1804a903481495cd03a0ec5cba55242ff0ae1407c025c06a17bce73509db4fd6

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
Size

1.4MB
MD5

60c486ff76eba7919a4c7e4b2909ba2d
SHA1

9acbd7eab72f1592fee33bccccae60627eec7519
SHA256

1804a903481495cd03a0ec5cba55242ff0ae1407c025c06a17bce73509db4fd6
SHA512

6b04519d2724278554825c3131cb7b99e3cda7bf845bc3f48aeca3c72aa724f0b0d79cab34a67afc3e7ec905336dee8887abd4f7e1e9a0a38b627b7f47e6bb29
SSDEEP

24576:cqxc8nX2OD9FLB7DrneLODlayAjnIGTQKIfP87wxQsqjnhMgeiCl7G0nehbGZpbD:cs5XDB/SDT2fP8mMDmg27RnWGj

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2456	alg.exe
4680	DiagnosticsHub.StandardCollector.Service.exe
2956	fxssvc.exe
2144	elevation_service.exe
1468	elevation_service.exe
4072	maintenanceservice.exe
2676	msdtc.exe
4352	OSE.EXE
756	PerceptionSimulationService.exe
1840	perfhost.exe
4892	locator.exe
232	SensorDataService.exe
3764	snmptrap.exe
4780	spectrum.exe
2872	ssh-agent.exe
2228	TieringEngineService.exe
4720	AgentService.exe
2484	vds.exe
60	vssvc.exe
1528	wbengine.exe
2860	WmiApSrv.exe
3116	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eb4cd2a3b36a5b05.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80406\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80406\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80406\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e6b9051a0f5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084c72550a0f5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd539751a0f5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008414f951a0f5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9b1f651a0f5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a1de552a0f5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000450ad252a0f5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4680	DiagnosticsHub.StandardCollector.Service.exe
4680	DiagnosticsHub.StandardCollector.Service.exe
4680	DiagnosticsHub.StandardCollector.Service.exe
4680	DiagnosticsHub.StandardCollector.Service.exe
4680	DiagnosticsHub.StandardCollector.Service.exe
4680	DiagnosticsHub.StandardCollector.Service.exe
4680	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4800	2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
Token: SeAuditPrivilege	2956	fxssvc.exe
Token: SeRestorePrivilege	2228	TieringEngineService.exe
Token: SeManageVolumePrivilege	2228	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4720	AgentService.exe
Token: SeBackupPrivilege	60	vssvc.exe
Token: SeRestorePrivilege	60	vssvc.exe
Token: SeAuditPrivilege	60	vssvc.exe
Token: SeBackupPrivilege	1528	wbengine.exe
Token: SeRestorePrivilege	1528	wbengine.exe
Token: SeSecurityPrivilege	1528	wbengine.exe
Token: 33	3116	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3116	SearchIndexer.exe
Token: SeDebugPrivilege	2456	alg.exe
Token: SeDebugPrivilege	2456	alg.exe
Token: SeDebugPrivilege	2456	alg.exe
Token: SeDebugPrivilege	4680	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 3160	3116	SearchIndexer.exe	115
PID 3116 wrote to memory of 3160	3116	SearchIndexer.exe	115
PID 3116 wrote to memory of 1928	3116	SearchIndexer.exe	116
PID 3116 wrote to memory of 1928	3116	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-23_60c486ff76eba7919a4c7e4b2909ba2d_mafia.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1568

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2144

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1468

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2676

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1840

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:232

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3764

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4780

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4956

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3160
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1d4dcb2accee0db0dd50f56bb2a5f7a2

SHA1
4f99baccaff36eb49e0252d76b0d710834bab5e4

SHA256
02844bbe7dd95bcb89e72376b999c668a8a20a099a4a4debb1fd5c768fcbbfea

SHA512
7cde6fb0140f029b8a938c03205dc6c46855aa85863f5f1a5f1942b4ddf1e2e02458574afe1b97db0635b2eabafb5429a5e594d0334dda4033198d4a9265a8c9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
811ce754dccbfc4dc1d54d892793a0cf

