b2af384f8992c7e0ff217fc659c75845e72a6685e2e274dd077756ffbcb49706

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
Size

1.9MB
MD5

b00b2a8dcb9294492bbdbb27ff85c1eb
SHA1

347ba6ab63cac431a2a7795788988cb0f329bcc6
SHA256

b2af384f8992c7e0ff217fc659c75845e72a6685e2e274dd077756ffbcb49706
SHA512

a201e6e191000670cd9f11ae1301d5b81c1e3af9f483107a3b6dab1c871b50f4b895aca0d279e64f6719fd03a16d855d430428be44e3180340dbfa9de5beb001
SSDEEP

24576:yH8g9uHhqby6D4IdPooXRAu1x2DIO5HMoPhgzH2U4o7s6hc:S8RIdRRAu70xhgyfo7s6hc

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5020	alg.exe
4552	DiagnosticsHub.StandardCollector.Service.exe
3304	fxssvc.exe
3652	elevation_service.exe
4828	elevation_service.exe
4416	maintenanceservice.exe
2868	msdtc.exe
1356	OSE.EXE
1296	PerceptionSimulationService.exe
1456	perfhost.exe
1412	locator.exe
684	SensorDataService.exe
1268	snmptrap.exe
2364	spectrum.exe
3528	ssh-agent.exe
1940	TieringEngineService.exe
1416	AgentService.exe
2236	vds.exe
2924	vssvc.exe
4420	wbengine.exe
2676	WmiApSrv.exe
4252	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\38c397c56c5b9070.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b36f23b57d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001697133c57d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098833e3c57d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb007b3b57d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
4552	DiagnosticsHub.StandardCollector.Service.exe
4552	DiagnosticsHub.StandardCollector.Service.exe
4552	DiagnosticsHub.StandardCollector.Service.exe
4552	DiagnosticsHub.StandardCollector.Service.exe
4552	DiagnosticsHub.StandardCollector.Service.exe
4552	DiagnosticsHub.StandardCollector.Service.exe
4552	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
Token: SeAuditPrivilege	3304	fxssvc.exe
Token: SeRestorePrivilege	1940	TieringEngineService.exe
Token: SeManageVolumePrivilege	1940	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1416	AgentService.exe
Token: SeBackupPrivilege	2924	vssvc.exe
Token: SeRestorePrivilege	2924	vssvc.exe
Token: SeAuditPrivilege	2924	vssvc.exe
Token: SeBackupPrivilege	4420	wbengine.exe
Token: SeRestorePrivilege	4420	wbengine.exe
Token: SeSecurityPrivilege	4420	wbengine.exe
Token: 33	4252	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4252	SearchIndexer.exe
Token: SeDebugPrivilege	4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
Token: SeDebugPrivilege	4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
Token: SeDebugPrivilege	4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
Token: SeDebugPrivilege	4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
Token: SeDebugPrivilege	4028	2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
Token: SeDebugPrivilege	4552	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 4260	4252	SearchIndexer.exe	110
PID 4252 wrote to memory of 4260	4252	SearchIndexer.exe	110
PID 4252 wrote to memory of 1076	4252	SearchIndexer.exe	111
PID 4252 wrote to memory of 1076	4252	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-09_b00b2a8dcb9294492bbdbb27ff85c1eb_mafia.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:464

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3652

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4828

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2868

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1296

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1412

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:684

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1268

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2364

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5040

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4260
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f914c4950cb1d408a1291cb658b64e33

SHA1
940ebcdcd64c0d237d56989ce53d3c471c2d07ac

SHA256
059c67fdd1f88ce5a3a01b83abbee62c8ea7e9c48087d99eeb6144bfc0ff3893

SHA512
caf704a35a988820833e5d7b6bfba3954de7f2cdd1df95e474233a15c4f1172ddbaaaf4933e48856455f02781a66737ad5af2191d89118233b1521fef37b5de6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
1ec0e4da156605b684c8766f5608ecfb

SHA1
90254a76f94c053b229ab0ec2874ed9ac81f87c2

SHA256
fc8ea8492fd9977ed0f5ef8be35e886cf73a33ce84ded9703c78fba06db1a419

SHA512
05b698df390bad5c6ba0679e43d9533be9e5492a3eab314c584c0ec4fffd654219ea249bfab88ea3ac83afa5bfa0cc0ff9c94c48f759cef3046705cf8e1fe6ad

