb2972886245188abf7

SHA1
5a3d16d231317443894ba3d6b897189e5bcea9c0

SHA256
a68dd92592cb02d0c5c4ba20c0544332bcecc032b39b143ee1d229877d29792d

SHA512
04aedee84df77a70f061c85d115bfb1b2ad2ada9841ce73ffd968a1b5d88d7ea4cc79ef5bf4c2f3b3ef9a3d03c65bf3802ada22e9f0e6f94147336d7a1e05e3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
3025b31ad24669f9fd55d47a884142d3

SHA1
144ecc8ccc14ab7bc9dbae7d4888d54ad26e4c11

SHA256
832ea9c9bd5af63dd1b661de584242fb81e93c5f7a9261c6bed4360be1d47676

SHA512
783e5111e8a4887fea6ed4fde07c475cba786048edf7e564745497ab56be419627c90b1109a4c2e8302449373819cce520940db2fc40930fce615ec80717adb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
6b104f240a8c43efda6a38002445e780

SHA1
7792d3b9067f22758eab07782f71d4dace2f3fcb

SHA256
84c2158f2c0a9de7ecf9a674e9e3bf04472db7728303b8e5394b6b53fd0d6fb7

SHA512
043cbb94b0e779ca1fb38dfcd0ca25403a3612d0c5bc51a7c4df49003ce972cfb4a836ee7b8ced749241031a3afc59fc0ae8600e56d799ddf280de9d6135997b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
18ff883213e8cafe13db53b34eb79d25

SHA1
53c327f59964f06095e757b58fbbf25d21fe8485

SHA256
26e777261c585654a1ce9667e9b305d1fca1465391a70d014d63660345f0ca4d

SHA512
4038d5c66aa850320b2ea3cdf9e403a247fb9f9b2720e2ae055e7e7389333574bb8fb3ba838c50685a2732f6d097457abcc90d83fb69ab5d8dfdc84e8b773874

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
2cf085b0a0e7f71efc7226f848f69e86

SHA1
2a273fc385f5863d2033a4a1168f522dafbdc101

SHA256
d57ba747daf0e7276291e7e1eb52540bc7de28c1fcc449d0404fd2eaf1c840a3

SHA512
0d75eefe95a2976e4f71ee426c9b76ab21885bd7711ca1261e5656cb5c85ca09c73253a2c5a777a6d423784c9d5bcec07d3f1d3c18ee81d521a107ef595f38b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
d6251503c924434ee6be9379243d93c8

SHA1
fec62f2bd42ead79304407e59badcb811c0b4281

SHA256
0f9572f097c8561153e9f166080b40fae63bb96ff4c319bd23ea929d24aa13a3

SHA512
2ec619c6548a1496c8e94b35577d1a3e400ce2f97a7e2f85d009bb5adb858f636a08324d51269f1a511e7c1ca9cdc1279cc40361f681f87d41ce67166c5b68f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
70fa9813bdb24f86ef5d72c872d333b2

SHA1
0a3f07efcaa5ffefddd1ba54cdd64fa136111762

SHA256
a05ec2f0547e020114f953e6fdeefdee8a1bd3289048a868d83cf85e8983ef5b

SHA512
a331fae10e19c2cec4f0d087a8bff74736a34dd796b53a4beff7995f184500bbe0a74947dafae4510106aa088bdfd14311c0ba72422ee50134ac87d7566e1abe

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e306651826c45a75a05d20aafb6afbcd

SHA1
83ab95f51dd1630b23e8277f07c133e8cad31fbb

SHA256
2e65948e662c409d5c3ad1814e9095932559ed64901b6ec5521ecb646d94be35

SHA512
b50d4611d625160f16192dde93cda7a8fa8c92b0412b2c426c5e5066811575dec342dbf8c5c7faf1a4f5626f6afeacf33d24ee9d4dd39b31de2ec520fb434202

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
d13a7282175001f0f2b377cb75d9e82f