SHA1
a7dbb3c9251f203aba74c5fc3bb67eae44935c61

SHA256
380fbd877843e3f0717b2c33742a06c0d27ec1e8a2bc95ba69aac01101c3d704

SHA512
e86479731143a501ee5faff505ccd29f03d5e2815ce7e7f9272c1010a9b7ac2e5835b154f37c36e101964f821ee9e72bbf7eb2e8ecfd9fc3da0fc5072f19e4dc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5883125bc8375f5f65085e047c376bba

SHA1
019408502094ae6f3c429027d7e5a39a78e89298

SHA256
cd377b26175e8d39c568f76a2fef79f81eae2b54c972248cb6a26ada73b66a40

SHA512
eb5b12cf8298c17ab3a1e73b88bfc5f2c1a26feae517f8ac35c26c75be21f2bc54ab356f258e6e0c98d1db40a560604a97b502d73fb3e1c3fc174500047ebb39

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
598e6a6a7347065ce9a0ed4bf1b19c8a

SHA1
93465eeaaae6a94fc5d87364b7a913a4ed6c2d57

SHA256
53ad29dd0ec9c45cd44f63d12b0a70576c15fed431cdfb0b064a58651179ea6d

SHA512
544b88ed814f7cbbc2721895c50aa0b8854cb2ed42a2874455734721df8c4552b208ca83c72998f09bd4ad930640ed117df5852508d183f898f52508af3840b9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0752f6be2138f58f3ed346da2fd157ed

SHA1
b4f017be83c7560a7aea5e315975174ce4b6e4d6

SHA256
a47f02d2a6b57928b6562d2001cef8acf01d8c2844c94a0d55adea028a2ad4a0

SHA512
8d4461029851f645e92f3425c100e950ef73b090da4aaf66795d61a8f6c0efabc13c939e61acac533bf60710e765833c56ffa963aed55b152f8923df32be6f24

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d9fb62a8b68d321a066a6637a0e1922b

SHA1
214b528ed75fbc2d38014c0d1525407ad32801d4

SHA256
6d85d69cdc2659555768e4a3fe4a62fbd32160d1697a2fe16f59740e66a41259

SHA512
55b6c111db248013237bf2dbcbec1463bed6aadc7310287c263e3afa2c643edececece8769ae419300cc72c6547f9fa48035438e2d12c086da822a1ae1ff83c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8baef572763ae14b0a818e4d9cfcd22a

SHA1
5782cd16a638b97f8a0b48f7597d920a34e89b9d

SHA256
f9b37ecdc32b7e65a91da9c0197bcbc8ba127cb5f4174dcab0b471fdb07736b5

SHA512
75322ee3797c264d203f2efc47295676c9b93c51312c23a1333b8d9e2a871fe19e4e2264dd7f00abac6f09d9bef0c2915b874895f5e51beb9f27985ffd7cb178

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
26f69cf86fc50d57a214d0320723f2b2

SHA1
e1abfdd62e70ac815da87aab205017ca804dde59

SHA256
3cec187e51d74b6a674e70d4c8a8832ed569224639fc3dac8c7c3b0a89c4669f

SHA512
b22235bf8fc2d0675c3696a065cb3e27773257f206bc7d2d4956f312ee0ea7cf34739195b32d58e5f12484842cc971757c244722b64f4511e7a06acbe44446a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9ebf7aeedf7825e81b0c57e2cf065d5d

SHA1
2252058c06afa125094fe44c5fb2f67bab302a94

SHA256
d6ccef548c65f9f37e2bd06a84cb1be4dc9385c1c914b8ecb251cbaa878ca961

SHA512
2f2de5b02f4dd0c277717e9a1fe908ecba1a63f9cbc7d7ab3257300601498d5bb3985bbb789b75f6cc2850806fad890357b7edf3753e6de94c1fa3720be1132a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1ef9a7fe3c65948296609476b5db0efa

SHA1
b6187c194cd75c7b4b1679cab3dbed3c1af71458

SHA256
2c5f8407a3a92fe05fd131407c3730beb1b7e98e6f2621833bbeabcbcd3d59e0

SHA512
356ddff12d4ee7716ce93dba84d00b959a9bf4b21ecd03a7388a52389802ed77849d2cb1b89ad6bbe27d12b12c6f50dea2d812c5e6ec29ac4a7d609f31498b01

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
86c7b544cff4ce7d0191c5a6be592bc0

