55e9bb21b8850c9af13474d87ba2213ab56c0d561a80443b3575bac35c09ec49

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Size

1.4MB
MD5

8462dc1f4c6c5ad87ec61c5c22b86988
SHA1

1e0e2819c16068e4e353069b5b88f1d0eaffea21
SHA256

55e9bb21b8850c9af13474d87ba2213ab56c0d561a80443b3575bac35c09ec49
SHA512

f00e08c3b0306f38d6a28bcded909990f0fd469d9c4e6ad48071611ec2a3de1e8dcdaa1122af57f5ac05f825a38f11b9f42fc1a8d693ceb0a93b6faf073ed5f9
SSDEEP

24576:gbFjZNH3hYOsqjnhMgeiCl7G0nehbGZpbD:mFrHRYiDmg27RnWGj

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4308	alg.exe
32	elevation_service.exe
1036	elevation_service.exe
3080	maintenanceservice.exe
2744	OSE.EXE
3592	DiagnosticsHub.StandardCollector.Service.exe
4424	fxssvc.exe
2012	msdtc.exe
3580	PerceptionSimulationService.exe
1172	perfhost.exe
3596	locator.exe
4980	SensorDataService.exe
2676	snmptrap.exe
4028	spectrum.exe
4132	ssh-agent.exe
4676	TieringEngineService.exe
2760	AgentService.exe
4588	vds.exe
1104	vssvc.exe
4332	wbengine.exe
3996	WmiApSrv.exe
4776	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d16f62cd696f5a03.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86171\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031e6d591b0f2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031d68491b0f2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f756391b0f2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d9c6a91b0f2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009dd3c291b0f2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2ba2b92b0f2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b9b8991b0f2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002daaf991b0f2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008daf7d91b0f2da01	SearchProtocolHost.exe

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\ = "CphsSession Class"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win32	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\ = "CphsSession Class"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe\""	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\ = "IntelCpHeciSvc"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\ = "IntelCpHeciSvcLib"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID\ = "IntelCpHeciSvc.CphsSession.1"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer\ = "IntelCpHeciSvc.CphsSession.1"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ = "CphsSession Class"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\Programmable	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS\ = "0"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LocalService = "cphs"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID\ = "IntelCpHeciSvc.CphsSession"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
32	elevation_service.exe
32	elevation_service.exe
32	elevation_service.exe
32	elevation_service.exe
32	elevation_service.exe
32	elevation_service.exe
32	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2448	2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
Token: SeDebugPrivilege	4308	alg.exe
Token: SeDebugPrivilege	4308	alg.exe
Token: SeDebugPrivilege	4308	alg.exe
Token: SeTakeOwnershipPrivilege	32	elevation_service.exe
Token: SeAuditPrivilege	4424	fxssvc.exe
Token: SeRestorePrivilege	4676	TieringEngineService.exe
Token: SeManageVolumePrivilege	4676	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2760	AgentService.exe
Token: SeBackupPrivilege	1104	vssvc.exe
Token: SeRestorePrivilege	1104	vssvc.exe
Token: SeAuditPrivilege	1104	vssvc.exe
Token: SeBackupPrivilege	4332	wbengine.exe
Token: SeRestorePrivilege	4332	wbengine.exe
Token: SeSecurityPrivilege	4332	wbengine.exe
Token: 33	4776	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4776	SearchIndexer.exe
Token: SeDebugPrivilege	32	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 4328	4776	SearchIndexer.exe	125
PID 4776 wrote to memory of 4328	4776	SearchIndexer.exe	125
PID 4776 wrote to memory of 2268	4776	SearchIndexer.exe	126
PID 4776 wrote to memory of 2268	4776	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-20_8462dc1f4c6c5ad87ec61c5c22b86988_mafia.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1036

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3080

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2012

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3596

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4980

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4028

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3480

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3996

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4328
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
85cbde05f4315ed5ba1828f3501558ee

SHA1
762022c41e2cc535bb1ff93c98b6d7af1f73198d

SHA256
ece027c40260d317e9952f8e00553610d1b239f14455f7c5d86309605afc3e8c

SHA512
3e08edcde3a40f82b5a8f91f1ee22615124442d3201035bc5cb2ede57c71485e4c34bdc3f491bc7910c0240b76ffd899e3cd3f4ce018e0846bf8b5226caa6044

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9a96e1be94c605e7fb7e68dd77add169

