4d0b9d64e5e65330c1e77182aa8d30e4c34a5ae8c88ea3463512d12380559fa5

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
Size

891KB
MD5

48e7a3c83c677e5fd10ba20cc91e5d95
SHA1

763297ab50127b0f208abc953979cfa40759b300
SHA256

4d0b9d64e5e65330c1e77182aa8d30e4c34a5ae8c88ea3463512d12380559fa5
SHA512

b07802748d761ac1ca0095df8a7821c8313c8866a00930fcdad9d5eb2b01a5f0d785fd5deb28abfbebcbf81549f093c651b1581072ce95844d46063a9032a674
SSDEEP

24576:0xQbgbGwzCRTrXusqjnhMgeiCl7G0nehbGZpbD:0xEAGwGRTGDmg27RnWGj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3592	alg.exe
2340	DiagnosticsHub.StandardCollector.Service.exe
216	fxssvc.exe
3848	elevation_service.exe
3616	elevation_service.exe
2848	maintenanceservice.exe
1804	msdtc.exe
4856	OSE.EXE
2104	PerceptionSimulationService.exe
2556	perfhost.exe
2396	locator.exe
724	SensorDataService.exe
3604	snmptrap.exe
2628	spectrum.exe
1444	ssh-agent.exe
4644	TieringEngineService.exe
4888	AgentService.exe
2904	vds.exe
5076	vssvc.exe
624	wbengine.exe
5012	WmiApSrv.exe
1596	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6c9ffea4c8648821.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbd92fc30ca2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b0c04c40ca2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030e618c20ca2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000837d38c40ca2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000026d06c40ca2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be3d9ac40ca2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bad205c20ca2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000879f9cc40ca2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000963df4c20ca2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
2340	DiagnosticsHub.StandardCollector.Service.exe
2340	DiagnosticsHub.StandardCollector.Service.exe
2340	DiagnosticsHub.StandardCollector.Service.exe
2340	DiagnosticsHub.StandardCollector.Service.exe
2340	DiagnosticsHub.StandardCollector.Service.exe
2340	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
Token: SeAuditPrivilege	216	fxssvc.exe
Token: SeRestorePrivilege	4644	TieringEngineService.exe
Token: SeManageVolumePrivilege	4644	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4888	AgentService.exe
Token: SeBackupPrivilege	5076	vssvc.exe
Token: SeRestorePrivilege	5076	vssvc.exe
Token: SeAuditPrivilege	5076	vssvc.exe
Token: SeBackupPrivilege	624	wbengine.exe
Token: SeRestorePrivilege	624	wbengine.exe
Token: SeSecurityPrivilege	624	wbengine.exe
Token: 33	1596	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1596	SearchIndexer.exe
Token: SeDebugPrivilege	1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
Token: SeDebugPrivilege	1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
Token: SeDebugPrivilege	1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
Token: SeDebugPrivilege	1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
Token: SeDebugPrivilege	1916	2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
Token: SeDebugPrivilege	2340	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 4388	1596	SearchIndexer.exe	110
PID 1596 wrote to memory of 4388	1596	SearchIndexer.exe	110
PID 1596 wrote to memory of 4592	1596	SearchIndexer.exe	111
PID 1596 wrote to memory of 4592	1596	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-09_48e7a3c83c677e5fd10ba20cc91e5d95_mafia.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3960

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3616

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1804

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:724

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3604

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2628

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5012

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4388
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
54e85cb2f947f206d2007c07ea099e3d

SHA1
46dee2115f969cdf4fdc436f85d80aec74f04187

SHA256
61f7ce52f3ef0ae459f48197f6fbbe85a75d92358f1aa51c0a655cbd8c183198

SHA512
b43ec648c13fe1ffd1c4b21bc627e349ffc09d3f04367e227da6a05a8bf1dceedad0735eca3a194abdbf1fd855bc87d93718d7fc2b096bc9ee18b536c34e67de

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
877db1ce04e5c6a314a10db63fdb1e83

