f591e69a6088c8a72f5ca83272821f2eaf225bb114fbc91177d4416dec17cd03

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
Size

1.5MB
MD5

2888a80d6ec92b3a3afd6b4a47f9cb3e
SHA1

a05ce2d74d95b7517b893c6732555c11410afd97
SHA256

f591e69a6088c8a72f5ca83272821f2eaf225bb114fbc91177d4416dec17cd03
SHA512

d30ae3952f4fc2a45709efaaf9a9a05c2d4db2f6b8404bf16b68020a81915333b66425d616cd892845fd8d27465a158b8dfc0bdab383c91bebf82ce5f28c2a53
SSDEEP

24576:PvrHWdZcy2IyqWarHQHzwqTMV87BbkjCMvGdLtfsqjnhMgeiCl7G0nehbGZpbD:Ds9LbQTjTb7mGVtDDmg27RnWGj

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3712	alg.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
932	fxssvc.exe
844	elevation_service.exe
1268	elevation_service.exe
3008	maintenanceservice.exe
4364	msdtc.exe
2408	OSE.EXE
2432	PerceptionSimulationService.exe
4032	perfhost.exe
1296	locator.exe
1684	SensorDataService.exe
2760	snmptrap.exe
5076	spectrum.exe
1844	ssh-agent.exe
2568	TieringEngineService.exe
3348	AgentService.exe
2292	vds.exe
3180	vssvc.exe
4224	wbengine.exe
4408	WmiApSrv.exe
100	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a3a6776f983eaefb.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c98bcb5aab1adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e378b85aab1adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cdd9b5aab1adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019dbba5aab1adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cdd9b5aab1adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb9cfd5aab1adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005029c95aab1adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037efae5aab1adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c38e8d5aab1adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1804	2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
Token: SeAuditPrivilege	932	fxssvc.exe
Token: SeRestorePrivilege	2568	TieringEngineService.exe
Token: SeManageVolumePrivilege	2568	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3348	AgentService.exe
Token: SeBackupPrivilege	3180	vssvc.exe
Token: SeRestorePrivilege	3180	vssvc.exe
Token: SeAuditPrivilege	3180	vssvc.exe
Token: SeBackupPrivilege	4224	wbengine.exe
Token: SeRestorePrivilege	4224	wbengine.exe
Token: SeSecurityPrivilege	4224	wbengine.exe
Token: 33	100	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	100	SearchIndexer.exe
Token: SeDebugPrivilege	3712	alg.exe
Token: SeDebugPrivilege	3712	alg.exe
Token: SeDebugPrivilege	3712	alg.exe
Token: SeDebugPrivilege	2320	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 100 wrote to memory of 4524	100	SearchIndexer.exe	112
PID 100 wrote to memory of 4524	100	SearchIndexer.exe	112
PID 100 wrote to memory of 3336	100	SearchIndexer.exe	113
PID 100 wrote to memory of 3336	100	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-10_2888a80d6ec92b3a3afd6b4a47f9cb3e_mafia.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3936

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1268

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4364

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1296

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1684

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5076

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4804

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:100
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4524
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d05067f68f82b8ed2c285cfc7a94a6af

SHA1
3b13a05310faf0256607f89530f7f8efdcfd21c4

SHA256
e779d07857f9377d383de40bd400efd74e2e0a0435d80e825bf0e90fb1cfbee8

SHA512
5bd747fdbb79f70237a9a5e6fb3d25bde3e09c088be629808b62e373a75e2bc083b7ce9d722202bc9e27b37178570a42fbc20bc98542672c8997d9a54314d546

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
2899c483d8d6973cc17e510ebf7d97e3

SHA1
5153d77bf86cc719af067b758710f3a28c49e5a8

SHA256
79c6a401dfaa5107ffe6ae20dfcff7141d72f46b1d39285cb2fe5f2703568a3c

SHA512
d83124601bff541d1f6e0416763fcdc7ccfd8a21304af8de34496358ad0a7a4853a5e359a72fcde03bdd46a44d7fb648e62bd276c07d4aeb751a185788f1fde2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
3b4e97ce36312dab8322cdf8201b0e49