SHA1
cdedc11fecb23d372cd002a4d3a72203a5e6062d

SHA256
8f0268ffa6455cbe23177e425ca7a28d917a1e01194639cac8b557bd34b46634

SHA512
2e9900eb5730f1e8a69e6171186c6740b0a6661bdd3ce87b1c2cb8733490a63464cf3385b4ee988ad4f6c5081a763fce4a27e7266e0e25cf6bd44ec43123e0ea

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
637d76c90e660bcc898a4a9e9be345b2

SHA1
36ec7640401dc47c63029e9b3fd78d5dd35f810d

SHA256
1cac85bf8c654d191cac1dcb5b11941feba44af8f88026240104f59ce7b79cf5

SHA512
4bcce71360c21a81e5c550dbd39ba6216699ca12c9bb84382c35a76088d8dd8fea27f1ee518e6e06b259423b96bae6619b606a85d2a0efb04b3344ae5095b72c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5ba1328e52d8d99794efbd22347cce5e

SHA1
ea47e6a1bb2e024b459999bf65862fd76cfdd637

SHA256
d322b43f2b26e54c685da707f807e10949eb44487dca123a265a9d9c0bf6bc0c

SHA512
ae37335256d4aa7ead7a38f184f3172d026e1c474b0676eb82f114c6a053e53242b000cdd6cc3ca41fa741d77b53c347a991ace6c4e34ee45c5acdfcdbd4003d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
0da5a035761f04e375f6d0a4aecc14e2

SHA1
68b63c878efaadf1905d1230b218f01fd47dc3e0

SHA256
599323a47a76bd10775939bcf5fd914b4a90d71f36d59b647d798c5922cdbe56

SHA512
afaff7c171b9c8fbe7bc371e0b3356153f702c4143d1504ddb9c5ef97213016ed54c3ef618f3e1d717a4e12019e7b6ebffd6c60b9215b78b59b3943ec6f71175

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
60161af8cd763cb0b0bf602177167536

SHA1
e02c0beb949cbee882b761c5a7fc3668e221192b

SHA256
2ae1fecfbc8f91a09cfb144f1e5f6449da612cc10ad32324e829ae17c7d989d3

SHA512
586b09d189085f50b4dd209f0c27fb9e7cc1dc2aa645f4a26e669467a014e482d10d422e42318d3d56f56460b0bba944c6a4a7d030966297673dd69d3a27b084

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2f6769a77be8f1b3172cc2ec5269060f

SHA1
2cdaec1609a9aefa274a195060e99fe063d24eb3

SHA256
b4ab21ef20917de99dcf202480858041ccb2c9d2e9f7a4cdfb05a62c7b1b6d93

SHA512
892669d26beed0fcb9b2b4e744bdcc90f00731c52027ae90aff45746cca25e775cd1d80bd53e3c5f38cfb665ae38003a3f3b367cde51c3fddfceb84b20c77b7c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
c2cfe3238b108568d73df22eb9a08959

SHA1
8b65ffbf2ecc61fa43a99f72c00bee26b3c82dfd

SHA256
7d79b3226cd1911c70963a4bbaa4e4c054005b95d5d4c87a4fcda157fb805e84

SHA512
17f1f87eb44418d55ebef3697b0bf24c93197c4519386c4d18dd438ce49b1942172968af4c11f20c858abec1d74634f5a6e2274a6b4d4746fc6ad01c543a743b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
d98206193e59460cc99f8071a07dad41

SHA1
b53943a73f78cc8a52023d3c73d3a5d29798a291

SHA256
a96104a3983de00855c923a84fcbf6efaf0e8714d5080e98ed0ad8cca3fb1d4c

SHA512
c1295ef59a669231040f6edb5c78f8cc87d6ad59449f9abfa4ce825a581e05aa15a88e3a248a231a8c47e7568396249032367dd72244d23dc61814aec7d7df4a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fd2fe00fcddcc98b3eaa53bd7b738952