SHA1
dfc4d2dd93bc0193175feb23becdee9b6070f766

SHA256
1fb1c22b1a14af88c9d49133c29432a61312c784a935798c7e99a3cdc174fdd7

SHA512
08b682d8de37f23786db9b05e1b76705104405dff83926dd6c1d564ffe7ccb493f21a3f74d60ee73a2c77ce48ef935db061fabf8a2bb3f00328a1ccf64c98194

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
529bd86c59a1dc81692e3eb68ce3aeef

SHA1
c979e37e84fdba4e68a6830c9c8daca09cd03067

SHA256
620d587fcbd2d02eb5f2f1d9c0282cf9aadc7fd3f09752ac2396e354f0651124

SHA512
246b6b188784032eec925746a0661a585b10bae16f94ea8ba2ca75eda5e1dab2dcf281c8cd3295f487bf75b3dd1fbe6501b2fa5e28d9a5c0bd24d05e47771bf3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
231282c984a2a146706bfd61183c55e6

SHA1
938d7aa11b80a4c0872570146c8d74c6665dbc2f

SHA256
a49b3ad9729821004066e18aa88758da2eb7fc92ee50beb9b0398d36f24c0417

SHA512
af5ea2fc995676fed8e36988b936044951603e12ad68d631413a1eb48faf6ca2520919c6cc0a67e9309cc8f6bb2bd47c394bc06a51182af8b8be741991e48f57

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
43fe0c5d051b4eaf6e25efb4b2d486b8

SHA1
1ba61fe7709a7767f5ac15e11f9af9ae1e565f5c

SHA256
009d8fadc0baa2efcf9dc10ec2e3619ab6a0c37e49ab93342f1d0f60d6e3f0cf

SHA512
2c10a3033c3a10ca6c0409d51f64add626e48e6d6522cdbf2194bcc7ef758d1b98ed54689072ae5d1405865f495ff8a15c8672cfcb105020001129ce004bc14c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e55e68bb6c19f82fe9ee8b2aa7320f21

SHA1
32b95907e1cdee73d88936eca64bc9d7e20ced51

SHA256
db1aa3b9c5a5d3eae5fd5c394a707a881bafd3024799bb2bd93af7f59c93a7be

SHA512
d3fe52a5030717ef30a2049e71e19c1371fb60a94936f8e42a5cbf0fd5b7dbf4fde0f3bcfaed1c8410fd4890b2166e9c8e6f02281ab5c94869938b623cb09e5a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
1396f8d38c84c0329222558276713eca

SHA1
5e709e9d41ff4c025a066bc33792fc0f50d5ef37

SHA256
8a4b5a34e944ddb42ff2d6dac23f0f52576faac0fde58272d04dfd487383680a

SHA512
c12681858455027934d653430a553afea55d5a6d2758bba714fa1d5daa176923467b3e07d8c659a44b3617b17f3a619008c9c915cb09daba5b73387aa605af64

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b19a1edf0784a428c1709713f2936a88

SHA1
3c51ebe64f32ced9f0df6c4bfa4963bdfd7156c1

SHA256
03f4c47154739f7fa3b1c21f409184cb4cd72640cc335579a89bc4f1ee4530a1

SHA512
1b6a94eb6ce571475a3870419e825832a44797b685231d9a4a5ee2f95f2ac058184597a8bfb2d45d84dfdca5d08d2dfa3e641c6c68bc8290316f1249b5e40572

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
0688974ca366f621a023f130906625b3

SHA1
52e4fdd8f2d1a11406f1793cd20b60a28f850f7d

SHA256
427ebdec683b8a2b4d247725a3cbd497e04abddbb16695f405827cb803a252ff

SHA512
1ba377c8e5ff7bdc6471fe65bb85051da590492a38e7b5aa5e15957d0c66c70d3bdf541c59096f6278515aaaf8c1edb208e51d57e77fae82b3fc1789632f292c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e2b90cf5a27c4296a381552dce9e2cbc

SHA1
6b79cda00895bc481a53e5284cc8ad44d81a9746

SHA256
77d43b950f16422e735e25113177d06218eddabb24be192d8f7a75f8da724ce8

SHA512
16854f829a2f99b546d0493ece6331379ffecebb9f630775b4c953a97bb0fc0e1cdde93166914427eb742adc6453f4fb5994fcfcf3d4511621a76c049c220bda