SHA1
cc176a1f8960953604359e1ee9b96f2ae32957f4

SHA256
cda14044c1195d2888929c3721103be2ab9039be0df2c326802ad1c37dc368ab

SHA512
413eb8cf94a7c3a5c539a46a6f13dd7f3f98fc12025cf884ce2fd3f34946b336be24bb4439411abadb8f52120487e40e2ba597bded4885a1bd35cb524a9f0a32

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
08f7187e947ccd51a5a2cede78217372

SHA1
9eaf7d303b87ff8c4958f5ac11d1a6d7d5eb2d8e

SHA256
6fd6bd3ba91fcfb57f2ae48704bda0cfa43ed14167f0589019faf3e776a14530

SHA512
115e095c1942d4152812985e6a712043483ec24bfa5a15b034ae25e1cbace8bfa0a65a1b0f2e5e508ddfc803c20875f3b91fb12207380a495d136f00a681a62d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ec1b30dd03b0dfb6d0121f112966e1b7

SHA1
daf266bfb2682e930415bf0f29b547129ad369fb

SHA256
1e968a8527ca4521643441d61afba3379a00c2f7503911b15264326c374736e8

SHA512
0e1a5cda8ee7c2452d6476d48ddde1b3b634d63d40a9b1f3d3d3c9da64b8411872e18131d0f7f0c8c9abf706b91e4ea018a88a7586140e916308711193572a6b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
78ff2e6b7bfa0d8045902b9a6c690c5e

SHA1
eac0bd3f2b88b15e41f7e930c2905a91d9b0429c

SHA256
30d05027aae06d41ca243e5ec7d072e30d95981fa4c5b00e53abcbe1de9e2bbb

SHA512
b85012de80342bba83b6d9a6cefd0a2a37a00aeb44e4ccdb5180d8fe523a24e5674fa54a55463ae642049942bb1b8019188f0e10ef121e0eefad68e7c1df1d91

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
b05a8d67a3c6ab10f1adf540f30f6eb2

SHA1
9bec8ddb62e2c8497dadaa675e5b43700de9ed67

SHA256
a0b53644348dbcd959d478879e618819899e0ceb45a7508b13773d890394b975

SHA512
be7df50c599a479c70717946513caad508038d752728531e6340b17e86dbd290535f22966c188a0b87d0b8df1c8bbf0b8f549db6e1d5af72c1cfa9ccc7a7cea3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3721f9193061b10fb46ea14f2d7081fc

SHA1
e972d6fa5a97dfa7612b0150484553a4d3a1ef2e

SHA256
da191fdcb2b7e5b21a30ce55e9e68c068c310dfbc9d23e763868e26fb3fdfa5c

SHA512
0672da2b48f85a143bf5e2f4fdff4aa5e3164e426db9d1a078c4289783502614c1b1f78e5e0e6301c78ad806e9bf43e19842b84955eae3aacacc1e9b9115309c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
52e22f5117faa5579d34156889729ccf

SHA1
78ef04553c90ebea73d15c1cf2df77b9cd79f8e4

SHA256
ca96dd10e054cd73bec6f4b7a51376f938decac9920e953f45a665eb1e72f1ab

SHA512
631ea275ba7d4ac3709a40182b10eee638d9368c16d1557acea46e844b0f1bbe3096032fd215fb15d31c2fc8643d95a3febb6abdb7566e2408f89e390e41f18e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
619e56cc2057b5774126acb4e3c4c36f

SHA1
39faa6810440836e651f6ed1636aac47577e3eba

SHA256
1905ee922dad1ba31ea9e65c90ec4e5913add091e4f6f299d05d5c76d33ccc1e

SHA512
937863a82f322d937fbebf2d3ba820eae4077afc0e1339f49e682bff12739408c270c04279499f4596250ebda06a260f190c1efb30d72e3199164a36164099d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
69d2e6ff08e42646167f17d70354a074

SHA1
55790dd19cac937b327ddef72f780b8b2731cb01

SHA256
12a6ebd1ce3743f551e57d26b67f52a49350a2e9c4dafdabcc6dba7d62925f0d

SHA512
90e84d0a4f433f2cd4b2468db9f0e2748d1535d1a0223bfee456244e28992de3370d2bfedda35fb02360f3f4b965c1609599f0d649f24305115ba6a8e6d0ef77

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
19379d420ef4abf67e2d62d3e4761d91