SHA1
c6a1ee25566560791f4f54a8c52aaf6d8ee7d33f

SHA256
aecbfd8052baa22bea91141c03082d7e719a2fe942274c86a53243cf9dd259b5

SHA512
c60140ecbdc5cb01d8fb1d2b0e18d877c46ecc521973628dec71781b575d3cc2ae763607687c13aef4e119a15206fc0b9f509f0772f0ccac93cbe1aba13f4367

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
87fe90ad7c9f10957bb1ca1c23fcfc42

SHA1
da417da16645f7d8f56e970cd9ffc20485ff06b6

SHA256
9afc53ccac78a1d5dee6154255dff10282e136deb72a9019653fdcbca4d7e165

SHA512
a51b39b4260136be528e69a167e355eca821cef44095721267b04ffd0717a8bb943e441653f037353c647d88a8a7bb23128d06c9185c991ebed5e20051c3dcd1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9aeddaa3b5275bdfef49d4c765393305

SHA1
8fecd183760ca1faeecf12086a23b89496b0abaa

SHA256
6e1cdb7599751a57f38fdb9a95401590b60f3bd32934b009ac6f9772c265983f

SHA512
355cfee1081294edc6b4d13ad6b8767675cf1aa898ef7d787a25573212d3f7ba17302950a5f2a5d9d14f7a12b2f4999d5b8eca5cbf50f4c09ad34f57894faf31

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d26421d7c9988ff7ab1d32f0283c03b8

SHA1
262078e2d7589a471fc234d89fd3b5b6cf32e258

SHA256
0b5593c6fcf466423954fd9d226883540cdae9d5ef0bbd6f54d5ddd75639e732

SHA512
9d6257d11aef31c94538cd705e85e28bdb0e9903ce19d2088fafb59d6ab4e7b56b3192c4531429ffb9b678b68e8fa3f0ad27907624c3f1e7d8a44792026187ef

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d1a2e29144421a9de4b6f9bc5a6500c3

SHA1
2e8ce82e615c77bfa743b3d69fcaf565e6a07cb0

SHA256
b7a132ac4afbac16f6c1038a612d2048c8b8ca6915eef36640fc09a541c145fa

SHA512
ce9345c6b73e1a8434b21e02920f4baac44642a8a5b89a1b169398bcb690d516b7c0c6a9504a3cd805247e817ee25e8a140883101cb0fc49f30f9e5009caad42

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
508b7e7371510753aeb6ac81d29626fe

SHA1
de2a83e9540ccca3c0f1877ae70ac422c9be1eea

SHA256
0405fed9d1870a49e7fc0a2fdcd12d35bc1e9c05de609a0118285d1c10ff51d6

SHA512
f2d12ba6610f3db8284a36f5ba05857e6a27832ccce699d0cb24daf8ebcd3f797b16346ea80d8feef74387ccb1faa1fbf508eada110204f59ec844536e463be1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fecfb0534b1b0d754703e4a406686fcb

SHA1
f521cae123653c7933ce28390bc37d768de56f24

SHA256
4ea5dc21b8198625a4e632607f2335ea2f1b370c6de47131dc0355ab0d3a2b9f

SHA512
b25fd361318c7f150b74e4c4aa0675fceb826ba4d0876b6e99223dc851b0cab0413397d388a06973a062e29addb80713641fa08df3fd41cf0c5ca148e5b5e8d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
532a497e18473a486fcc801fc70618e5

SHA1
cc1bb934e2722bf39d013568ed66dfcaeb33e380

SHA256
722f2d037e51bd36b8f95283c8acfd3d2624bcd9d09cdf89e079a55d12850c0a

SHA512
3b4335570906287d4f2acba4aa0ff2d7570754d906aef5fa7fad9df22939cdc6a63ab822133c0b4c5d15d67ada65f92a6d883f43f5a6ca58f1b9d15f10f93429

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9e03c055069a411bc304cd361455aa12

SHA1
19ab2198b23896bd9a9b1559c65be2d275c33f3c

SHA256
e70a78a4ca7df56b3ec07f4d836903ee999f25abe6016dbcea8357c341920c0f

SHA512
362863cd92fca4d86096e37dace4f6cc4e39af6e55f58f83f9a27704739c04ad4f2a13939aa52e6362459f4ca456c109f47744ec8dfafc2a7eed42e5aff49b34

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2764c776f2c05a75a6679495738ae16b