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
16d0c610ceaa4facc0a347e7d6c3c10e

SHA1
df8f037128e5ebaabebfd2e6ef0619fa4ac29a0d

SHA256
e9479f3b2d92c6e78f8db401baaa8f3432554293559c2ee62284b508a12f1e82

SHA512
64801cced8c6ea0060c0525df99abdbd029ec0443d1c55bebc6870ba9d8da58313c108a1066067c3f783b8d85d8e065137d87bf5e3558e49b3d76e577425a1dd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a50001223d5188d08a68f0f1d299d4e8

SHA1
0c27c8aa5d7546ce6c8dbd8d14c528fb9c0d57bb

SHA256
168197c3b708c9461f02f4bfb243fd2914780cd50f4f901868175e54b6648e49

SHA512
29466588b8814cb98c0096fae88fd9f08f3a1d65240f87c2fe1b9b860af1f3a570f86d1b7165710c478b7e17d6c9649fabf4c92c70db5b9a5922a9ae2922e628

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8ec152b04c4011f34b8cf33c23ffc0f4

SHA1
3972c31be5520a28634e261c9f7853b2b4691641

SHA256
ce4c8d4a3110e3d07bd8abb4ca3d5293da4ba5304cb5e4b0abb2014e9520c6ff

SHA512
142e0d9c2e322867caf6752f2335ae0c530bc75a80bd9f7a76978e3c7add2b4bf560f036317ee6629faee43fc93e94732a3e34912ecdf5e13d0066b07ed3d8e7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8398ede5572e4e0a04c9c35f0b1d93fd

SHA1
5cce1270a743665fb227fea9084679a53ff6a7b9

SHA256
fab0f6abb3e9c1682ce6fed53374162004c955b72c35efed72f4e41533940e9a

SHA512
fab9f812be7afb3c71f2cbd82357721f91ddcad86baed3361d681bde53a2a2b120bff348f3c9d4e45b372941a1e6e058c5a9ffa75c37330d59805be36412442c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
da92f171b803420706f3c5608d25b571

SHA1
a6330a898511520bb1fb353c613fe9eb40c07b8c

SHA256
866d719dcd20a79bcf854abe1ef8db007c502f66d8a98982e44708bbdc9852b9

SHA512
9aa3b6cf7656012c1772e2c827ab5a15d94176c172ca5741060e1bb57965c020932c36f65f4b7227ebca92627654841dd6187643a1d68b90d9da0f1373d0367b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
953e03534ea2153677f5c31d037a8ead

SHA1
bde78b5f380fe8fe114fd69ed68e648fc6b747d5

SHA256
de5588ca71ce663036e3cdfb502a47ee1d837cfbe145c6426c6da376dc42d298

SHA512
4009776c60ca88dcad323182c2785ff3a0178b64f9b38054f5cf98fac4b44199b9113e2b127723eabc97490af34050fef275c115ee63e758c21d4fcf4bcbf4bd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2b93b3d243af82bee443ca1e2038c477

SHA1
863a9c6237fd42d2c1fe6cb435851e6446ce9c15

SHA256
1dbcdf6483c4fa0411108c0dd1159446003732648c030018dcecfac8c83767b2

SHA512
e555e8c4392e75b051644a5b5a7e00f6afda13f43455b347f33db524d3947deee4db1b3d402a35c0b56ca8cd66f6a81bbe81349a2af6ac8580daaaba260e1b82

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
dac2e666d64d0cde0978953df67d44ed

SHA1
163e3e5af5825d022ff11b1f014683d19aa5b0ef

SHA256
68c7767c7db3a6d87eeead7c9856df5486057dd81ced4f41362f9220e633d0bd

SHA512
a52dc841e170120ac39df013ecfd8cf81c880a1670b700e0ea5b9adc630617b6831c00bbc5725401bb7680e0e7a17237409ac095b1b6469661fd7946a410c85c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
1213de9ecfb766ef922c32f75abb772b

SHA1
bee8d042cf15a4299ace706de323243ad1f5e721

SHA256
2fd0fbb645c2045753e514d11daac7246c47b9c942a6025916954824ef09e796

SHA512
f350d1f7bb0a103e67df4927cf01494c2894f56af25278d7cbcac22f02d10ed1ba9d9539bdebb57824dab99bae3014ec4876d0af81cbf71a1efaa9914428db7a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
77e00fb8dbc05ec52b55d93bfc486352