SHA1
69ac42b85844343a507567e5234eb82e8b14a017

SHA256
c357f16d5a277ed9f1259144ce5bf2f8a33fa836c226d11debda478d5f198bc0

SHA512
877fefb613b8a5df3e27a6d9a77016ffe3ad9e72aba0215da7610d57e3e6eac4a2d4c43e39580a01015aa783522cee1ac464a23b80c41a378259c881d16e8913

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
21dc9e7aa0f8a72636689547d1eee652

SHA1
2cd83e58d4d3760198725e12a69ac3e6df86e184

SHA256
f452ede8d99b606a61beca56a660ed0b61f28734642c98a9d7012b9c1045063c

SHA512
c8d96696dbd2758013613b80cacfdef9673b6a010d7f80616f6e0edec90eb34777004622a1ef4efb1f7f69ba1c6e7cb0fc0f263ca41e4c6bc5b26cdf98a3e1a3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
2c1346820845f09bf46b818a0456015e

SHA1
5013e7b57af17eea13686e7906f3d18ff66266c3

SHA256
3c309cfc25278019582b45578fe2e17aff009af624249cf63fa26bdbde9e0d41

SHA512
0fd64a43d1e1df6dba807262dc1f29e2ff2c2c8f7b9c5bcc9073cf21a1a8ee6458e7f76fa4ee5377221da98ded8d00980e77b7b7d27920893d30d6a8031a33c7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
497c27ae1d6ca36e3de58328daeef959

SHA1
35ed034e620fa7c801905f9e4456f441182f8ae5

SHA256
f97409bd6e517c1493339c07f46a63d9d9ae11b2e7f9255a66121ae5dc5d4f25

SHA512
6a4e0c691422ef6be6ce4efd79224b6ad36b49a9754de059dfe107294c1254e939a3aa23be2a2b3350e200cc7c3b16c32c3ceabd4bcb247bd39759352f1751bc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
950e9d9efc0a05272871131538e36bc1

SHA1
132017643d9b550e0884fd82550ab17a2813e5df

SHA256
93349d2a3e2737991948f42fa03de4767ab2db392af0d841d432d519b341c7f8

SHA512
4d37046518ab2c6a81a76314ffddf402c702ba8af779175815fd8aaddd81577a7501816655fe67bc6ca218f686b9aad7402785df2729ebb1b1501a581696744f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
911386638417b4b658596eb4a860add9

SHA1
5e4cc314188b713e281eadd402fb7b79472e746a

SHA256
a8d3fe9b281644eae8a4b1652559b8a713033c45894495ded4f0427afbc5d846

SHA512
fc4afdb70652ecadb5995bcb6a23b2067a99ed51120c5b4f6e0636c4b503d687c17d2f4c9d4f5cf0df17746a03b9ceec64ab6f43fb432e43f74cdfe09c94ea94

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
1c0df4763cce8ec2d668ac6d8c172bd5

SHA1
883a3527c0fb4d4758a0cefed842a8b27779512c

SHA256
0c309c5ecb6735012566e2232ea9fc591390c37d3d2533fa844b1ef92505bf9f

SHA512
93b6628578c5d69c3fc7bada6159793fe97b35d894bc6d9421fca2b7ff2340ae23b61b1fac631eb3baf79920546d87d17508516342dd2f7c4c34341cd98c9a27

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
306cb72e99f7bf25bddacb84dc45d74a

SHA1
9e0403548b840914ca87aedb538d604087e2c578

SHA256
b3d0a83b6eee0671e7ce2842fcb0acbb99982afd9c248ae4f49237ff940713b8

SHA512
efd3a69b3941c823c1ed03c5686ca08008fb9f47eb21b0732c41f6f5f41e266d52d195b8bd4d4746fdeaaf54fcb3519889a3427cf8a3d29998fac2b969f89a65

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
fabcc500a9cd02d45ff2f502119ed260

SHA1
42a35098f79d1c102b65c345345dd491c71ac23a

SHA256
01ab510e05d76cd3b2212a03b07ef31f71592e6fd240f64134f7cb154a5eb6af

SHA512
d3d21b3e7fbeda1689a2d539ee8bd4323be6cfbd34747c6c447e076b45fc6eb31cbc93e32cce90117b27a94b6b1dc8b02d4cce6a79041a82150b78a14a578f02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
0d7587ab9978a7d83bf71f0a6d012cfc