SHA1
f11b01c5d6bea3a3b9fe292a5117ddba9ddf63a9

SHA256
afbe624c7b1f65ec7314f7cebc3ec8ae025fe7dc10b3d8c4d3d9ae2fbe642169

SHA512
48a24f460b92b1e3f7934d2674086bdbce835ad26b6a8b78fa4919ffa02432164aa5896cddf2ea6a656c15161f84d3e27382fc20b50e040a1178c8b348fc536b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e30f7757321532039c7a85c855bbf6bd

SHA1
083b79c41c745c975c0d1d64c090c7388c8cd18d

SHA256
db8307a70a296991969df5d0868f8f0420b9ec747ad9d780d7763192ca46e9e2

SHA512
4b5cfe7c47a8c2697207428835511825bf3241398bbbfff1b4b3f5aad4edd3f1904bfd875b5fcec71e9c4f3ad2622a357ef81a28d8bef763b42ad06bf309753f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
209cdfeeb6010b9f9e906b37d0c8a574

SHA1
8cb9ba1a2e0a5d5f0fc493b5b6cdcf0b16d459b2

SHA256
2d1763ce0aa642d27aacd258816f8fed3610ac554936b90dfb4ad96265fcfcdb

SHA512
21ac2896b41d50d700f9565e0e11a329632271a5ae8f2a8876f3856622e173e2b30964e3d86c5536d9575a26fcdba912b094872b97bb26353ee4ae4392802759

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ba86e560f8f624b1d15e2f766e40c6cf

SHA1
8354d27d8dffa1f9a1ba81a6f027ca0b9def8645

SHA256
d8fb2631b90f89bdc014487a2075ea6de6b1a422c17e703949cb69ad259c0d87

SHA512
da8379fb597ab48ea5378262093392f729f4f201d478819080dafb869ab9ce8a8e8279c3c19493a639ace874be5b64f7e5e0f7e1b1438367bc9d442e16bb4f9a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f35dc21db70a0fc6f5a31138223b6a54

SHA1
f60d84e31c2328eafe8d1ee96f5945f5c0490714

SHA256
58a039db85956cb9665361cd5249b03806ce531935b76f9fe160164d52e8b6ea

SHA512
7a137aa60efb02a3149a77b4d2f898d76723e30262fb13af8e744b496a7e5419f4e1fe959410770a448a609a000cae9b2f9524c462c65753a2da6d6ab47383c9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f722addc06306d4f8a23f8ff30d47c93

SHA1
befc8d2aa64882d95b689aadc51c9350d75e42bd

SHA256
1211de09703744a539b48a52e1b3fd777d4c7f90b429b4329e7cb7a91d1f5aa4

SHA512
471a1ddf55e893bd37a62c6d05798617d35f27f85b57b9d87dfa20d93644637cdbc90766d501869ff300d0e6925556580e5d95b97db032f2c60de6c853b87c0e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
ba1520e7a3224a91ff7772455a4ce102

SHA1
25ad371c72696cc4a4c609586733c1662c590446

SHA256
458c1b39ab4fac5629a303cd65222a4adc957bd6014065247a54c445ac184740

SHA512
00850269409eded19c7fb9ba3c2d35aec2b2f8a4ea9659cb028cd77ccecaee0e5d53e66f41f0e192d76406b77f89f7db7a34bb763e1033f96581b98b467755bf

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c1bc173144036373e1380528a790712d

SHA1
5a79d2a03c88cbb9939b294b70886d98f11204a0

SHA256
b79e5c54a32c92aa968fb75eb1cbd398b70a69cf7b3098a3fd6e2695f8039d9f

SHA512
12c210e56228d2bd3275786b1c831f95d6ec96d1b426a5749a49a68807a62a6273859c7979f7a43f7df92ce297c3e16c775a1a8841acbda969b9d5947529f9e6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
acb8f393444a2c3f7742b397c71d47db

SHA1
b54069ff64092c0d776bbae6faf3c554ba1a13f9

SHA256
ef3795a5596501f710c386c1027928d24d99a23b74a16dd7d03cc9107dd2116a

SHA512
f0cc6276a50e9b6da2ff71e210e1896ee670aae9b6b4a1ea46a96cd18775b5db553513c6b0441a8643c03b7dfff65d8e578a9fd9e1a62995092dc44f83be2d75