SHA1
84a1beb6b9d697c3cf6eee777046c76a7d9c505e

SHA256
71b18a1714a721aa4e555bf40b6db46b1afeba1c6c1fc4ef4d897fcfb5cd748a

SHA512
8ffdd1e96282753f2d80e7baef487b1d7855d61a4f39e251bfbeefe87cca89f6c3bcb05eae04015cd637effc0e0f44da49199891089cb03a6acb061da69a1662

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2bf9a78e3517dee31c246040b73e2e77

SHA1
64cd42e95f06666682671613cce9a92e10f2ecf3

SHA256
119046a3c048009ffbfeb15fafa6c4a725305e5950faa4ad714805b9d2b0fb7d

SHA512
8b899966d47fb944c7f4632b3d044b3d7fc4d7d6682e0850d0e6706787fbac3ed90a00135c637b51cd76689cab98ef6918f8c27885b71f832e6a1afc7cd6cb10

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
0ca4920bfd49fc7c2b9283902b965587

SHA1
7eff4b683d9e76811332093630e8434f39edf816

SHA256
9bdf708b96ac6f65b219cf3a0d6eb0cb3000cdf75a41c5d7b336e85dde21d287

SHA512
abc54d11c8b1b35afb26123c90975d40b5efaf630dd6b27facb56ab5e21c40881ead7772d4d46dc2707f8ccbc433f9901c9f78f455379e3571e6ccea40795ace

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
d1b59912e69b8a77e9092fc7ffed783d

SHA1
565e6d320bcb6c32b43b021b5f6b2f27527607af

SHA256
73fb58aa2de117496941e3e6451ef5f7f21d537e0af05a47bc43816fa259c0c5

SHA512
0516e1ebc070941839706de8161d32762bdd2804cc80fb3fce90e9d34b5fb231879913f3714f2cace1a94f3ab3eead089d16ca0d2ca5f9c1a904fc6c26ed0a1f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
a6274af6008e333763609dda0a6d44cd

SHA1
05da6624bc0ce2311f10953422dc32d53a642253

SHA256
da70a07b0af1c62fe96f8d9d69cf7bc9a383b9fc2eb3b02734cf5ef9530c9d3e

SHA512
be8b781d0de5a883195671d856840447d0a6467a8acc50463a72637effe927a7a416d9998b256c7f1020fb012260f75d08213206bcaed2939e75d5af2d59e5a0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
671b977168bb5b2c47e6d5730c2d51ac

SHA1
b8aea36b4ef7de8934ae8045a775c1df17fa4686

SHA256
975608aac9f3c135481381df14d1a0ef1a5b28ade5ccf0730666df833b7eafff

SHA512
75d76c6785070000b309642e5902f2456ad71991081508ab68ae3b5e67eb14ff9820865a9ab6c01913e71bfb3fe2341ffdc5b581e8390d52fe3de62fd9381763

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
4a3fb453a8abce56f918904644cc1351

SHA1
c0c1f18964eb371b7ca233b25158ec35fc7fe08a

SHA256
e00206370486828536a6ceea52fd01fbbe7b3f980ce00a7f7ddc946e17bfbb4a

SHA512
2e59a7992f99563803058888e0360a7cee8fed8fd3aa53e7bd010e78f3d4300d9c50287319131bc87c992e7151d509dd6640f05a453c4a4d15e3c129c343f588

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
92b65698640abcda2c47706dba9a5a36

SHA1
d4881681302727e6c0cbc18d27539df0ddce9d82

SHA256
a808bc0c011f9609a52413466f7cc3aec9a302ce9587a57ef933c9a593f57316

SHA512
30ec4a6914d1f4e7c13c466b9c12cd284814937c850585474f650978f57a2bb25e698f5374ca9d04d61dba707997e67dc2e0547a2f9cb9c829e0e8e2ee0e77b1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
7a055ac8e9121d6b42d9626f18eb8ad0

SHA1
e81f2d8bb9d1299f0ae6af67c893fe4b51282d45

SHA256
b8071b7faac3a35fccf43050e00436f0324c5e3211438c738af2e8b00c85037b

SHA512
2b339710db5ded5fb1fb6f2db5754b573c89f9586e0a46de48990405f7fa3c3bacfea06cb9938f7aa831fc66038f7f7bef59ca7b330d3c34207c5c07168db613

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
cd88855df38b4aa24641323455eab1d4