SHA1
eb3caabbeea951bccf1bf6c82509a5478c76cdce

SHA256
c276c55e7966e05637461d26ea07b1c8be216b8adab5484be80ca48ccf4ae192

SHA512
0a07cb8eb348105698a48bbbcbd240b3c3b695da28f4c7206b895ae0e159caa57e088e54127de3303cb076bc7b7d1ee8b3c6932ffca5b6120e5937804d183b29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e5e40048e5dc36b27a6fae78ee5e2094

SHA1
995ad92c9ca4ee5610d82ce71a5e78fabf3b623b

SHA256
afff61a60a6cb0b5d5e9df05fcffceb355da7ea5fc6328527ea2b79d3de1c85c

SHA512
8d249540d144444d848d762c3388406000f077f5cc91d327200fa8f04b6fc768b33bdf2000573d01a65d799d8b2f9e0e2a8cc1365fd417877b9976d2562d8bcd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
48d3a572917109b192bfc58d806c61d6

SHA1
a42772e86a0f4673cb86b90a7b1eb34b712b493b

SHA256
5115fb593ba5197e1447ae752fabebcaa5bd67163df2907e885154038314ef4d

SHA512
7f40fb997b4b806d915ea03632caaffff47ac707ac7e8a722398315618e2e97eeed4021a1a1d64641491df66ac909ba1aea5d03ea35d03a30eeb12dc2145a0fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2fff5586a0c0384bfaefec2d0db5d2bd

SHA1
5e280d4fa4e8595a89b5684ea1ac50ba79685627

SHA256
556c1eab70b2dd1fe96a59ef133168a2476130b0a50c91008e5a94efb8da49dd

SHA512
ab0e1f3078243adeea531879ff0a59341306e6bc14e3ae1f2822fa1874798aeb67e1efdb23185baffe0f43d958bf54bcd46d731cd8c370132c405d2a287278be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
a3212c9520271853cbbb603b256d6016

SHA1
01e55db4116244b68f7a37334a53ec5c88abc11b

SHA256
f30db72387fbce36059b830e75fe3377cc1567ba634ef7ff82e1e0dfdbcfa90e

SHA512
1b0d911995b4dac6cae56a7de9eb00119c0b9a194e0eba0bc9d400f4179764483f1f34e66c0028b98bdbe3cb2fd25fb2f5baa470d3cb53c299dbc4f3ffa8e639

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
83b0c0eba1638fc9f846e31c964381d9

SHA1
180194e8d3492fd767565fa05fbc0223d5a1223c

SHA256
2aa15db41b1b126c23daa76b1eaf150dc87cd79694648a892b02aa54dbdcce26

SHA512
c0a0ab173119a21a6cdb35b51858b18c3d968552711a2d417f14128761e6f13bea46880238c082ec459bdce721e5203e75ff230f19e73cbf662b2a95c70b3baa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
329a3058818cb8b5333c4a17bb2eac3c

SHA1
7dea9899a8c5460749decb5905a08ca76f79177c

SHA256
85c49eb8456bb0708d1a73c8579cfcb111bcc433770c730c52e166e539da219a

SHA512
06b86db70c03a730b2d4fcdabe42f0969df1be61fcb40be971e85f9d74da00aa8f70018fe3abf5f56f925324bba60cb90078e02992afed27d145c7e48b59de54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
9bed6625e5503b2f587d9bf3d7f6ff19

SHA1
39806b7921d973e60a4e399bdecd37a73b1ce01c

SHA256
833468e7bab81a15f4f997584d4d1f75cba734a5958f89ee33277491f5c76e08

SHA512
43112a0e33caeba0a190a3195b311aa1b057920a78cd9c6ecf78d5414a377d7c407513a12e452551aef0ce32b5d00e34e910088e53baad498261c61ce156075b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f78026253abfed3ac022b8620fba1bfa