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
5feb032f82941652f461b6a016e2c797

SHA1
1a6fabe488b33b7388234a702dcd8a641549e2ce

SHA256
bdf8518cf7562f576da5618a75300d56e91269aaf07b7e4f9d09c33134098da7

SHA512
99f8599942b2b6f37f8734b78e8073f6319bb41c2491eb37ee1b51a7ba97ab437ddc0151410dbc36e2dccb31e627fcc480ecd7e150dff56e21a01972b6ea3814

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fca789374ce93998c7e2af83bacaa9b6

SHA1
484a281193c7310ca67be3e36ddec2eee58c5c52

SHA256
f99c46a7556c217d7e7f353893aed5d6640a344fdbd1e1232a837db82756c72e

SHA512
59899628840aeff67e8c86c4c296811fc87e9ea1427b38becf01f599cf434ea014b7e3cde89ff5126348115de3e1c614a700fb142b80c2e28a2897327acf2a49

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
212cd0a2128e609b7e47bef738d4009e

SHA1
eb027f7bd40ba527ff7b042e2c1d7b6a0aed6261

SHA256
a4f28f73ff8debb6759b02375d4b3614fa4743c47ec1d564d771ae055d09063f

SHA512
4cf0b53816bb08a35a312074dba810d4f07964ad63a3a66b097ee5e0b17fe9673712decb01dce6d06695979cafae54dbfcc59a9fb12cfb4c1f2dbacc5928bdda

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
98913896ad0bfd02e1e31099f43489ac

SHA1
188dc42a9010caf3a29eeb5fb8cce939611c74c3

SHA256
475a8744da5c5f490ae5b7412312259ac56e23a8c2f0c27f271ef9abef976173

SHA512
9698de706a530d29ae535e468f8098de02a0ffc001d7b1f72356da664806b3290adfcfed3660fc77e3ba31effacbe6e969f4e344e23a0f21e9673b201c283d6c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
aeb59a055da2640aae523253a5fdc980

SHA1
849c3722dbf18371e4b1b13f8f4cdf37cf331179

SHA256
9e4c6683c5209343b967f15247690c6d6b660918197fcb9a3b027f60674589f7

SHA512
cc22c3660a79168aa3def6efd82b354f9aaadca7e63c70758d1150e378814f73c449e4f64da0477844f98c27c939bb4b5d5718b8af0e632b678edcf626b4549d

Download Submit
memory/684-219-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/684-468-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1624-263-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1624-497-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1664-180-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1664-399-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1832-200-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1832-433-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2316-56-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2316-175-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2316-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2316-50-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2376-35-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2376-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2376-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2660-230-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2660-116-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2784-262-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2784-133-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2848-113-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2848-218-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3484-471-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3484-231-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3588-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3588-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3592-0-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/3592-8-0x0000000000C00000-0x0000000000C67000-memory.dmp

Filesize
412KB

Download
memory/3592-73-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/3592-556-0x0000000002A70000-0x0000000002AD2000-memory.dmp

Filesize
392KB

Download
memory/3592-1-0x0000000000C00000-0x0000000000C67000-memory.dmp

Filesize
412KB

Download
memory/3592-6-0x0000000000C00000-0x0000000000C67000-memory.dmp

Filesize
412KB

Download
memory/3592-469-0x0000000002A70000-0x0000000002AD2000-memory.dmp

Filesize
392KB

Download
memory/3592-555-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/3688-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3688-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3688-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3688-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3892-164-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3892-321-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4040-112-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4040-21-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4040-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4040-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4120-211-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4120-92-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4120-93-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4240-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4240-363-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4460-267-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4460-477-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4460-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4752-63-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4752-47-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4752-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4752-38-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4752-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4808-251-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4808-478-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4936-547-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4936-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5036-250-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/5036-130-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/5048-77-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5048-90-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5048-88-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/5048-84-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/5048-78-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download