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
e400937ea0f66acbce4897a20fb15203

SHA1
e28e1583dbdc17c9f9bc1caf84ad75c5bcc2cba7

SHA256
12a5b07959a7242b1da7ef2dcab3173178d389c1b5576343633c52a690e5f0f0

SHA512
c0a99725a4254b6c947ecc2c16bd36bdcf1761cfca8739105c82e62454bb9f26cacb6aef8a9f6570a38d10c6fb7c60972f92889a1c6674076aacb8b5a27bb3cd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5e77e38c0e4fc39196e98bf9e678a2a6

SHA1
11d30da0a8f26133a5db6eb4ebfbcad998829b66

SHA256
be9d8d34af712becf6997b8b8b11b325bc95997f53a7300728de575bab92d1c2

SHA512
bcfb701641d9fa3b768a673d2f30c94df3d650f10c94f53e92fc879cf2589287b4997f511877f0281a49e9a8b0ef7dd4292ec1d72d04540ccc75aa8997c64787

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4db252c7d8504a3a74e926cd1f26954c

SHA1
d639ca7d22704f5b250583dcb98836ba9d5c50c9

SHA256
5524af0196a43dfd7762c463ebee5077eb1dc1fd173809da0846ef141231a092

SHA512
b7c39e6467badd9a6199a58d715827c647640590a51e3d074a0e3a6c7e9a9d0854d3ee864979b4b9421e87af491a7cae546326c2db83470f45bebed8dc75f77b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
48b57b442b7ae8090c08d2fe25e574cb

SHA1
6c65eaca915c0466ea0d80506637f07c7872900a

SHA256
5b7d06c5dca5941e3a314ceb4a424825277925986e84ae76558505ca0f9a4ea8

SHA512
fdbe2cfe7ab542f586da7b4c2606b5d093fb4843ae895072a4d12e7c42fd7ba39b468cf4440a2dfe1b8231c09a1f8fd64cf6d41afae67749fa981c53aac5c5dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
cfff3ac682fd4c0f56006b940c830d14

SHA1
41d567dc4ecd808ee7da6ecfb0906ec861b42019

SHA256
35e258551af23eacf90aac0c18fb988de245a86941b8515793de5a5b553d0293

SHA512
e3383201bb71026848eae1df8e47f0a561520836240c8c4fda347134333f94f1398feb378fd7d71426e30326864877d7fa68887925d02b6bf620586ef92b0016

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cb233c3afdca8f4cd9ff10fe1f5b566b

SHA1
7b69cf1e32485166caa41bfb06275fbbdba91096

SHA256
f99628a7ad26cdb98d677103d2dae260d6460dccaed818d4dd421414c6dff68e

SHA512
4e60bc7641ec93f064abcc7795d73426f5a84010df1603459e3c3a91d163fb2c6592e54ac21d1a89f1a9008896357a26201e3a74e43b7171c6a6470170918bc3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
07f7bde7c27c551c69371680db832d68

SHA1
ec2a014b0d44dbb6401ff4d3c5246c6750f79c39

SHA256
b19e9bd6a1de71b4a10290922756af00a7e09cbe095359a6b06fc9a22b65c5cc

SHA512
0f1c6f70b771c3b455533a4a8c076b28874c897cc1cf2ab512b9f3a496d8583340c74d737735330077600d98a2034c00468fd815d555acbf06012b3a587d9fc3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
05bdbf52e9f7cedab54549d942432f41

SHA1
da2e3ce1a362d1566aa200987e0d511a07a8ddad

SHA256
f71074ea4d9e2549e3b2134fdf04848474fc478bddd653a9a39ebe6deb70e42d

SHA512
db583f05bde14d719eab52ac4502320982c10c2742127133fa9eda036d32078dc6a600cc5c41addcc09deb48033b71422726a71e12319b5fd372f9b5ae99e18e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c46c197860a6641ceb6345ed11039779