SHA1
17473a3fcc97ef6612e7eedd42c6cc0e0936da96

SHA256
81e693d1a7360c1a61aa93c3d483d3c8b615bccefea8cb3d6fa969f847a85a6e

SHA512
70d47c96bdf4d4618dda796dcc624d5c0a9463becf634def0f2b0b37c1eb6ff86163391d879617b86c064e5cbcf0e5d5bc503a6985f9d65e3b555c56eae37fab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
506ccf6d9f1968f88c4fe8179697a470

SHA1
80295a26d0bda2688ed62cd4cf7b21d95e5c0d32

SHA256
28f1a6be0777a8b09faeb46565b1d7e30a85bc735428b412b820cca8e2ed4ecc

SHA512
493a8c204c8aa485e94959e9391276e64bd1860e3cd152c160ad676e09b09fb460bb2e7fd4e25791ab4e170c9a2b39dbb67860687cc41d1c599f5c70846ee540

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
8fac11d44f5c793dbb9b103b7bf177c3

SHA1
c3dbef2cb8a5273668df100205b83e9e4af6fe57

SHA256
3d2999d0b221053d21f54d456e8bedd6b1f76bd91d29276d0261ccd2bccca609

SHA512
04ddeac3686e6a8f92042aa2bdcc9710df7cd5cf7c62aee4be9432657ddcd9e6ada6b5dff5cc5b51f271c33e5e698e1d98ae4fbe02fd55f83193df3afd356896

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
3398545d77f10f7a9c0fe8378bf9dffb

SHA1
722b71fb81419bd2cd044351408f862526a11c89

SHA256
862d695ddb7a76667aa52ef65b81caa2ae579c778566f2e7eab9c92a389054e7

SHA512
2b236b240860d4009cb488988c3e79ea9b19a1d6a440973685cc3567e1d4858d42cfaaa454e7b93abb279ec0699e69e770dfef585482eb7cd8eecb1d9897c466

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
6f2ef0bcfef2737ace769ebb431d486b

SHA1
b77d55d550232d26c9aa3c85076f0a697c79e91d

SHA256
09d9e903103d0754bef196fb7a1c553e4e4c4eb0dbd39053e4304ff4e16d9521

SHA512
eb142f0c0c85f2bbc9b1bf102605eb0729fc780ae66126757ce2b0120070ee9ff58493a52018fe8a40a764023af9476f0cf92c693a17adcc6ead904a9bdb1a82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
f03b3020115abcd9ce418730f3aeeb83

SHA1
3689b79cf20f3f4cef801567d1f879b562d692db

SHA256
ea05a5b4469981399717b523c54aa75e8b64412bf94a992a21bce6e4a1517865

SHA512
8c334dc2ec961250d2d8f81b3d30d6f1ff0cad8aa20c70f3a74422ea839b597d4111cc386d5dc22a7afcfb9f055b7ca381e1a7858792c69389534ab190b902ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
88b6e056eb1271b61f88d756edbe228f

SHA1
0e4b32d5f3f71c7a62640c6e951a6dbaff20d096

SHA256
338c64d04a901d3528fa03609769afb42dbee14d61af4b637dbc9850f1840fc6

SHA512
d3bcf9848cb025770caa8a4357ea321d74ebc7df7905a008a289cc7d2f76906ceedc4d8d30ed3e7cb4852b381b1a94fed5a792ef840f23a4d8282983d7610700

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
a4826546950da123a354066cc4bb917f

SHA1
3c73aff30b3ac4381b2517e54abd3c98c255a68a

SHA256
54f6250ce28f375eb1c0b7759e36d9b5158b45919599081536b6d568975cfbb3

SHA512
1361239c4bff95f0f6e4370fc0ff3c6dea20c8116fc66f6e3c3087e96e9a16d2cec4396a1765722275ade45a441b9a7e76856417dc10172064750b06d1bd5b4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
baa599b8ed24d3683cd986ec73482583