SHA1
130c1fb76f9b8dc78577fc714f89c50dd5fe8d5b

SHA256
6a7bfa51c2113efaab9a27f946145ab8764519cc6cba53a382f5dd7cfd21e1cf

SHA512
eef693f037d91f1f222c5d236ff7fc335236f20e0ed0dd5a041e80d5007361c7ac015092b9629e05de458980588fdcd3ef5ee659c39440b0ef6f609b4df5c210

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
7f45007006184d933d003e3e85a85cde

SHA1
6a220ddf590e5d055ade5315ad83c1b3c9f7ef81

SHA256
88696ff0eb7959ddf3ec1520193b17a8ea22e8d8e547c61aea745a622f55c4ff

SHA512
b549efc6ff2836e523913980ac16fd1de861e9607bc558afd4af395c6736ea724503b8025106a2f6cdb9709946ea5279c7bb38e825d467d13355bda6e711732d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d490e924f52eff31d7d9600c4f7a1075

SHA1
e2181242efa9dd7f240a1e958dbfcca41be0e117

SHA256
0db464de32b62d3dbaf9457db0711066a96ed8d3456aa724d3270c22d028eccc

SHA512
1d575caf202caad31e8ef3ec8f6b21b01429157378707e2e8fedbdd217585ca72ce9f42c0df0d43a40a232a7dcdbbdb87e9d4c59fc0ef7c7cd2d4d619f9694c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
6097206e9aa1993e83ac179c9ed26670

SHA1
55aab39f914c1fca92447360b8d063dee9262c03

SHA256
184c37067b474e6ceac009990d97ff2fb1399e002b7b6ce95aa845a4e09ad881

SHA512
5d1ed2a191fd7d7d50be2575e4e461289d39e3ace87e89e7cf13db3b7ce037fe0e65141e8a5d0326c4fd7a9b39f6525c242af38389735361bf3fd6eb6cb4ba80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
00f96440de018034443e3bf8860fe1f8

SHA1
e412e1f734944d1da842e6a22505e808a61fc90c

SHA256
ba770a6918509c9a50b2d474c5f23137201d6360d1ce7d39a1d00fad981d317c

SHA512
a93a7b533a2b668f19837bdc29d3817285d23a8d628eec6bfd8225b73b6b2db4d452cc9c4e2ea641e3d2bee5aac5b1c204d68e89707124007293fc2475442318

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
4ed3eb8e57312f542f82ba2a51e12c1a

SHA1
5a6f0350c7ebe11a49bc67561f3371ed0be21b05

SHA256
4c229ea63665f1b3f33f03ecaaf7348a45849c68a1b5ec62aded64dc6a3e6755

SHA512
3b0a1532b82209adfdc2e1ff850bd37bd814bf6686febf963afdeaf648a99c41ea5e3211e0f18e706368754d69b6698c6c9ac69d453ef600a8276fdb4d4b9eaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
cd6fc778de954136202b1b09a64cde5f

SHA1
c5a9c61ff778cee8bfcd3ac7e8b4a86a15b41bd8

SHA256
b87d5e9ae343888665f00a9183f7613a8f88a2acdc5f970b6e08fb3f748127cf

SHA512
b36880ff0ef4153f20b485c684550a4e0061cef344c562e96be74a4cd5ced41b57264e7110a1b4b86ae13dc310dd3fa4fc894ebb8a6d5b3238ab70f8bba544ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
88280a5d127007d9a4f9424c5a20581e

SHA1
7101ae38c17731f55a58400c347f44ec12f5e043

SHA256
1a3e107bd66b6c78b912256021d715d02cb1883ada9601b215c4a3e313e9a109

SHA512
facf57c580acb672511844b5617854a0b6d0bbc682ccc0a10b98bcdd4cb56f47cccc7d1c407b13e613d33b751f85076f8719525f942582e5f7526e8c55b69eff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
44a36f4d8a4d136fbc9b904282035f54

SHA1
ebe1c538c51fa033a1511c16a024c6f32877b78d

SHA256
346c011dc9e9b182d24bdb683e01b3994b5a4a984d875001e70758ebe0f4d28c

SHA512
99abb35d8ef74522c6f705fd71265ed885875acda7d349b35f18d54706551d8d5f9875acadfb4a1df4c23d96092bc0896eab655147fe0b163c1326de1b96cbe6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
74ade471edfdef4a37e13004d07ebc5d