SHA1
a0b5f9dcba818fd4a154d539e4378456140b2d8c

SHA256
facb8f0dd8c1b55a132268587611f9cdc2ec1e0b45f39c2fb09310018db1e78f

SHA512
1d2023341336cd5c16129af2224dfe9697c29df5247bc9d7c67fc2d641ef1310931e577ca0e2396605e7c36c654d07de2862e648914f0de51255d1d5e89c5518

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b6c850db2c391bf82809b8527f094649

SHA1
c23d08659c46531271567cd4d4f532cd2a11e748

SHA256
966887582b0b8857f55e3a48b6ac273aafc02b6c9afd4b1de4194e5d16032909

SHA512
86897b7ea18cae1152d6476219258311f072e82eb26802d48fb746f76243abf7018c901753e1f1ef13ae0025e70b1e736c335e3729cd1a75b202b827bcd7f704

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
82ba0dc51214184284ad4ed8f17852d3

SHA1
7561fa693ca9b2912306c833ef82f369d8ff08a4

SHA256
9cd9e612e000d3cc9d4dcc39e404c0e431e9335d49381c61741393f46d6412ec

SHA512
98d7ad5094ed53d7163cad2686a91f1f64828d23e1dc1f2ea2b54d7c6f02a98cb05057485628b46509cb41efe74864b232db9c9dda00037d532cfd5e45d6f698

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e2b2ed9258f0fbcaa4db8a051cc21dd1

SHA1
b2cf23e9218bc937a134e64541485df36911b61c

SHA256
93fd54d6964b7079188b3ed8c6c652b1fa661082a79563ac611a1e1c585b2058

SHA512
bed6285c575d9757271bb9d5cf903817939cb28a24a48b5e627c8076d6b5e3dd9e122561331ea75c221de13be2335f1bad10709a7950a8b2383900e9713f1810

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
a0ceaa4aaf2e9b6afa354fdda494c031

SHA1
e6a8b257c79145ac7c76541652bb0caf4ec68913

SHA256
eff559c337ee4bdc44538426b8b9b9cf9f8c66eb3836db95dbfdbfb9b2371cac

SHA512
6a87a1e46d8622ecfa32830aa86dace551b025cd013246c13711a7893a32bacbc0f07fe29e4e4e95b922d63e4ebaaf249d489259f141177d0c44601550462387

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
8ed334d415817b271c774383b2de8289

SHA1
fb0d2ce2e0daaa513405a6fb789123a0b3951240

SHA256
07fd07536379fa9efb74ca1a53fcc652fa4db2f67a45b93535291019f95e1ef4

SHA512
3da8eaadf73733983e357b3a3cf9da7a38a999561ded6162e7696d81f19db86cd686bb3719919275c5d5130929f8f7c9d9f0920954a5b2eadb1fbc6cd26c063d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
e0eba7001ee0436000c2c61f6dfad408

SHA1
c0f76b7da684e5fb584926c194501b24eb32a1aa

SHA256
cd5e0315809c5bac4660b2f014794a615202d692c234f988d29b3f09bc7b4511

SHA512
e3f62589dc5ae5b54368557451abb157ae64b787ae967c9a47c1894daafceaa3af0a4d851a2dbd9990336eb62f7b1de05a8e49fedb62c4e1aec3c460df8ebea7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
166a46bea76f5406d4964f885ed4bd52

SHA1
720c75b71d3c5d591cc950763832cb79b5d79e28

SHA256
9bc76534b8ca7bcd0d157d39251a2c9447bcd62aa77bbbb3561fb770af65e123

SHA512
758217fc530ce1ce861ec5f08110f6987b85e1280b340f73ebe314875be0bef96187216113a3aaabff14d08c33895e33c682913f68f24861ea8c567554c0e191

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
43861c220f267e958c773ec9d8fcaec1

SHA1
c7173900461f3a6fb44da7a03558846468da1572

SHA256
31ec712c63fe12dcc4942fd6b32e30f748ca2a1b3b6fe4234bc32f9aeeca59c5

SHA512
ccc8ab8ade21335bc58619ef79e89a065a1c5a225edf1529b7afe417cd3ad93b0a6252694e78f15cdd8a97c1852ac204d47c3a84ed86df0aa0a7d3f213b306fe

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
9a5b44507fdc0e3f2b3fff1fdd8488b9