SHA1
276be314ed0f6501b9c5515ed761993b9c4577da

SHA256
107475f8ed2ebcc45c88f062860bbb0c2de85b4b3e3e3d9525c61101ca480673

SHA512
bffa6c5f87d56a2519bd629b0a55134be3bf924943e729861ab78e97ba188e4b70adeac49c23ed38aeac6a5f90718dee5a95c6af2dfde735f0c44f78c3e89c83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
100f58bc78383227032fa04ad30a31f7

SHA1
45607fe79e6708eee5e1cc1186ccda4d762260a9

SHA256
3d3959ccfe476981974cffef20a322f600055109df748281efedfd551d65e5c4

SHA512
e1fb034e6cbcf60077659cfc99dd4f18745280a77b8f3fcb7229096b509d765b6dc9fd96f1fe6f597000f602a4e50f5fe6f51acf0373ce119c763cfedc66317d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
4a8c94cc8f4bf386235b3d1d6fed8a02

SHA1
92a92929f2080b878a1c7894d0be8a2b28b2dd83

SHA256
b1dd9a8c17c5e4779e6f7595ac6162dc0e551ec243a436cd21f24094fb0229e7

SHA512
d7ab5bd8b9a91b5ede59d8c0d02b52f683b25de2c579b90c7682add3b14956e1c1010f826bc8519807cbb2cc0b0d3543913f34bbdd11c4004bbaf799c2c6b1f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
fe95f71e33e0300a779cd65066f7add4

SHA1
4af350c16ffc223869142b4e19f19cdbcb73c64d

SHA256
5d9ad5be1b961c15fbc8bf4d8e3617ed3f91b70a34bf5e56cc38723fcae70e9e

SHA512
7d40e20aa8168b4ad9c2b58b1de003f0b9343a7295ba27524ef2540a9d739c81d7c2384b93782cf3de12a333bc09ba1558d3fc4a6dacbf20abe1b6b129462dee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b4224a33d93d3131b062c046c67b0eda

SHA1
ff20a53e5a7c9e12b44011e245f38ac24add0d90

SHA256
9f2310fd315046a091d9467b25b648ee489bf2891fc811141e94ef53568aaacb

SHA512
ab737d2cdb039ea806032b0e3f3394a97e1ea7369a617294d276fb68c29a8ffc92fa7f2a1ff166b25251ed25d96482734407daedafcbb5a881c944091c4f6a23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
0044c16193feb6df45c9f5ef4edc23b3

SHA1
b08a450aa9ecc5da99c257bed7e0a6ac589dc5a4

SHA256
7c51eb41f27f70c9cee0cd16d2f67008168368117cc8d73a391ddf49a0d4aaec

SHA512
9072495349b6868adb5e9c04fac303f02dee8ae5623cc6225c4557fa78486e8445f57a9e78e176f69ca3024909ad0e87c4ebfa71a07c433807ce97dd38469549

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
c6f48b859afeefab2946503f5c8eeb72

SHA1
9bdb7a4686fe7e0d3d604e8c7a870d6507619f14

SHA256
fac0fe74765ccf866027d9cbeda8253da154b721e51dfe27684a1572154d0cdd

SHA512
53136a5db004e7ccb6d4376180a691fa01ebb99805f32e496fd1373c737d3c0e1ee5de667b46bba01938396209657120ca0ef1454bd6ff2a711c147c187503b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a987153d4be4aa5ccc3a873c8a8d2ec5

SHA1
59b4a224c121ef6cfd4caeebb7d6e979d4877bbd

SHA256
04ec7accdcd5ed6c30a8df7aeb67fc15784ae67cdbe6be7a34447ba9ecbb1b71

SHA512
954cf6963c70ac78da5c5b1340a22aadc3782b90c8c08d07de9d3584fae0d19c27aeb9ec945502b875d9ae8cce93ee1baafa4221a7650bfcf530590ee7f1b079

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
70932e1139a27487104eec1cf7e0dcdb

SHA1
884896d56d2ee9d1e349e0eb1e38698d7b79f664

SHA256
f9fdcc243747c3e0c41193626f7f977595fcbbef494e08cf25908fcc4e5214d1

SHA512
1d7457099dc16cb890706ace07346e6bcc53ce3919eb9c74ee98959eb99e786c36b12bdb5bb1e7d535dfdd243fe9efbcc616792b24dd9bc7441bc99456bfc0e7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
45b947ed883a2d131b958c62a1f67095