SHA1
7405567e9aec01b36c25ecea698ae6c4916fb99b

SHA256
91fb1206d7174101f4cf252de30b38e16131e38cfa5af8c6b588c214aabc3c44

SHA512
03c47970fa53d3d9d3ea284a2e245cf267befe2d691fd2a8340bf795ed62e885a96656b83a954360125eddb6b71159d7e9d4f6bc0c1d89b352a796ffa2359c42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
8ff51601a884feb89a1f8a544c75e8f5

SHA1
3ec2f15fc92de31b9b4520373111d90d76b37704

SHA256
a94d76f5c57ecd2612090834726014d6f5025a9af60a6cb8bfe3eff93bb220b3

SHA512
afdc2177efa909837ef56fa039778bf5527446d52af4c3e05a55909012524a5233793e13cee25c788608305f23325d5f246310f6095983b264f736bad400a7fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
edc24a577ad5d98cafbe23cf9f7e8481

SHA1
0e8f70cb26cbb93ae58da7471da669f45f836ace

SHA256
d2fd025ab1dce8b6168a4b69495771ea79b8a1354b2f30742201523679c559d5

SHA512
d8179d88398fffd71cdb28c5b575d12b9425756400bd222f76d700e8bcd8b772accbb8de1b2032e1f57a32d8c0d12cc4df60427962a15fc77f5555d1afb683b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
593a0d58222cdaa23960e1d8c5bd2fdb

SHA1
aebd15f4f989a18ac4b735c83dfee91873ccd8fb

SHA256
27f5764f9022b85a95f99be48dc4936eafdb210c28387042ffe0a2f2876b7bba

SHA512
681e9d11c9ffd1016f3c24e320a9731ddb5546d8350ce4cde2015da7522d236cedd43670cff5f57544b04cd8952289ef894e8d6941a1fb2cf56571e0011695bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
99b193c8fad1ded9626a67077564c272

SHA1
214cad513865419c6722606439c606ccf25e0909

SHA256
4cf151ef4022cdb7db4b042a50577e45c51a47829ccabdee5dd6596fc59623cc

SHA512
9e30e19bb5e8822d63547efc8ed01b8d66454c247cbcdb2deb56bb4bb74dcaa8ceaca6fe14ed2d19f2d9644cdfafedb8857e47aab67d1ab67f1e21d0d68f12d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
e0ce246fbedb7aed6812f1288858043e

SHA1
2ba3b5b236f358a797afa762ac6f13368a580940

SHA256
d109324cf768ec1fd26ae80ff1b1c21c7a2423cf2c9218d4525aaa53b6626f5c

SHA512
737eca440cde6611a89b0f9d2e095a7803427e15c082fdac1da9fbd8eb0846cdfdb31b832863fd1207861633ceb57a183c42144e2cb8f076d15d1d32b64de368

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
7efc67d3dee4ad560fe8f3dbbb9d8372

SHA1
5f19e231575274ea6ff5958d91e8509e4624863e

SHA256
13b15f777b310138ad74b2c0252066c75c92369091be30030a8c1bd44b0d775e

SHA512
22aedbd778fbb6824b79f780d67d9b241661428576975710e37ed39ac4190e72b1528a11522269c46a32a10e3c51b670f586bb8ed6a4370bcc3e65ac8804eadb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
28bbafd3dee73bb1dd6dc626c34afb3e

SHA1
bbb29a521402ac6f68bdefe2e691258ccd2f43f2

SHA256
103e28f7ba8895d7064013c10169250d9808d93a8687b10c0e051713e77e4efc

SHA512
bdf30470c190e49084f9ba8c75b47aef4ec2f2cc336449f32084b3d53a1ae4e496476acc3309037ddb7350ab9fd493895a990d9ce08dbec907c90e8a188067fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
83d907a7d9dd9acdbd23afdb35c05cf5

SHA1
31bc8c951b7799538d6b099716fcaccefe91be9e

SHA256
3ac4fe7e6b3fdcfeb9c0b8e50b9a65d5299c958199f9d9dd6922c39ec1cf3450

SHA512
26f98641ee7c612bd773008349f970ff36d5a946c8221e7d31d8eeec910ac4299004822362f817b8cbfe17af5d7ac42a682ec0d34faccaa1d3c2575f80007282

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
5ea72da843bd8f1fb2313091b4f2970a