SHA1
401ad474166ff044b0550e487796870db784c54e

SHA256
6b83351702b12578e08de9a317ed2f7d65eeb23b621ab128dd4fecfac6fb6a39

SHA512
835d9f70c644b55921b87636ff6e7857c0caab3796bba199356064ba4f31b25bc45ef9718087ce512ea88a97a9af69cb8a46f01a1fb8a6015ec31364678920c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2caffb234a51ac3408c8c8726246719c

SHA1
18691279f02db3fdebd399ac76f8bdfe5f25938b

SHA256
0f958f82820b5bf2b7be67401bd32c651a8226ad91999294e3c6500ba6f85d34

SHA512
94d5591cc95f564f34987ea5ea5d01bd1dd6e7ed90496fdc658ecb2a47d84da9c953400517abb20062f74405903e1cfd9257c7128f88f54cd452aaef0ee7c621

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
b034dd09d204092bf44c853d316d58e5

SHA1
6f169ff88bd63ec9a9675d7d02b7e9e9fa00a506

SHA256
73d8b28d8907b98e73c8d307922abec4f68d3f178a0843f32040a1b1705f8d2c

SHA512
b9ccc90cf792b755e9ebbad41a5bbd3f0e605287c5dfcee64930fdc0627b0169349ce31b9916ebdfe90e2a4addc025a749c71fdf97ffdd64953e85e7982b452e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
e3b960c634b0a92321b82613dd559ae7

SHA1
40b55c5890f2de1dc69a4918d62f9575e74b8c84

SHA256
2fd204882c306ea91e162f165a231db52591ff2e271e7e4fc53c783c97d6a8c5

SHA512
6a1f35abff08cbd2643e7cbafb263559becb841a7719792e4d7f51872757f6c359d4c5dcb2137849d6013cd2ac358c44ad45c192bdad4e09658dad0a8e7e740a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6ae8f78bef0dc5a114678f37b10c3c89

SHA1
b4902a2e40bf8a1a30b4a42d26fb106008b4313f

SHA256
df20bed00240e5f9e9024169e389113f538023a6edb91d8d7b9577b771892ade

SHA512
8e3749af44194aea1cc4670ed71b353760cf6fc513a13bb0e0e35ce07b1b7b3925e37207c590956b2713d33303a926e5bd9fd6bb3fbb6ddeba6ea5948152762b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c3a8c67a9237bc3069f2c22348bb5c78

SHA1
2d5fbee6aed15ee32547d343cc8b1dce11152144

SHA256
783f676a81f017dca9a38a26a0e12c4ce29287b345a89b0e0619a43eb7f4ff14

SHA512
daeec6da2884cd90106e3b3e996f2f795609a15d5ee5cfa84eec8251b6d3d6995b144383a3731cdd919a425c3f7ebf7fb468a03c5ff8afbe7fee4ff1a3bdf7f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4d39630082f65e0bd37ad2512da7fe25

SHA1
24d1c897d81166230799ad9174ef62da7cd39b5f

SHA256
745dd882cff0db12c847eef476ba5848d7c348a446bac898dd91c18e43e2d6be

SHA512
03e63cfa940aaed1d9faa568bf77fdf7466f09a5e2594fa69480a4f44cb8a2a37877857696211252ebac4f39472b5ea9a4cc2ceac63caafd3ed605547043b948

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f16012e1093575e83648c200f4831a7e

SHA1
9323e3558a1e94a6b6a834eef54c2700d69542d0

SHA256
89577692da9851bd87d97d3e74460a034ab9970b4920d38abdc08d499cca1812

SHA512
fa215f9b87943b474f22d726b4aed2313b9250403c78fc32f40719ee9fe5e088e3709ec43c54bde3a35b521cbed0ac490eb53ff4881c445283adce49f879e39f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f6a5cd728f1ff4a2293dd39ce23c818a

SHA1
8360aac5ccded9bc6105e4b79d404af8513049ff

SHA256
5fffac6acee993f0508071c0ff18451887c1235d300275de20b59a5634ba2191

SHA512
e39eeed7f69ca7fd69ae96a4abe5605b884006d5c5f2737b28092490fb59b9fac4be307a9688be792482b121cbb294babe7000cbef67212723e5c9c1d73f09e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
38fb67e94a0bff27b82dc2c6989dd954