SHA1
dba607bc3526b449008f58c71fbaca6a7087264a

SHA256
d34e167a37ce886898742d2e220fb62c2bea41dedef9c6dc6f7cec8f656f5188

SHA512
20c7c8c2b10919328b2ce0e37bafbe0d87fd631b27c742fa7ab1f98a13c7d38fb48eb1b087c644787a0c6081d010d8606d5392e9a7be0ea060423232b3a35e48

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e73661fd743354403345a1833ff3a359

SHA1
794b38c57d5eef4f0770ddcb75c46b2205fdb225

SHA256
41cf32073d3c64fb97cd6bb179496e1f329253e1dfab5e31a82c082479808095

SHA512
eb4391b0267240d1bca17917727bf9243cfeb72e483642098fb59c5cf6b32cb7a31e91aa008924a60f2ac05826b456d3da3cfec80566693a9cb614af84edfd64

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
709ea87225b36a87c9a5a5bda2572d48

SHA1
77b795e1b1734ef679afb40ba5d0d28faacdb3c2

SHA256
4c59f859aa7ab5e652c4bd8873d50f0d3146f4aad9802e6207c706f3fbc1b238

SHA512
6253f2f7cbcd6a82461c75ffdeb79c13dc89304f69d91980e18cff9eb914bbc02a9714e6b023d1d16b7aab2399f8aa818267e62f88d60ed55ed2f812e5bd3691

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
12da5288d668a609f04bd6b59c94b133

SHA1
1d55c4741a13ff9dedab81357709e90c0b34f2fd

SHA256
503d5fcebd93dd3047a3305638300209c4fb948a7b9a6450427a0fed91c26eb1

SHA512
3e2f19b052cadc4d7a48524ca3d165b67e5379d39ba9d5a40654c9f478364a37bd551d99a412d74049c9260e209fafbacc2b22158319c2fbc1aac7531cd7972d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
d92726e19f51266138874817fc2668ec

SHA1
217679ce71e1c08cb3c636ad03b99e1915d45b17

SHA256
324140fee0b6060f3695d8c0672e70e63da6efd54199878749d32bb0c99849de

SHA512
fba2b0787782ea424d1417285e42ca83991a17ac5bdb74afd43497c9bb09fa407b21e1b22016e9118ee96c2a1971f2a1bc66b7b258a62702c227ef23de448f8e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
3de1274f97d0de848774835779bf49e1

SHA1
336aa7f548c45cfd32d30740d41bb45f230b834b

SHA256
c509b3b7fd8c841c922f3dcc0fd3db72a3ab5827a5a223cedd6579384eeb4dac

SHA512
af94be5d4e71172cf32ae4e2d76282d633938fa0d5d6b045c40b4328c8aa623662abdaa90bda10bbcbcd41c3164ab415299d4558fd43de4aa3a5b197fae28cba

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
94dd2451330996ffdda5ce47b2ddc8be

SHA1
61196545ff5b787031ba99c6ece8fbf4a98cdf4b

SHA256
ea46c75ef8190071a4338a6994d2f295d1394b996c84d0876a564b2b77fe8263

SHA512
e7d4c00589e2ad310e6d743758557dd695177e30dd72ab4f55692cdc0869d742a6b848a8eab58e1f5fb4e379a3d98100b14da5b0e5ecad22164dd9eb864fb402

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
536641602b801b48ff5e51be49eaed0a

SHA1
bb3b69ab6e7cfd97ce272d8401df803256b6c782

SHA256
54d30d491f1b2e17d5ab7655181592701480e1c60a54f64db578e4a0279b66ba

SHA512
4bd00296660185fbb677acc46e6ac9a2085608f33d6b5f6726251741502fa29948e64fd0ea048e41d9f91aeda2c47e86f8db7b2af3dfc528de1d90998c2619ec

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
ea64e8a8661cadb085a47c8975dd26d7

SHA1
0e17c5a1a502fb127fb2211b8a36ce574a60a901

SHA256
c7854f246ecd39588b2e149c9594d40b195e43f9fc31c92df192a2c1b61a1917

SHA512
a45c56dc3c1d4b102850f65dd8579a06cb50e93e9b8cdc3f1d7d1d0f981702e713c1823327d2eb2aebe143ae517ad7a7c06c8bd705f67a2e650f840a9d309474