SHA1
da1212006a63d6fea938d5acd659876e2d39caca

SHA256
e0506e7c6055a2d6ec3f53e3d1598e6c9788d1547f21167e601420e6c958074b

SHA512
067e0886d339699027f7352ee1ad4615461b894a06ee23d31ac67f7a316e423035921a26988ad8c81bf231063fe756eeaccb33b6113b0a53b5a89f8b11283162

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
635cdcec90c7c883f00135a2f856c1bd

SHA1
cccb7e25aaf240c215e7b2241817ae30ffd1738a

SHA256
9b878d1bdfc4f06c50d921d447182884e41c5669c47f29d1bebb75a1ef5230f9

SHA512
c9262b014d78b9ee2ef7c387ff8298912c01eaf845d694b1c3703218bf4b4242da75933f2766aefd94e05ad7b1776353f73c2cac6547c8839d6f15e4d3616ecf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
7fd7de3531224db63145e525434e4141

SHA1
14a2e3851be1499aaac6d08ed21fd848f93be1c8

SHA256
7fbc1affa0c93e5d4957419c6b2cfe935c2ebeba802b6a6feeaa592622711658

SHA512
3b10526b015ffd4bc5e25807ebd77e883d2723fa06842bb683f3ba4f714cd9f88b2b260336c841307ca237b2573c155f6f31d93707fa7f665d74146c32013607

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
992807f7b546822f828be1c04e58b83b

SHA1
571e0f34dfbfe73447eef63f064c9dc0f972612f

SHA256
d67bc9bc31eb6f135930d3bd96ac18ed5cfb529de96de6a18625ea8690ae4de1

SHA512
7139f678786da220e9e94d9173eac383047cc793145f3aa68bb90f38f7fe5452dcd3992399dcfeedff0a69ab196cfe3b7ee191a79cfd1a6014209504b11301a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
c73d190a5317f5e17eb5c4eb3540beed

SHA1
a26d088a601ff1f60a0f4a9632a73ccbff356573

SHA256
bb3f7693609c11d6c66636f420530a44c784afe6065921c8619e4982ca7b6a4e

SHA512
2d5ff61d27442027c1c7e959a3dda89f1bd10ace9f22bdb18fc297ccd8c0830a11f639adcdc2ef579e9ff77dad1fbb3f5dd2cf993c6fbd75404d7b451d7f3acd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
07acef2dbc5b81fd5ae336630f049ce7

SHA1
06639f822349286406d68a0ffb3f403f2cff6bbb

SHA256
5288b2c554c7e7a3835db4169b1fde0cbddd48ece0ac5db5cf65e60f7e066ca7

SHA512
a00a1738c10644f1021b60f7c18445d0990e8f604ee6322da00b8d58b0dc2093f0bcdf2d40cc1e6ff3b18ccf6f924f11b037d5fadb54edeb3e41164552d52d10

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
1c238e7030e13fc29e4a62012785a890

SHA1
7f27e2c243b6c3b0b51d9fc9afa81ddd5f8b3f0f

SHA256
7b0f4fc87d85522ebaa82b2ccf00030399681131458a60b12cd8fcf0e58f23b1

SHA512
86b1ed8f303bc99a5aecf81c9e181a1ba4bfedeb431157f643f115567b88327a123d227eb631ff527c67953108d5e6dddb4ac9bd6b3ea7f32da833c0adff022e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
23644a3d98058830685537b0fe46d7c7

SHA1
c724d315dd5d72f55d23536cae5bb2817932ffbe

SHA256
c0c24dbf1aecec5eb555aa74a84352f4df36cde099b21aff9cae60f71e9ccab2

SHA512
9753ae6c98d2fe34461c4ce589fd269f0203158891f7b1ffa13f400f8a6f038fd55e6c8dca60a3a97c7d538e1f7fa02dce20ce4feb3968f54bdf1ac5586b7a56

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f9f42476a974bc2f9a4a22fbb728af4b

SHA1
e35679f8f1991859f0fead90ec7243528b7dd1f1

SHA256
a2207eb4740d602bc63735d4174c6d6da67b3977214a7216498bdfd6d9b63472

SHA512
8553b859407fb0a710e7934e4d917c41d32fa29dcd5a33fe434f598c58b7ffb405f2a16fba5c83364c9149d5815350b06fa41cf0ba0bdd15a24ea47d0a77fea4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
4580e641ed87bd4da91f4660ab76a026