SHA1
bf573d5120d6993d99b4e3a4537ce72bc107defa

SHA256
a0c14ec04b96d9cd32eab82cef633b0699c711d5e2156598098fbdd32dbc1143

SHA512
91a42b176e626f5c10ee236c3fb847d49998205c148909651257c8b7872a0eb5601606714b06f0ffce43c961f7c8df48eb9e0134b114c169a4944b6b9613c34e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
88df2cae1c316440cb28b00f6e61cb17

SHA1
3e2f87ea2df95ac28e103ad2509e8442c648475d

SHA256
cf3e6ab7ed819f7ae917b834ed710ef6e0b7fa60306a399a1aee5ad92f0fd639

SHA512
ffc020a8a22206283d1d7d335e8816d23636dcad99c9b703a3c7b3beffc58f65462fc5f50b9cd913a68c58ae47bba449d478282b75b8628f8d9056ce4539e669

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
cad5946f917bfee5eadf59e2cd6bfbca

SHA1
0fe9ccf1e0cb9ca0c3f9c6eed40b668ce937eef0

SHA256
30d3852b946994065c357560c9001c9b3e49b8c4635a5771f58a806c29b272b5

SHA512
ff166ca6dab7954320e20a13f6ef8c20fdcdc654bbdb8278eae3d12ad9e95101f61b02893473e20b6c61073c5c11333fde79923f7b0a98ff45fc6700b4662a19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
c47a5e1717d94a4b9ca3303a3cdf1ac5

SHA1
e6ee026600b5fcd28becb21f379427f9be16efc3

SHA256
6977fd1ccb75f5b4a5d0fabba49ac852a67b7f47e94a0242fdf86cf9aa0e9eb4

SHA512
508eaa957af46393f0cbd1ed91f54b850df31f792a055cb04d299b5085eff5b533b674e885e69cb663f4432413b00d2f83daa620354af3589c3f841706825df0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
a43668e78a68ab20b80a9ef8626af21e

SHA1
3186ac31255a824a13db2ff3e9f864b12b7faa95

SHA256
b069dfd36a97d0d67b6e4c6e6fd3d55f02ebcf3b5760dce4cc82365b5c26c842

SHA512
8f07c0a881a8bb48cdca7acf01bc5de63601c68b5c001874c44fdeb83631e7e6bd226ee5d545af88ae124b6f8724210b34aed64d03f82ecf055f6fc168d56d1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
3906ff0f3594841488c8c3a2e7f78bfe

SHA1
e9250d025ca256192499b025f57a8a95753c1acb

SHA256
2b20a852fb8ef3b8fbeb9ebc53fe24a841d179dca8e0783b8cc2fbf008a93c65

SHA512
0bbf4018020e4e43b11dea166ab31db6d2e9dbe7280e12bf270646a9ca9ddad47f34f0e92a4fc53e3bdee305adc1e0d695d1db71ba392c4341793dd6b350690d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.3MB

MD5
1ac452a1bdc8fc616b3a809f5c4cc34c

SHA1
5dd541f7001427bb47f084f1edb0112873eeffea

SHA256
601df395e46ec42d128f318df01c4ba39bac3886b7056cfd6f4d2556344f12f4

SHA512
9abcbdfa6c62039644b8039165ad07262bc08fc13aae9c7910637bb8557e2c17bf5153923d90b17fc00b9e534b2cea674d8e28b3212b50f354bfa01061384abf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.5MB

MD5
38e6944a0609411df6a333491e8532a0

SHA1
c6747f4aca3b98a0c186a43fe5f5318d6e8854d2

SHA256
f31880aa6e5f157aeec43b082ebfa455608ca39221de6115211df091070c7525

SHA512
706d6cb443ed03031aee3c01e18d8b3fcb24d69eed149cce14b13c985229a926c38a16edddf0b8bbd54b16cd25982d9f22742a59270c5aaa69a587df182998cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.1MB

MD5
ad1fa96a73360841c20772c146567b78

SHA1
f486b19a9db66066c43e3290288ef580d4e87f03

SHA256
c0e65a64955c914ba52ed763d441054f0fb6882dbd602af75dc0ee94d12d674f

SHA512
8bb385135f09a428b8235c1fd305cba6504868be7f19ff41793d3bfa39913b7bf67d1e3d952c8e5f3e50c384be50cecbbe6660e63e5fb7cfec2a99c3c5d88cda

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8d68c82fabba1adebb48684f952714bd