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
679fd118a535ecf9c4960c9644923e76

SHA1
38da19a031c458d5f3811eb6f15a24e8ff7b9c1a

SHA256
2202dae32601956d6c507ed83bd6ceee18c707fad6a51354b32bf1818ab1eadb

SHA512
64630626fdb49d77e7a8d7fd1868b460e1120e5012e6db6b6b312b38409be7b0870241523c25dac56e94f7c7fb68d905a0f8feeefc6440abc1d1af8e8a0ec16d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
f7f352b2a62203cf038c6647ce5424a5

SHA1
9e85adfe0d5cfbb6f73883e89ad3882587342774

SHA256
0f2438c234f51d7dc9669d37ffc4e0a83440e53e397241cd0c0040143a870cf3

SHA512
0ca10c592ab780b50aafbbf8dc0ec8c4ae1b1f322b9f069b6f731ddef767584b4af1f7aff2d11dee77d339de397a9cff1b06a040e4994b7e2f8255f143469446

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
778f7889d01cd205ef144156e7e24f2f

SHA1
4a146ce31778229c759180fee613967511713a54

SHA256
6c4cb7d69053f700789ee94be98c871b0312de280251b5d5c6b7073851c73bf8

SHA512
ed366311d411105d2f770c76e950e461fdfebcee3d24f69103c6910fd6bc8e20aeff9d384a8c355fe60878a7d29d6df06dfe50f6472ae66b290872083518ab64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
bb803d25892394d4f7a9b9f0c1c6b9ab

SHA1
f28bb52f48f4d353470147f59f053a9773ebd18f

SHA256
252d3181f06f7a690640b1a77e77b6a850cb5a599f107fd6b3901fe9367a4060

SHA512
0b2ce48b0842998fb12f5a1b5565338b160a332c223f72af040f38197ff7b08b20a71de5ea455fe9b32c73bad2f573357a03e274d1ab4af8e1a5c801db34622c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
a8160182ec57e752ab99b262fbe9bdcb

SHA1
4da36809fc1c0916962325e2e86daacd9228a875

SHA256
0e1f44f11fa5597225883dfe9f9c37a97b47fb74ee0165334606e58e39b052bc

SHA512
8e052443d5b91540233fa65731c245d069672e9a1c387f893084bddd5aaf9af0b486a2ca97458384c62c06d2cab25c6ea0b9a8d1c352138c75d20f24f622a0ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
a550a8f6fb2e96c2094487495e419a0b

SHA1
6f6fdb6d210673cb023715da7fde9a5799c44714

SHA256
f3fc595bc6b59affb19f78c7e7f00a5b3f8e67f08a60c8bb5d41648755d445d1

SHA512
c1c78e4146f36a856efe1b2dd554c13089b7187f8ec4ebdbeda44a92f6caadb0b389b05c2f18b5870a3043ba7582731af44e0eb6c4be09f3951dcc1eb46c017d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
a2c84417d1f22974bc2c8f2e0959c08c

SHA1
f75b4831278aca280e662c9ef18c27e4f0474110

SHA256
cb2a58363fd337164d93300cdb03889b5a60c18fb89862828e19e5df3cd4ca6d

SHA512
43206aaddd8f25b61af3e79311681b8caec8e866891513d195dc4e5b15934707258aa72346f64f68af3c6be8c023a603747dc8990ff4cfbe4fb1a7cb42ecdde7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
ea0e4f6197c2048aeeab6c7505e1b799

SHA1
0885c5728f1a5614e9f7461336f43d1845b45fdd

SHA256
8f8f10bc2e32fd3c211c6985542fe0f7550d9f5ff1a20d4be6e9a8462a57ac1b

SHA512
d167bf828c9700c618053bc825ce6ecc6097bbb9873f2906f49edde42b2b39704602cdfbacfebcc2a356fdde9c2ccaae4910a8b3aca49b3402b5750883022a7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
c7a3fadbb083424ed959e0b3d7d63930