SHA1
0969f258aa41ec5ebfd094db89b3c2703c2fbb7b

SHA256
b6ac0b48a177a5e3724676b11d0b26590c3a76e02469d8db8cdf3bf221c12c94

SHA512
8f2ad8b6c5b62753041afb11fa7c01c575823f11c40bada1452391a5d1a1c4a27ca556050da8d8ed396d3c8b1604b133514bf2711593e3fa574a00225931aaa7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9f5b2468cfad3b1d2f3595e5de1c8fcf

SHA1
c0d1423a1a1fffbdadc6bf23e395f05e693c1a45

SHA256
c9119c82f6b5bb4bd2c572683d07ce8994a756168098743bc646b14d3cbd9790

SHA512
e298965822d5dd61dbfd102f52c5520b7e7882892a0d0468c8b0795e631a6873d9932805a9b7c8cd3a926627b003f5c2ef87b00eeb4415e9324c52e1896f88bf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
835ae382017de8fe7fcd0d96f13162f4

SHA1
74fe9685a736fb713bd569da1dc59b3a1a9b73ae

SHA256
ce2ff0e371ef0cdba4c18d1c3d6af24759ac84bf5269b5c9a32081c86c751af0

SHA512
bf42243beb251eadba41708e1cff03e911e008f4d9c316d35c137101ed33e51337b29a97f1b663b2fa4a896cfedfaf386003e1e700ffa0bbe26143c9046dcb54

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
4ee0d370c99c213749f5a06d0fd116f3

SHA1
fa83cd55c3ffffb3882ad77fe8ab8f72de95c171

SHA256
2a055b47e8ac7b3b95f00e291eb7dbf072e9d206770250f4ccf4bf98c18c0239

SHA512
c3b31a690eec8f59aa7f4bd70be06b3cad4c2b30016eafa6f7e92f0a876822769928353655f002d991483f433ed57655669e3d86a975d159fe6988b4b636c074

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
9de9422bca3b5632381c8ea54d3f0402

SHA1
433a78718daf9f1ac874652ede65b02bf17939ed

SHA256
255e6a035da0d8b0a2ff03addd4226236c1d51d09547f47fea164dd3393a5df4

SHA512
cf5d9e1537851286f36bb91c1fff918a7dc1118291a866d0b20d60303809dfd6f429458852df8d8d0f9b6ce49419de91ca406152517c271f7497d248341cf07c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e00d3ef098d9041b87d0ead4db23c527

SHA1
7d720e0aff75c97444e0dceb435ad3e306b4c1d7

SHA256
c7022453414af40a7965adb22cf4b9d94d33472a3973ef7fe8ab3b9b03665d9e

SHA512
424bca8696e4d3fad8395c48440661cd903c17a623449ab4922ae12859d42ee9cf9dd91ac6eb8344efdc54b96484c9a55f1b63f70f673e98896bf3030e907f51

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e47d29cee7a6d27dde0413de80e365a7

SHA1
90cb27525ed20b285f73606ccb1cfa1e1189bd36

SHA256
7e87f5203b018ef7dd6add9023483d73104c159b689d8c6047e1b3789dcc5112

SHA512
248793b7e91e7cbbc98afe59117e357feca7f5b1cd74620b46d00141fd43f2ef1bca971b78407b400f59fdc1e78b5116aa8980ad0b8555924dcdc73d7f1deb0a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cf979f4db6caf5635b7ea71cb08402ae

SHA1
42965ea773af9f2129ce6acd54fe65bc9ea9df4b

SHA256
d827071396a24e734b69bdd021ab2e7548cd2b936c47b3810637529decdf3796

SHA512
462f9c545c82a9ff141083d985d0158c9d2c3fb29826664e8fc57c12610ce97c20cb1f8c7a9d8f110671a36a0ea34cc500ba58b01125311601c10944b01d3c73

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f165d827a5189dd005e8a0d6af69b761

SHA1
87d489252e99ca7d154f8eaae0267f1f03e0577a

SHA256
a7dfd51b26a8df036a9b60b3e5e1bbb67b9ee8ab5649681ac2d32643b41171a2

SHA512
834b76037a4516fede7882838087320b30889cb2c56781c78bdb45df14bbbbfbee87304ed146999f6ac53c2d9fecf63c1fa51c3182c6d5b146b7841127578f39

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a42149a04a7d47851e17137b51fddd9a