SHA1
443fae8084249d69bc431e10e0db4a6de9079995

SHA256
ad94af61ce3d364ac395f858420f3e0aa37e8edd5a318eaa5eec8752bc6cadbb

SHA512
34afe8da180c3df81e797f4760b52e9289ecb93bc89830371768d9387ba464c63a47faa3b93827446d7e2e8b0a8934ddf077b1f71908195e05498ed818e4a5c4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
be4ea1468c04875d4eda0b9b5b662ce6

SHA1
59f9043f07cfa83ba34942ec98ca214b18cf0e6e

SHA256
2609f6cadf9f3a1cd76adab1078d1596806ef56b13b923fee35f9a075104fbe2

SHA512
1ca2153f2b60c718063ec595ea74aa04095c8d835d8941492b49ac0ec2f6d174cf344603692984bcefe701e2d4d56d426aa4eeeac3a725759587c339869ba693

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
70bdb96ccea4d315b7e2a74815c4148b

SHA1
97c23f9466de6d04235f04955462af79db9ed01b

SHA256
0efee6a37454da149355698946f9adddae61fcc617ef5892e58b870a86c58cb5

SHA512
487d6e2ece3643650e384c3f7d3a1e445c7376f6d8a786ee9492cae7dac7bdb3690aea5b76ca897c67d58c7e173c679d674423bc26b82afd91385fd9cb8fc14c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
17c33d96c457f633993dac62d5019107

SHA1
b6293f55f41844a98fbbcdd9e29b19b8424b8f7e

SHA256
dda713168f16b9ab3ab972066ae64b062cd07a987a80bb78b1b605faf75e9842

SHA512
20111267b6225f2d3c9a6108de6cbc140b56b4a6770fc9436256f09b247c6efb23ff0e314824d48abd8f10a6fd49716012cfbb7f128be87a00fcfe0fb0bbd178

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b66a84808e6b56ea88696111cbfcdf58

SHA1
4dfada21a2293c8f0e8074077b604361a5290ce7

SHA256
35836f2f74d2f3a926e9a61df9f220996d6c4648c7103a977d5a2227d01985c4

SHA512
a6019df06ed0d7e2525cb47cabbca2362197fb6fec2ddf894938f2d46d77ee666ddd5fe624e7d4e0f0317506e1ee576e807f49ea027270bbcd1e02c51705e460

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
0e732c59b79834c15e960aa6a21fc816

SHA1
c70bb3a58dd592ae588b348386033fd21ca29923

SHA256
d59cb61c41dd137ad2aabdacb8ffbf32d1d859a65d93b4c146a58cd6929a48d2

SHA512
1ca0ea3459a3c1281ab8ffe04b2ab38cd052aa0239090de31e827a7d342f3a7efb63b78d23fb386b31caba6625bac752195887045350430b2386696129c66e70

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8244acb30731921beb07b61e1576bde6

SHA1
b3543dcf30f9a76af5841c09b3163e3da09e3bcb

SHA256
3b954b468386221ce17401f1dcdc1dffac0277e85c2c641a0a619e58383e6aa9

SHA512
7f198658ceadbe0906f638f258ff619257fdba2d8ff1214cff12299a7e423119f412b32ec551ccda98d7ee3ad82853490030c06cdca2103e27021c5e476e891e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
6ba75f0f24ddb5872d645be881772cb9

SHA1
69bb587f14518d4d2e1178ae2320166de689f1fb

SHA256
d9b681e845feb0fc83d6c4247776ce22894418bd0d51c2a2d8c4023097e9a1c9

SHA512
9c7fe753f7d74298b4751176e6e60105691f638f99cba873411db5faaaa1ffeec6f6342a0769b733a898528ba82500c49cfc9e1a368c8f8dedce99c6343271b6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
88661b4cdbbaeec028d8b1b851fe6715

SHA1
08650a80742eab09e72a66dc59c2741461a9d331

SHA256
a8233f5962ca1020d9b6e77afd2c6163a16cfcbfbbf43299e20b44f8cb9f03d9

SHA512
4d049ada3edc8adbafeaff7f1b7911b7086b256e790b3fb2ec081bde18941d7b1e72f536e21c460f5e630a74a991680015b967cae06e984554ef951fc4997e15

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
912142937accd56ebd3ad0d946f910d1