SHA1
fdfd4e981e185da8845bb23e20a6adaa26dc905e

SHA256
6b2e83e98b10b645111eb497c2d6f67609ea12376960b4601f944f1e99c39b74

SHA512
4bfb46792fdc4b5433d33bd4ae93044298cb4ade4ee3c334cb9e80973c5bc9c21296df5a0b482682cb76a33204fa731ecd43205e9a23d0d1086261388b39b2dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
56c821e3f68e9967d1d40c3568da9d1f

SHA1
7d7942a6c603aa350a094a1ded5f3d101affc811

SHA256
a57f05a0310f84bef670ae917f8b7f6119bfae7ddd3fbca48c33e628db2648d3

SHA512
3ab680840c92a5ad937b20a95c4971767c6ff3306ed2648a3a1871b198a1140f1f74fcff4005729f62337a58d1604b55a8b5a16a5cedb001e86f295b3fb0e106

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
5310fed34ff0abb7d5c475badcc41fe4

SHA1
9553b9b85903711210e002f2ef41153924db15f5

SHA256
00b4b8ec37a281fcf52af5f8ee169dbc8261064ab05b52cbe458131aedac5d28

SHA512
2d4be6dec4238281e09d9f34fa96ab2284f5da8e9df3da431e74f42a355ce37dfeb960e7c45a95b7c28d3d80b9075f4e60e0f13715097f8d1f023e859f80f37a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
b2cd9f6b23319e68342d3860f92adcfa

SHA1
77495ba7079aff4cf27a30b3ffdd311cc5453c91

SHA256
50113b99bebe696a000b29742436f69ce475cc0ac8ea00cf4688b5f9c01b7a40

SHA512
0820e54cd2515a6ed3167458210ddba38a4d9a7f01f5d83f5ebf778822b5810cbe080dea26672966e07ed56a2789741b80c7a5612a7d5f241a1b52e3fbd72fbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
5ccac1d192842c94f01f932b6e513ee1

SHA1
84a6c8fd9f64f10b49d93dbf603d3421ca569e13

SHA256
835b569d848afdc71104176a964db74eeaca7d81f3d2fed8ccc276a041706308

SHA512
64bea0fc16813427ee97c39dfbcb6baaa3e7a7dabe1790c2ef358781e5b5ecb1489825088ae0fd9c8b22a76eba9cddbc38fa41d60f8e55b219f7f53fccb89fc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
5861546f1f2a974d3ca7292202db0ca6

SHA1
a5123f7ff0052724136d0439374679846a40f1c9

SHA256
759157c6a34165a5f134e33a7479da8e817d54099467ce3634abb8cdc68b9632

SHA512
7454e4ce014d338329660452e41afeaabec0b0f47550fea663d2c723caeed2c46d9020298ace6a732bc0c70d65e213b93a4ddbeb3257bd15bc98fc857c402fd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
a710d2d2e3a38bf22ea5a824afe44924

SHA1
4d774ae94a4ca5c0e65507339e22152324b6fd13

SHA256
61b6d5ef58f5bc0b662898c71f694a1be3eb065a2ec87f4d1aa6658a2d770495

SHA512
9c27514c9d16aeb6bf5dd364794f8a3a7f3ea85f3d3a75ce4809772b8eb8f59346e45ebcffb6ecb1a5c4917cd023567835c10fae4ad0d3fbc20f53b753fb8faa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
a1e057ffe5df7bf41d8e2f076ffab979

SHA1
53ddaae2aa41e1fef3fdbd44e6bbd853c30a6f27

SHA256
2170734b8cbd339e136584c0f323a2d4c224195cb2a3dc48380f58d96b2cdd70

SHA512
cffc337c0fbbb11b7bede67bae93b411fcbc899ea0c0a05cb2180540e8691e30946e2191ee9b34b7730820cf8bb288e67578b0d3f130c46cae14899b39f583d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
a5c20d397323a1d099817488db77f439

SHA1
1f6eca7e9710470921da0507f81d1ea72c999236

SHA256
7c8f503adf95ebbccfe8e5d3db29f127d477eef53eca272c19bd9ffa181c471f

SHA512
ba804e6b4a45965c2f66a2c4b6a8561f794d0734be684d323800ca6ae379511275aad0a25ef28e5ab04de812e6aa2c6ddbf08c7e07201453813e40eabe763420

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1552611e17dec1f67d4f9571560466e0