SHA1
f73054e72e4ae24db6fea6c12b9412eec7693ae7

SHA256
92b43994b5e3d7d45f42aa68be135460423341dde0fd67c5c4f672518892a246

SHA512
678e1031b9228ed47875b215d88be1b679d22d4ef0b3228e6409a07de89f48659228691dabba8c2ad834ccda61b611df7c403ce76cde2eb41f9489ee051a7eb9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6f862555e80e74317a14a208a58d044b

SHA1
9e1aeec15802af8e52bcd5c94906f864517c1567

SHA256
299bf68dd8166f79f4c29d257ca05d1b51dc600b4bfe028197137e60200e8d04

SHA512
7648475859648364ec6dc68691b7b95f3305cfbe447795ebf8560889db53e5c9d749185a4c97fa2ee9f8f64d160e77a1dbcd1fed2ad6732d74b64348c06acb58

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
00c294cafc3ad596391721dfe259ffa1

SHA1
723f4e0204501642aa44a5d8a82c9efc386ad547

SHA256
5af8888340d8fca1ddbfd00f323b9cfdf18143f43c15bd0ee089a2a673f9b6c9

SHA512
abd9fd690e99ef41446e0e051d89b1432000992f12e879763352b087c4fe4cfd08e3654118a6d2cf754bf674743d6847e937965443fe33ef588c9d47b805b835

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
85cfa75307bdec8746bdafd6bfbe6528

SHA1
705d3e7f042afec4703a3a472b56cca1656efe94

SHA256
f3364595ad2316a741e425b864246db3c70eec3fc700d9fc7d50bcf030504f49

SHA512
f00726049e654f5dd20e7077b8a13cd0032d110d6f3a7d58c4bf3492c7b69ee0af160c8257902b6f6a2476d520a75273db00ed236b2e1e0d77d92fd674717040

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d1caf17c2c2e521307ad5f584081206f

SHA1
53b086ee25951e32d9567047ddfc2bc02fa86acf

SHA256
94a7d30dc1c70ade2d4e115eb97d75bc9c3b68c4ef23a9b824fef41d45a42713

SHA512
9e7042bfe3ef388a876b18efcd122ef9048bb4a793d2aab97535a5c96577a00c1615c0bed7afbd61d5a0213cdccad83d6d9fd58c612a9ea4eab0f0f3eee8c9ab

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e62f03a4d3eb101bb1419fad1eea8e5a

SHA1
91aca470f9dea5c4cb639c17e5c5e0d1681eb022

SHA256
6436b6d1a08f1039f8229ac48a4840bb4221d3c4d0a729eabfa6e13f970979bb

SHA512
4f247e2be83388baa033cf774d022c34c6621ea6a3bae7b9a40637b83e84e76452f26845d9d2a666d52853e98e4a565f813648734711d95adab778a460cda72d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7af103b24af50bc91b7332256ab3b853

SHA1
c7aa00577c34b00fbd8f578f25d0bf9d40be2eb4

SHA256
d2bae2ed4b5b186013d39469094413b3ddb729a34512b1c33b2e5e6f73cba89d

SHA512
ffc8ae4491124eaa9de272b206abf2efd859258427715982c2fe1fb1c2d544eb6083ed319120c9ec656949e5bfc02a8af80cf5779f54b8fca7e44d78a52b3258

Download Submit
memory/32-37-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/32-231-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/32-28-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/32-36-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1036-232-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1036-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1036-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1036-45-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1104-392-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1104-586-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1172-403-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1172-293-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2012-379-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2012-267-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2448-14-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/2448-8-0x00000000024A0000-0x0000000002507000-memory.dmp

Filesize
412KB

Download
memory/2448-2-0x00000000024A0000-0x0000000002507000-memory.dmp

Filesize
412KB

Download
memory/2448-0-0x0000000000400000-0x0000000000614000-memory.dmp

Filesize
2.1MB

Download
memory/2676-512-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2676-319-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2744-234-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2744-82-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2744-72-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2744-66-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2760-365-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2760-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3080-58-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/3080-52-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/3080-62-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/3080-233-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3080-65-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3580-282-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3580-391-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3592-241-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3592-248-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3592-247-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3592-361-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3596-415-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3596-304-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3996-424-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3996-588-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4028-330-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4028-515-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4132-341-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4132-516-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4308-24-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4308-15-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4308-208-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4308-23-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4332-412-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4332-587-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4424-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4424-265-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4424-253-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4588-380-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4588-582-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4676-517-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4676-362-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4776-437-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4776-591-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4980-436-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4980-585-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4980-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download