SHA1
10c2ba28a0908ea668c33200f73a96e56834e9d6

SHA256
f58d23efe96735169732b14308457cbf34ef5facc9e05cfc4c5c26098487769f

SHA512
d98a99f9adef0813a185d11287c9f4ae8126f7cd2cccca9d89871a47e126e1ffe1a0b8c7f1a7a002309fce8e1722e7c54028ba54cbd4434b14424327a0023916

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0ce04661e9e3e943909cf57f1791c4e1

SHA1
12b0952f7a1aca32329fbe1f888f0029c8f0ea17

SHA256
2fd48cef34e50babc749730ce87e4ea68b9cf395284da1285c4221e20ccc9eed

SHA512
342f85f6f06a9545c568538e7ba255a08d3cdd3c14a929909f08b502e1142852e0e9cdc76f9d1a40c155f4ca617a1cde140140533f7452db589ee70a05eceffe

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4443cb49f8cb4ef7d21fafb5f98254dc

SHA1
85cb2e7bc9cbf91346aa5226bdc595f990356f8a

SHA256
8ceff4632fe45c30d5dd67afde6bab821cd18337dcfcbc6db07aa2fe0ecca8f0

SHA512
80b3b4bd0fcdf25311f0c2d2b7b56c57fd114301d29a6b933a175349bc086509237f965e23b4a7ceec5b79a72d890ebe898c2b61c51bdb632493e5c1ba42994a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0407cd211a03ca3fc39f9e1b3e4ff8fc

SHA1
7fe196246933d478936906c0abd19e6f8f152d70

SHA256
f72c8372e600e6909e00f53ec3eb4994ab1c6d16e1bc0755f6a145a091fa5219

SHA512
64084b0f30d7f7059aeb57a2be992462829491e55c200efc379c7657f4623a9a61a591eabd1b2cbdb326124b73d076b97e928c5c515d9fc98e417c7be23d6802

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
4568f79932771145bf9e9db6a2e44113

SHA1
6c4678dbb386d239a52d59049ffdbef83b1d4d2a

SHA256
4ae247fbd363c749eb1746c892387638420767c821ee2ea2b21279f57f05abd8

SHA512
c51db6589cb54d674d18097259d1a661a0d1db3354e2a6f1781df1b3e6aeafdae15ebe5a0652c52b1f030fe12324cae031c724a8bb5429f042549fa1929b17c5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0f3445eea5f321ca880bce861ff8b486

SHA1
bb22306692b3ddaaae14ea15a14829b08530a873

SHA256
de40d6efc6618067e0970b2ecfead4c17a90af7adac8843e4aad2976423c81f8

SHA512
cd03ea0d5cdbaeaaffbc726a052ebec1ed407a61e81ce1863ae7e6270d2a3ef8a3285f3400425b094d68b37798b521c838e79cd90dc780df0ebba2642b30e098

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
9bc98a8c6145fab47d0afce6882d2109

SHA1
2bc71b1eccab9308bc5b3b59a16b332ac39a46ec

SHA256
8058d181cbda32fdc121155609eda92ac6894602b81a5bc73bd2c1c246c4dc5b

SHA512
5fb3ac1581338b0ad26d38d2ceedb682715e7e325ebf352fb1f4d859872f4afad14ceb8d51745d9db4a25fb2a0cf19c77cc96ca5a5f8f42dad77d58fe17023ea

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
ae10330db429ee2c7dfbdc6e5100c34c

SHA1
3352a12fb8360faefd4d5466616df3faa9ebbd16

SHA256
69dda85c97ae84148c37fdbe8fcba6c1608cc38cb5ec399e084c68f34283454d

SHA512
4f4017bd326f8609ad6c18e0e9918308fa1833354c76c1ead4b8554769794ee586b8c346a3a650191748c85f61f1a885d14538792dc550a81bf0a65c0dac1247

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
2a8b160fcd2703f3c63826645dddff12

SHA1
1cc71e81ac9769144351245981dc428ffa0f272c

SHA256
96f11ccbf47ba07863b27af8e8c9de8d59c40a6488453f879c8ee454bec594b0

SHA512
126cded9cb19d4044ec947965c9c36dc81c43a977a3b363a6886c82bdf34f702441ae17d5d4dcfd004006057998ec0046001d1c9ee9f714aea01ffe090e20692