SHA1
0ea2c18e6622da3c05487ccb086dcb37acda9bf1

SHA256
035d95d13459809a281af77c7043f0931133a27ba16b9ec68245090d38da5daf

SHA512
40bf7410123e0a645f7bd2b85fc765f11086193b4e055580c56d10367ee3d394f21502e135802ae068eb18e434fb374024e29802bcb5000f1abe50587812df64

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
307a0786c1bba4bb8cabd3c87604c1a0

SHA1
41ee53cd792a6836b3db68c03adcafa5c78a412b

SHA256
ee5e0cb524d208d614254afe569b7e76f25e287ba321c0e74471cdeb6ccb12db

SHA512
cb57ea225410c8bb4f1ef65d8da9343c7826f5552a28bbfd5292ccd4780b61053c703fc3f508b8f8aa5bf6d988f75d9446b55241ebb7e6f26434f02e7f3f94e4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
4d6f44018d5f7ee0b6e85957c80a5d3f

SHA1
afb2ab776c779c8a90d81d4204dcae7868a840f2

SHA256
363077a7eec319b32f13592d1fb63b606c64cc7124773a9ffab7df516a93b5c3

SHA512
3fb2f7cec36169f3f8f1caf8e2794c1eb48efd5d59962c679f6dcb622b9542711364427059410522fb2c309867657255dc8c3b313336dbc91ab479dfd117337f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
30d6a756910a9d34a5eea2f5629bd7e4

SHA1
d7ca2328d9c934020a7b6bccf02419ed9a4e6d31

SHA256
8f25d98be5d1ee9fcbb9260d4067d0eb3ed51452772d06bfcf57b24eccce8740

SHA512
5b73de6aed0623f5fb64d7afe95383bdc123d798867ef4ce5acf4002d61571b4eeebfe6a618dedded4e89e11a13d18c14048f32f18237079038a18189944ab89

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
628f9da90b3e26337411e1cf526d9292

SHA1
983e9b5e13aca6ad27a9f167012f2b10639eef06

SHA256
554935ab724fafbaf75026fc585636cb1dc07fea06872ed60836987066df24f8

SHA512
4690dcd679eea48bd36233debb9a8b91470e5d3ca72f811bfec98e2186dc3d72fe736a9c2ce757990961b873df14ed8098d336cccaea5a3b392bbdcea44f357a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5ac413a641d4e40059f0bd692e61bfda

SHA1
648634468b8742a1555dd49b2d2ce8d1aee276aa

SHA256
93fbfce3d3e492a2df9dda936d236cc977a59df99c6098cb1bf41290c1e35f4a

SHA512
414892a25baa9caae1211ead98fe613cc73dddac04aeb59fd100327de2faf5cedadb62b5ddd86d992495cca31c375c3eaeb7cb5f94637f1c437163bd87acd75e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
ac35611083f2a6422c10188852aef0b0

SHA1
4164ede8739b2cfc985ce90de20394460d8801d0

SHA256
e4611e88c837161646dea2a162918dcb62146610cf74304180a13f3f66603205

SHA512
2eddf71eb08fdf3e86f250c4c704d4f494cad29264ed5d7323e68337230a8dafdebce218126e8ab635af5ced5e7c381be07df1966c60996fae51074d9b9a7645

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
acdca69632b85535b10cad6b6e7d7948

SHA1
f487e5f8fb3008a11dec15ad320cafe636ab77df

SHA256
ceccfe601ec0e1978b58c99adbe19bca2aa19fa33bbb4ec0562afe0ac388c669

SHA512
6db7135556f160e7c6f670e5486cee0c73c2c0b8d6e558ca62a6c03b59a9759a67cb714dee7fbce54a52c6b85b46e0e0120809c72e2b217ef42eca452bf4f881

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
9a68cc3305f489b7331654c301f5e422

SHA1
43c07158b77a2c0d5f90ef59757d553d6356fc13

SHA256
8104df0ca84515a60966a87d6b653615e848a74f6030791080ca55f71fd8d50e

SHA512
267ff4eaad9d5b2c1214b237505c0ac6657c6f2b7279b598eca275250cd1f78a0c199e9b9b3b262ef2eefcb30a304a570bc764f7bbd9fc3edeb6033ec42311bf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
af4de7d8462e9b038092cfc5482cf019