SHA1
a2571d2f0bcec54ed9fc340970555909f9f105a0

SHA256
25991e43565c6adfd92c7d6911d5d939246bc85b89c428e4ea49971f1202ad39

SHA512
8a729031086bb8e05572f29211587e1a20bd352f7b1e51128ea33981da8e1b7e5cd8d655bee03119a02bf835be5b8c13e9ec13ba22bd9b3af91dec2f9f28fe14

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
3c91d669b8baa96b14ffc8a72eea863f

SHA1
9c19795a83b2f6cd352cfcca46168ac81ac2ffa3

SHA256
b050416b5f8564a07fc30d7a3cc2026b52c38e6482bfcf3f10e92d56a1b37633

SHA512
adcb4bfbedb94b67f5a0c5a0bcb3d5f1cd40c8997f6d5f102fe055acd2ed1a6cbd9a13f0ebb34f855077f55a011e68cd7f5f5fe32079c754449fd7aeabca7f40

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
7d9fb3bd760ff25f99dc9c6d551774c0

SHA1
703def3dff3bc4d6c56ce440dc3d368e4a3f8d2d

SHA256
13c69889043197cf2da7d54c3c101b4a014e6553f687f90d2ffe1c328a914ae1

SHA512
e7745a848eb1a531c0cfce632c31a6d5a3e7ec12df595b45695b8e18aa92d1a264c790bacaf5424fbac6b48f03bd189b0a337b2cc4730d26d47a1215ad1956d2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
581640d36d00e2564a92421907e5445c

SHA1
b6a70527c03bc18f23a38fcf286d1a39fdc83bdd

SHA256
6ca855240a0b1b713bb0e7c7af6d4f99e8dc43b13a2c916f5ac7e3f568203d21

SHA512
b6344bd3e933ea10a4c048afe75688e00b68ec34c427e7ce95a20d2dba9cd668db8bae37dbf33d224cbf7c94ccbe28c025420baf36a0b416249ec3a527675ffe

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
447b0f252ae8dbd5999d51f737817da2

SHA1
1365d016d78db7012c3fdf0d61afe76b3d6aaafe

SHA256
5931a2488d22c96a6fccd9e99c1ce6da56867bd5bd6a1d551f5a143765a6867c

SHA512
b4e3dea0c05862516d5d76f04d3360431c90cb8c4f424e5458335a5bfcb3a526e6104f379b3077f187919d678ad9b6d9a62309c1cd430feb73f43162fa0f32e5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bec48c24765e52a12610ff97e9d99444

SHA1
d10b5431abb31c42cea737158d97904b1646811d

SHA256
2b62b8633b3c9cd7e7a2617c8ce234b66efc9a05f0b0a5181ce8b9d1fc2a096a

SHA512
f3b1d7677cf886fbbf29fedd1565a7a257ded80eea8db1c0880f53f997be9ab41bd05891efc931cf6cdab29b890786e98cf3b36e25d23a989b68b9f3e0bfa617

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
9195b1e8a89503a5539f29df1d0351b6

SHA1
900209cf22b306b0d2c9ac3b33fdd2d85bd08d11

SHA256
33585d569396e471aa38704f880007d2166dd1f2d64e8cd34dd33f527e8504d2

SHA512
1c5bf3634fec752d8dd1e2788c646cfbb658f7df8d1407a17acbfa2d2411c5f78567d3dfd6133900e6fee026e1ed19b9a4228dec69b2f52f3248be3c4aabc833

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
01c219b5112fc00a2410a36a4aba9e25

SHA1
e299975035ba5d293a9832434a5607b89064554e

SHA256
58536d571529cc1eba6d70899dc9a5c6f340ed89a19edb5e7f03b23c31a70c19

SHA512
36877f2a75464094ca057b6981cab34f520adce968a2f9fe96f6c6529bd2b76138b4d87540e3a55218086d326563ce4dc5ff3dc8f3cbfce012c03af14cdf893a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
59cd5ad3e19782ce8ded4cb09374482d