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9ce015f974ca1161efd31bebd00dd869

SHA1
1c08f607e92213c66f015746c0b7b26c5fc29389

SHA256
62861d67ee51731f7a56d5f2d149f6e427b513dace865f61ff07ce9d8aeb9229

SHA512
f1dc56fdf536ac3837477c9d96cff516cd4fe4ad143c6be024551b2cfbe300f70e304e3b0c58375dec5ff1c9b459631d3fd46750d30cd07615c0c371815213cb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
8ade1e0ca960ae859aba98a729133beb

SHA1
b6a96c14a3005df11bd1db90639fd6e57d1259a8

SHA256
2d433cb5a017006b10a34a90abdbdc0ee143f2818f6e054ecf01a7fa1d883988

SHA512
7f33bd656e72e758fe1575563d690314a0f07fa8a1dd438878f5844d10417e3692d8dbe0659e8e6afa116e05701535915af5c2611ed93f4bc777c8dca45b4398

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
95944760cda96d580f204e5336da8cd9

SHA1
ac08112aac386b8d78d0dc7ebdcc2786d5c3fbdc

SHA256
45d4eb9bfa8810ac420c5444df68cd3fc7c970f24d378838ef77e7257dbce135

SHA512
ac4face0791d36ef40a204d4f54532d1c5878a4aee172be8acd173938edd720ddddeb4f91213d1ace2b4cbeaea607ea76b2c991e95a508cbc4288818330f8a84

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
32165f5b49b05ccb57633472c2319380

SHA1
12b07c9458a593c936a2fab6e237e1bf9a57c3f3

SHA256
613f32d99c874ba26416d2bc75cdb446e24c3b82effba50bbfc7406f9b0b2788

SHA512
ce44cb0df9b1ae117278706f5c23d28076a3a911456961655a827c3dd3a7ab41ce498dc4411f685504abaae29d98ea64caa2f2f7b6272d3c9093357544b6fc7e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
8996fae08c44fdf2fa375bf16b5a328d

SHA1
dc0bb246bb8668242f8cafb4f73124dd4a68bf34

SHA256
2a6bde3ff64d31f30733dd6e6ebbdad28b45d7105662d51a9746a10280d247c3

SHA512
60c0fc33cb41117341829067aef6aba9e3939fb2633382bfec17ed91f31407b72f846ebba21c2bbd5b29b347cd943ac46d4eb4c6bd4f3981ee9662de801c1f1d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
795b2fabbc04b778b8cf1f0f8cbe82fc

SHA1
f8bf65b8c4acc6f93b17762ce338ac1fcecac8d9

SHA256
a74ea3933612bafe71effdd9e20eadf6201cd4e89918868657fcd751fc8cc109

SHA512
ae6e02a44f127aad915af2bd7160d33b986d57ea15251fbc88e1458b25101d8bf9ce5c1515e645e9c96cd1c0f7c06919d87c2a87b2bb2278615fee93c7eb0654

Download Submit
memory/100-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/100-672-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/844-182-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/844-68-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/844-75-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/844-69-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/932-63-0x0000000000DF0000-0x0000000000E50000-memory.dmp

Filesize
384KB

Download
memory/932-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/932-55-0x0000000000DF0000-0x0000000000E50000-memory.dmp

Filesize
384KB

Download
memory/932-61-0x0000000000DF0000-0x0000000000E50000-memory.dmp

Filesize
384KB

Download
memory/932-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1268-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1268-88-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1268-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1268-194-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1296-269-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/1296-148-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/1684-282-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1684-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1684-615-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1804-0-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/1804-105-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/1804-8-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1804-394-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/1804-1-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1844-195-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1844-482-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2292-580-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2292-234-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2320-49-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2320-50-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2320-45-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2320-39-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2320-144-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2408-233-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2408-122-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2432-245-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2432-133-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2568-207-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2568-560-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2760-171-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2760-356-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3008-90-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3008-91-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3008-97-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3008-100-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3008-102-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3180-246-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3180-649-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3348-227-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3348-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3712-121-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3712-28-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3712-20-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3712-25-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4032-145-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4032-257-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4224-667-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4224-258-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4364-218-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4364-106-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4364-114-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4408-671-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4408-270-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5076-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5076-413-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download