SHA1
5692bc1533e1b78f464434bd453786cf2e194671

SHA256
db6bb98d5296da18b0bbc9851d84d63e7e3f16b46cf7472f2d830282b2f9b805

SHA512
d4fa13577d3022cb4a1040b2974c84f004edbbc9d9f77c1da6835b06df04855b0a6e1a0cae18e17b9e6a9dedfec8d2354beed64f7eb6a3710d54db32db904d9e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5e54490bbf07a5b90ed19af6c50d04e2

SHA1
af557977c4f7dda73652cf181f4b1843a84ebaa5

SHA256
caa07dbca7f0386726e98384b766ee1c442f5e1154480452abfdd812502c84d7

SHA512
4aba90ef4d5874f7eeca54fe30e2ee1d56afa9cab282309c2c7e8443f034d0cdb6a0183fb55117f65fa5b05247290b0592459838845c26234edbc0d87c6a3192

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6b6e732174a9e6a5f2dba008d39b24a0

SHA1
deda9c33d1a39e4ae938d78cabb8ecc65ab51609

SHA256
b4680c1acd2cc7ffb543e7befa89d853b9d34265b3101d1f11ccf98778e3048b

SHA512
b47507c7be60138bcd2e9bffa57eacd2a78d4f1d6c06cf4df6ca7a8aca7a80caf1293365fe86dbb674b62e8b55382ff1fdec909d6be0954c279881ca09021c9e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
48b85e769d0e0c686c57a188baa306cd

SHA1
68e29bed01bf42d61d05759bb503efdd8787ed50

SHA256
3ef7337cd16a85aa4d5f555d8583082588ea80cd92d08afe38ce45ec5f0f85bb

SHA512
b1225efeadd3fa44f0e6bea419fbce30484514badee9d6f8375e16167e2272e4fc307114da88f173631f4bc75dfac80ddd12a4192fede993eaab81aaca66a2a1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f5ea001dab7db05bb4c004da5677a169

SHA1
7d6ebf08dff5a81f5e27e1fab59a69f499a85fc7

SHA256
da19790cd9b966d0077a873eb9839aa64e2cfe87931ef38164eab03424f5791c

SHA512
b84601d987051946eb5afed86f4f87793707f0ac149dfb99b34576a632900cdd36bab4238c1ff187be9210a2733fda652bc6afbec385cbb766ead7e7d85b39ce

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
8a737665cbdf35eea5d8906133397080

SHA1
e99e14b44852fc5195e4c781d530da9d7e03602c

SHA256
7fc804ee5a056c8d2c9de7276eb7c9d43f2ec29829ea0fd7eaf66eff2ab58c3e

SHA512
9538c20d14b55830d86f99da86971ca9dd4f775ff4ff16185fe990767112bd7fd0d831d7f2c40342a1c248c1ac2cd8a5528fd53c2e663a01815be15a884aaa1b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
c6dbe1a51f5f6942865017954f339a6c

SHA1
b969ce7a3a7a7549b1bf17c67623d88d6318c5ec

SHA256
c4f8a89e77870e22b5bd99781e0e667c0f4ee5c551460cde0796a7d5373fde6c

SHA512
96ab78996971d2f6251bf6ecaffd160c81e460db2ab0ec39e8c31850359a286785045635cdb69bff49919d6e13cb9f8da9f492fc9c446265cc9668190dc0d19f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
c5a21d226d1ebf8b65c8ffabad2c66d1

SHA1
abeda62170c763899f92b76dabdd94d745c4e614

SHA256
8c6edefe30982dfdf177b25544bd8607437ce75f78c9dc932a2d94457f59fc4c

SHA512
e26a15847e668c18cd7d9672d44588f7b03c8cdb57592ff57db6bd15ef1ba4e59a70a00ff085ff4adc178795e41f8eb57a75cff6ceb80a007848c8d3e8ebf3e0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
89690c7832a993bc091fb55c6590b79c