SHA1
0a4e39852eaa5deed5f8aedc827270828cca2c0c

SHA256
6ea608cac40e3a89cc0e9a487608025bc83940f05250ca54e77f3f7c2858f380

SHA512
9828bc62cf72d8df7c16b5b766746d7624bae3307183fbe386d9fff18bb6140b0e28e09e0c69852ca6d1e13a0920755a6e76a85fcceae0409ad623038328a2aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
6737506f1515ae209691057d9edaf6c8

SHA1
1f651d87c57643e7b10ce2a23da6ad32645defbb

SHA256
1507072ec6974c577ab8429eaa985171e955afd371cc76f660c3a81c0ccd87ff

SHA512
9f13ab04627a5babe7f88bdcefde83fbce142ec522c9493a74142be29d0eb5b88e759687d3a9a9248240050a771d6ab8e38eeaba03add220fe19514323ea9f24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d669490f34e854a77c181268fafc0ab2

SHA1
12e9f2d93ac0d19904805e4315260233cff905e8

SHA256
3d8bf64de4163a30f67d0d62f474048409a29e7ec82fb6d7a3a03e48480aef74

SHA512
3397b6d46da45110c26b5d5b1d29c7c6ca2c8bf17e5aa0b984515b497e957f7362c6c1ddcaa04365f21472633e01492dc27039cbe5a6ff518e8c55bcc5b98f1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
7b74e0578e5dfee6e825519e83c9d6ab

SHA1
0f0d0f2d1af5f89b6bfe3ee58df5ee908bd860bc

SHA256
c172d6a7e26017cb75bc05beaaeb0fb8f1c9548b588d157fe31f0f6cc46dde6b

SHA512
724aab2c6b33e48ae99df859328dacd0f8178dfbc0d5e4dce9dc1758c1044d614e2614e7a85bce456ebfaf17572ed073e2d1ffbf6034c0fd2db96780d5a2ac49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
fbd58c5847f42537195181c89c43e49e

SHA1
e3557b4b81372ac3aaad84fd7212fee086dbacad

SHA256
a5bfa0ba606a38d336a2bad3692203a2d49355211ca77d250b6e4826bdd4abb0

SHA512
c128505ae5a9484e60c7db539180e22f3c9d89c42fc68f000010a9682a7ec8b4f59c2e6281427ccaeb9bffb74d14268982dd67211788c08f88b6826cf756de20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
d17f182175764d40ef8395324ab77256

SHA1
81adcbbc5bdb4115c5b364ea438e11b251b28613

SHA256
8944f8145f8592292203e90ec9f0ea9f6ecf2822fd12ca69ae987d1fd1280119

SHA512
193b9c4d82c1af93f32a0f5bb78753c9c5fd6fb60b3e74cbae53521b885cae63f84b61382bfe2dcc221a90cea053c78975035646545404daa4d0581a81e1224d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
247a99671328ae9ea1ca15f821696358

SHA1
3ff0c7b86bfc841af096cede1c935bbaf87367df

SHA256
e6edd6d05ba9ebe2dbe2b1d484879b47f06f3cd9286fdf13ef4e8dde0c5e71f6

SHA512
672ce968a7839863c33450e5d942eacb1c6aa546a4c97c98f643681ac69f35b998b434c1b6f52ae0d46cdb33b16ae44c18b6dbb0ae3fdc852998650a45f0ea37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
5b4d24ce3abbaaad48f0eb2be00de63c

SHA1
178400448e725a562fed2910bddcdbf0aad3b95d

SHA256
06fe28842b5395915b4bd32cd1f4e337cb75452d9cf6d6bd3165dbc039bd06f7

SHA512
e0c7c6481036606e2fddb13f7b27405072a403cd7702fd10ee10b89543d387e66e50cec255260ecdf8e143f0207e0ffc699a45a8946b24a17901b093bd64194c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
a6ee4b6d762324a9e6c0df22f12156b3

SHA1
b8a98aa41c71ca93da920850c49c9a54355e7c58

SHA256
949d1fdc9312ac8740e277f7a15ab34171e509054f99b00c4608530f0ed2d300

SHA512
258258e7c91b722e61283b75fe1bdd64dad17aaaf54fb8a5f6ae4bdab6726115b03bd7890c9fba0f37fd2d726b7d581f933d9aad8adaaf04e901d7d246718b1f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ac22465f25f0e632e0247b1478ef2885