SHA1
fd68b4707d43f15337d9318fa5bc2e4872d57388

SHA256
72cb917cad299db0fd7b5fe5e8c94956d8d4e271c635123fb2f6bd82e0bb4d19

SHA512
92d3780c161ad84acdc9881569201da13b49545850104af370333f07ab82e63b01661bd2e10bfab79fec7f40737e3d74bf94d6261185e042001651a6abdc6960

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
10b417c5f900ac9e1347ea29bca9223c

SHA1
fe91a05e0164a22ccec8915170d69b9aaa830011

SHA256
bfe4d145ddb83cbef5f2aa0145b3912f8733ef31ee1bd7788fa485f9f826aaaa

SHA512
70f2446ec13bb74fe35745cb06bbe0964b4d6f10319f3d757e4cfb1c9e57b32cbf1cf2930c722526116e181b8cc1accb2ab6dc5b97e12ba285155d3814617215

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8f6cd546cf3bd53bfc78cad1fbe747ec

SHA1
19685d220f4472bef4d862b0dee0df0f373faa11

SHA256
207d7e169d5e9dcfca62108979f50120fbd77cb8800598eb10c166c2e65d40ac

SHA512
1981357b4b5c3d8076038a93563d44ef9c29ad93fa8dc39cf804a62bb2b6a271f8b864ad857837feb849e3e87fa8d9f45cdfde45bd35f9c063d41025099ebe63

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3c66b2f3328b53e43c3a10fcedb318ce

SHA1
3bac298ce257b9bb04ac73e200bf4af84b1766c0

SHA256
442316e2f6bd5865213e3cb270aa977e3a32b71cb830ad46b2e37657c1bdb761

SHA512
eb439a695fa40f81543574ecc465a8df68975d9cf12d27b4434bf1db5d17c6025714532ef6d8062dd228618c79155de3b5774fc4e3ba75d73c99c90b31d378bd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
cd222d03d5eb8a2d932f35dedea3f11b

SHA1
c3cb746bb75d0d186db55055ac4c787ada468d62

SHA256
c645d2674fa30e3834083cf0fa37571f28a88072cf2a439fe35aeb0d267a11ad

SHA512
839a9a92c142af7430164174fa2bfded90b78625f115476ab23c54453e0f3ab7f6ec8d67bdcba1db534314a0113078e14b573f4b19e6eaca855acf211ec0d403

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5dfc6903b80b777d6bb68e3e72944d60

SHA1
f37992e4cc79c48b0ace813185248af2607ad682

SHA256
e6cd478d9eb5c3fadc24181ad6090a0eb90000145771973155a735182f501cfd

SHA512
190456a341d8b63bf5fedf871ddd2264db2a6139290bae4d657ecaf95ad4748e25e36f1981d21cd18613d736be69ba596c8c7ec6c219f9110cb0c17d5e89272d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
26109669ce0d6b77e0bfc3d0f6ee0e6f

SHA1
fb41d0e2518509e14f43df0de23af7f358c08d2c

SHA256
faaed297f01b576dbfdc7272af51ff9cc13b2621b56af81a9790d0b9b0939b88

SHA512
e6294089b59ea230cb5bf15a64ce3bd808bcfade817c9ff9a152ed75dfbcbbded8dcc6c843166aeda178ed58dac6986497671e6afff4b0f9840850fe3744d46b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
1ff2ed17f046a144b5b93f699401bfd1

SHA1
c4a2e312f588c1600a23a7d5aa4c7574b0851b14

SHA256
36dbf881cb2f8bf92990c4924ededb048015bb98020bbde03fca3527da210976

SHA512
75f4cfb5e6045ce5e18b142df5c0df4aa95756d559d02b00038d6e9cfd207c499f36331a9365c0d98487a830c914c712fdde163ebe2e81aa937efd7de05bb657

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5728839c585ce3462e41cd07b6c768e1

SHA1
e3740f17ac0f235fae04bd29262c0a1465d21c99

SHA256
6e62055a75938d33ddfc0c2ae2f482c7d8cb3ee0e8a4a89a2b28cf10362b6804

SHA512
7ef23dc73e506b6e26142d646d20bc312a41d5ecd137919bdcf2c8c42e9db6b913b05704f7211204b3a7dbcba0b4466ac03844e3bcf83eb3784f6f5cab09e3ce