SHA1
633729ff3a0f92f4215b0a4b1825a930c7f62475

SHA256
a2f43d7bee1e32fa6e8f3e10ada801ed10972432710da90b2c4c27076e7115b2

SHA512
2540fbae398a9c9b3758451c150fe6f20231fe34f8ab57a4bbf8a23106ed7a84d7e77a815aca0e5fc8b4f1bb1e2b8703c0852b3db041494e80cf0f32f918089a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
fcc44c725f23390f45c28f49ba0494a6

SHA1
585ec4ea664afe362dc43438d246498c7af3e136

SHA256
46dba544a0e477970f2fe4d762efa375dbd93c6bfb9989705ac42b987b212278

SHA512
c4a86adbf47b6f868ffbc65d2254e6d995b350036dcd9196002ccbc7c0bc0f61311a55a9d63cffd11ff9ff628c9d050f54b5b48488e94f9f4d4aa4432ce3e111

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8d7af10af5846bf116687ddb6ebc6d01

SHA1
84da519e46af4df93def8d71d316d59b017be916

SHA256
925d310ebcf2e34b218a5da2b514e59d335581286d029d649462fa78594c23de

SHA512
efa8be0d20b82b47d3c8d5e5f8623628ec1ce7bcb284fb906c03639892e2417701cfee9494af1ac20f4db530ed061e499dff5e8e9e95ccf0dcce807105d65838

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
68d9d6f4352ac0003111fe2a48ff6e8e

SHA1
b2a8db3bcad875ca6a21ead96ac53275a699a2a0

SHA256
7bbde3d21df4941b619c2ced49b84a0e8e90f174948aff4e1e511946af1e08ee

SHA512
ae4c96811fe608433e78e110b953c309a86bf25cf8f7984818b66465db33a869cf3dc2be9f3ef224a4884b55c5fb8de48b73586691833de959eec98f7cef78ce

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
1a8989192f9cd86d9a8518a1c4bb1c04

SHA1
70f084601d9b73cd3526a0b7ec06b6deedb89c98

SHA256
9526dcb4b04709fd31b1a8c40797dbc2d74a8ed438b8c6ee04664a5e1bd54b15

SHA512
89e0c6e0b9cbed5b9a5e25d7926eb058ba11f576d7df0af6baf143b69fdbc8f467b23c42bc6853415da950d88b1497d8a6b4042d3456a6a2b5637db23ad1f5a1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
10af299facd24c58391cd35a315a42c0

SHA1
2329ed3490ca8f43da15c416dfd6c9ea840f986e

SHA256
1eff7a925a5653462dd38c35f021983a272dafa3228a985966842363ae4a2a21

SHA512
307c7b57d82baf67d0aa27491b9d4944799609bbbc734a148566392722d6004af2b4475373e3f265c813c9da5ec916b36120b8cadb11405803fbe6763e8ea693

Download Submit
memory/684-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/684-358-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/684-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1268-120-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1296-97-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1296-96-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1296-158-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1296-89-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1356-77-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1356-155-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1356-84-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1356-78-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1412-112-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1416-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1416-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1456-106-0x00000000008F0000-0x0000000000957000-memory.dmp

Filesize
412KB

Download
memory/1456-162-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1456-105-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1456-100-0x00000000008F0000-0x0000000000957000-memory.dmp

Filesize
412KB

Download
memory/1940-398-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1940-147-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2236-399-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2236-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2364-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2364-123-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2676-167-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2676-404-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2868-70-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2924-400-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2924-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3304-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3304-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3528-144-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3528-375-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3652-33-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3652-32-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3652-122-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3652-39-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4028-90-0x00000000060A0000-0x00000000062A0000-memory.dmp

Filesize
2.0MB

Download
memory/4028-2-0x0000000002230000-0x0000000002297000-memory.dmp

Filesize
412KB

Download
memory/4028-0-0x00000000060A0000-0x00000000062A0000-memory.dmp

Filesize
2.0MB

Download
memory/4028-8-0x0000000002230000-0x0000000002297000-memory.dmp

Filesize
412KB

Download
memory/4252-407-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4252-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4416-55-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4416-61-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4416-63-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4416-66-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4416-68-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4420-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4420-401-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4552-114-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4552-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4552-24-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4552-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4828-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4828-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4828-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4828-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5020-110-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5020-13-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download