SHA1
bd3ca4559431dda95c09c3cd8e264bae8ce9b8bd

SHA256
4d853bccaea29db325d29f5882cd9126b6e28e27bcdd910f6194621369876808

SHA512
f2e51886c9a9f5e578a750be63d09c77de7a7d831fc8eeb6ed5ef181c2d37718ed289bca05ea46a7fa00449004bcfc02d4c7976f0b028f7584af6ebfc0790a91

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9c179f346cf0ff8f6465eaf8d35d9222

SHA1
1eaf6f9dd570ae0b75c3af3ba915da39fd89fb5f

SHA256
e85ac09c65ccd394ef64e96cff9d4795d2a49ddb91c5b82c4b6db74ba838741e

SHA512
9822a60c21827a7d791deebacc49e9db8093c7c2284e66f18a6db1fb1d543feaff2a97188cc4ec895254127422e0ae3bd625a475f5056bdc56f68e9f0ccef3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
96e17add8930b7b103df0c1e9b697b28

SHA1
c3cc0bf756760ae0e5db3cedb6c17a086864562b

SHA256
19a49ae1b5f992235119969b2ef39750ab73e046171e1dfe5ba624d205dc44e8

SHA512
7efbf8bc544cd1e82f25c12e2d1d17646573327af177402e24509e2fd04ce5e52d446b0f40ca942c9652572fd57016c268ad5ea197badcfbf112d91669a7e263

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4c7f67bc917e5037bba9a20e6891112a

SHA1
15fa2ff6cbd4bd09bae4bee1dde979a91e0ec0d8

SHA256
618129460db0de1d14e340657e718511824da53da38f2d635c1a1a832cf5de81

SHA512
b515106d88b35f2c6fadebb01acd921ea9f3eac201b041b6f25d312e1d003c73241a83c74b42f14eee659ebf5f157bcdc79ea08e45f8b2079bbaf2f48a31827d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3c1baf40dea6a32246940f70db24d58f

SHA1
beef614a33e8bd844eb8de894a10ee4db21d7d4a

SHA256
0d6d76feeb3ea3070d35b97ffce865a4dae96f6662ac8156364b55a96d518da3

SHA512
431a3075dec102132535ba40dc95c8182ad97630fc5189bda039cf4cd99ac19393bf482dc0b2c0925a07d30091b1dc3e42b7468339878bee74c5d2e1e07a7a0c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e83691416d0404a582bcf9c63b5c1a04

SHA1
432f7a9e803744964c379c8ac4413c0fad4a5a24

SHA256
a63b3bdd3317b6436cc6b86c9cc5e444130a7d1cba259947908e98a08d5b2ba7

SHA512
88108101871e8fafa81df5b242cee94562c8dc71b4db2a9a3036e2581dbcdc3a7803e1b47702cb6665338032ede4c9a1eeffc7d338b3e73dada6486063dca7c8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
061c0975ad97d299b54b88d3ab6efa22

SHA1
c3101b85e80b40249770455fac8fe6b46f70bec0

SHA256
19a38bdc900348a326d83dbee7c93285452da5287c0cfcb90a652fc23c4577ae

SHA512
4c257f3ce1ca9124122c5f73b8e25099eecef3e3be10e7d2713f721fb5f815f40a253e31276138ddf7602dca564d8b787f1917ed28bff4cef595ebeced87c3f3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
35b3e3ba6784ed69ad13588d56f0699d

SHA1
77599b427a3b221f5e2a1b2a7e12e9c03c161f22

SHA256
9eb5a5263a0087ab0099ff9a01d208299e13cb3623baf96fb82383cccdedcbaa

SHA512
a46100fa31c451867662f04ca73da1bf635b13c32ebf94cb805682cd3f6438757134132c3b1081cdf4185a492e7119146bf7e137e9eea79e0d68e980e7b8440f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ac11c1919aa2e46e913a291f9fcc6f98