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
85dd8cc84a8668ce49b4b31e8a3a339f

SHA1
b5d901684ddbf4a1a5b22f15a07335844220231b

SHA256
5c426756f7f2a881924ef5c5990901922740c47fb4f52e9cb2337a7d2f195307

SHA512
0e9d33ab3b3bd6c7abf08bf1bfa4ad2b93aba87d6d5e4c752791aa5f829ff6e88c4b629323dc1a8474726a30ec06a94a279b3da658db020386df53a1158d4a3d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5a9a821cbcc3ef8d1b851e6e94e684ec

SHA1
7ec730176820303b3551e178fa57f91d8fd26584

SHA256
d1c166389d450358cc8a5687dc17dcc3d2dd240cfc28a3842282db32a6f15276

SHA512
84ab56708764f03673c5b9108f5bc924f00bbaacd109e48c44dc3b03409e1ee58800691be8c089a55a3bb9b97786adecd2f583f574e6acad04cff15f4e17b3ac

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9657d92fbd2722ee3514ffcf3b82d8c9

SHA1
3ab552a95e9e1dce2b2fc0a8deeea05775c1691a

SHA256
c4e47af9edb52d143ae4f4d1db51ace320b826e8fd968378d4bbc77231864635

SHA512
612a592ab7d3bebd2a6f711bc30b172df9d63cdd41adb6952182079249d1ffea2b59ec3da5a2ecc5e3c97c3cde7ef52a5b478097fa68d1b89052f5361faf9ae9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
768079d3371753ae5905a26f01882a1a

SHA1
f3f1a4747250668bdd5bce2aca7eb88a45475091

SHA256
96e8d8a45192aa6d4e7fe1ff99fb3290c0f185427a7ccbe43cfe7b8fe79dabeb

SHA512
0c1497ba0e2904e86422b1890819a532ab16e1ee4129aa8d078d56a0e36e38f1d2caf441acf25194fb6328f3a26f6b16ea7dedada40d2c232e4be153e36d048e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
802e6266a37ba15aba827b99d91e97c6

SHA1
1f6d637cd5db460bcdbd406eb2ffbb1c862d825f

SHA256
2608c86fb3b932ada2da48ff71a3fc40b15b0127d9373136bd9cb4083b36dc14

SHA512
a76732ff9c5102a8e84c279e424f978542bc0629c8ce2c91a530a3c504f96dc23b4bce0f17579a55789337bd003f2fbb4a310abd2dc9da1b061a279260b6e52c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
6f8383a6e0e9c39a92b882f25d1e4954

SHA1
e4de03ddc3a8a2216f1b06fdf9ec8bef6362c26d

SHA256
61762a0d65d4e2d3d94b74b32925e9b1aa20756c0ff1e738fca9ba10b257630c

SHA512
0bc2cbf62eaae94a72721b001c935aeffb133b54431fa0771998e5435ed7d51471aa747b92cd1a6c4e32dd3502eefd6c08b5398ed191b32270fb510efc519d3e

Download Submit
memory/216-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/216-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/624-168-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/724-511-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/724-119-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1444-519-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1444-143-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1596-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1596-522-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1804-71-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1804-379-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1916-1-0x0000000000AD0000-0x0000000000B37000-memory.dmp

Filesize
412KB

Download
memory/1916-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1916-8-0x0000000000AD0000-0x0000000000B37000-memory.dmp

Filesize
412KB

Download
memory/1916-84-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1916-11-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2104-99-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2104-96-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2104-90-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2104-513-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2340-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2340-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2340-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2396-118-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2556-101-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2556-102-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2556-107-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2556-514-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2628-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2628-516-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2848-63-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2848-56-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2848-57-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2848-67-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2848-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2904-165-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3592-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3592-117-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3604-515-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3604-120-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3616-45-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3616-164-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3616-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3616-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3848-146-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3848-40-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3848-42-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3848-34-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4644-520-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4644-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4856-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4856-512-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4856-78-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4856-85-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4888-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5012-169-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5012-521-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5076-166-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download