SHA1
eca418983b032ea8321895e6abccd3af0fdd0914

SHA256
1b40516e44a41ba843679e3f72866e30b307ffdec6d431a57e59dea61c5499a8

SHA512
e473349eb010112d8063d90a4fba36e8a0e665b4671012d18ea71492008f90b72694dbebe71e66cd5a33d5b359a018e2b152c85860705e72b47229a7e3c8738b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3def1883d2eda384f97867247fee9462

SHA1
54bc4df3ee5524248ce9338d13f68404f51f492d

SHA256
58f78475ea8fa38571e0eb935a7370ff5c5d18a99eaf494e85b8238276ce1734

SHA512
403d5e4eb1f8575908462dca5cf89d054a4066bd7646f48d34668f2040731f29157670743504658460060691b3054fb7883cf61e8d7ca577fe1dfa452b8314e7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
62f512e1f117543bcc6a424824ca5e17

SHA1
ad66ce9145abab105da2a50ea1cb1a7ca56874eb

SHA256
317bd2b2f71d4bb25dab7f8f8f7f78b9772399e94c46040f09a44d7945b8f5c1

SHA512
bc07f72f5faced1fb8090d9cfa93dc2bad97f82e4f2702ac2b67a4101c17fcfe576ef1afd2d1ef7c054c9c6ccacfe646cfbbbae115690cf99a73256588a7475c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
456337b60cebd79a3742ad9625bd96a6

SHA1
21957d962b3df53d45cfeebba222af5ba5e5bd67

SHA256
5fea0ba978bc3a4a20ccdbe76551b5fbd3c59960da171d8a938fa4f22dd0eca8

SHA512
ab935fbbeb8640f216c2905170a94695f2abc06eb2fbba8ff04b42eea9a57b828bcaa04fa45af2a2ad55fcbe0360afedf5ccb779f430b81f71fa91c363f2ae8f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6de5afa1877068f46d964b55ef00b477

SHA1
2e2a069d99ea607068a03ac447707d2f11791e89

SHA256
874f1b9e3cd9d94113e7523bdc0bd1d50c4c22661c0a8616e3f3975c072d9fe7

SHA512
d0b3284b57daa309b942aa5f7908995f1bffec7d93f9187e20e62f1d540491ecd671e9f657f0261066d098fc5ff89f53838531830979d8793cde4d3aab786bf9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6866c6162873825ce2dfd7726a0822fc

SHA1
97971fb16baeab3431006d64829966ec866f8192

SHA256
9ab573ce9cf4cbb704ea9f88148a4ce0417a07e9be055c031a36df9b59e8666f

SHA512
b815b05754f50eef5de9be4d2f6c5e7f63c653e3911c2882d64aef1fe755c910e1b2c9ea641bfd73a9d369ec117223f0fe634616a79a0f1f80ee38034866192a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
79fc8fd254fd074e983b8ca0798e4d3c

SHA1
27530d657a40ab4466cd70718c34bf95d00ee65c

SHA256
ca6836412452dcb31d116eb59536bda23ce091630f9341aee575b2c92b7137b6

SHA512
b45773bfbee3d55cec924ae0ee133e336c53feb1517e68ed1602da7c54cb7f5797d9fcae65a3068f3c2344fa8659b0251d52458c37f06f6ed94a3406cba3097d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
179fcb5ed7f757d82e1c54d8dcbe91e6

SHA1
45d21eb95b12afbe850f264996df6a03be21cc61

SHA256
c1f29a16098c270d0de97d7dff0c28dd98924870d8e9add88b6540c8b65c7dd2

SHA512
fcae52c180ad0d2eb1c573fb70712369e0a340bff6c56ad3ddaba869bf2dba8bf4b5b3ed94c03edfb457c1f3da86a4b1e8004569935107e1e238f9281d6b62a3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
81ada19bcc5a7fb4c2fcd4cc2aef46fe

SHA1
2fc37e55f5e321ca0aafff06a5d0c0b343b11d72

SHA256
78a6f8f1a882b6077ced4105b44ab6d69a6ada2aa74d234b17981963d1905694

SHA512
6f5c45777eb8b95bb3008679019dbdba729633b59829d579e44ff94afcc9561d2b6236a65a1cf836127f15378a5028353189bc3dba9b4a8cdda9cb149fcfc6c7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ab76a0560c59113f4a3557ff51365501

SHA1
c8f858159dd346a3636c12bfbb6cd9da3bec9ced

SHA256
8261e41a67750905bbfa0f8f737fb69b33f0bbd741d5c2bd96dcd4c33a1871eb

SHA512
5eba1c715cf0829beb348acf435d111a5055b073c82b61e0d37a2b855b281a4a181723a810bc4604f6ae5fdde9a5ea5bb4543827c1eef6ed834ab0941be4021e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bba72e44d23b0c05eb582e369af47b3c

SHA1
df803f15086dbe3397d40d0cbedef457c1d7cea9

SHA256
2030ac75cd75dcca16ed8d1b71e1f0c6e0a5c62453eca97575a507f1306fa3d1

SHA512
6c657c63b1c4c4bedf36c7747c30764245ec8d935035e4aeb700caf3e3825cc39129cf3f378077138249c92a4b11697aa878ec84a2f2fd65947a5fb7f6eb5e5e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b7fa17cd83231e26f4d8cace3bc9424f

SHA1
cd01d2ba350f3a3f43988587eeb521b94008622c

SHA256
839f851742e9d8f574ca44ec8cc00befeedd761d558c143353f9f31c5f80d657

SHA512
741338ea13057c5b5a62c2795c0b08898b4de17e13c32507c87cd8814f2c90848fb7aa30098f497d0f657e3798ef3b086a197587d72adfdd7d48d6ac9f9db1a9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d644938f22faded01ee9918e94060744

SHA1
acc1dbeffc7184f36324545e90cd84b5bbf836db

SHA256
b0dd0e40d305319e34112455434d42b85240a18df227659edae3ed0fe92c55ba

SHA512
c8dfb955f3ad9283e733b456c1af5b9fb53372e14dc665a676bd4f9b1ca0a98c70f4031424fc98ed0a628247b788000a744d8c1c3ff0c7cb42b71db1907f64e0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
48833d7d9067587096a0ab37a78b80e2

SHA1
4b615a04f53b72eddcafae3f3399952ff73aa68e

SHA256
aed6eefbd8e490879f86a572e7fe2de52286659abbfcc1e848906363b031805b

SHA512
324a3e4b8410238c87410d30619f815ebbb1dc9c0896ce2a48c96584fa33f1657fed13ad6946e197fdbc2a97f1498d6ec44572549954236408e11c11faa37453

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
61d98d89f310f6a59b40800d412baa12

SHA1
f29ed68a9d6becaf85c9b1120ec1f46f0cc441c8

SHA256
498f3f4885c676c0e6bcd2383592aead34979959aaedfd6c8dbb407d1e425eb4

SHA512
0e60da628ac5f745fefae96290aaffec4e35d932638a17f142c3036b0b8dee054952a4d38721e8ef0a2c70182c084acc67f628d6d958e7e37ad8c26ab06a9fe8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
60c020864ce32a279d497ea312b8878d

SHA1
4039f453dbf56cf7783e94b6eb016ce887cf8061

SHA256
078b242328392cc2f24b0ec182dfbebdcbfe91a7ae483705e86d95725ea8893e

SHA512
29b78d71e75c5169d982a38f1b02a1f4ba0ea501b8b31181cd78fd5cd14095a5ca8f7ab6682f67db1e00c8a54a9fbc572235ebb42c71d5f648737d379edd01b8

Download Submit
memory/60-250-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/60-602-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/232-669-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/232-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/232-163-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/756-249-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/756-135-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1468-76-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1468-199-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1468-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1468-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1528-702-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1528-262-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1840-261-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1840-141-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2144-65-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2144-73-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2144-66-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2144-186-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2228-211-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2228-531-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2456-26-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2456-24-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2456-18-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2456-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2456-134-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2484-238-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2484-551-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2676-103-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2676-108-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2676-222-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2860-274-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2860-703-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2872-458-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2872-200-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2956-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2956-52-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2956-58-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2956-60-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2956-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3116-704-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3116-287-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3764-375-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3764-175-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4072-98-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4072-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4072-93-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4072-87-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4072-94-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4352-237-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4352-124-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4680-47-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4680-40-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4680-41-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4680-151-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4720-235-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4720-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4780-450-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4780-187-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4800-478-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/4800-0-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/4800-1-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/4800-6-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/4800-100-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/4892-273-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4892-152-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download