c1456c256429d9dbc183dbb018fa5d8981aaa7d689ada57138a5a82c421f00ef

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 08:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
Size

15.8MB
MD5

07c3aa2caec7832224142e24778e0dae
SHA1

d3a42ebbc777c76539c9d24a66942af5e56cc430
SHA256

c1456c256429d9dbc183dbb018fa5d8981aaa7d689ada57138a5a82c421f00ef
SHA512

d0c884894fe222fcdd1681f8cab084e66f1cf04d25a834dee21f7b50c37329c007e5913fb94d5f882dae32fe2b727cbb1aea46859a54f712507eb91a1d9c827e
SSDEEP

196608:lRPRRkAjgpoBMrvZvOHqCflRGRR7+wAupKReCdhjuASHSRD9mCrBrqNL2j16knzh:llRqp+rlREdIgASKD9VBrqNNkz38q

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
4116	alg.exe
3756	DiagnosticsHub.StandardCollector.Service.exe
2280	fxssvc.exe
1032	elevation_service.exe
3040	elevation_service.exe
4900	SearchFilterHost.exe
2388	msdtc.exe
2816	OSE.EXE
1984	PerceptionSimulationService.exe
3384	perfhost.exe
900	locator.exe
4580	SensorDataService.exe
2524	snmptrap.exe
4864	spectrum.exe
2908	ssh-agent.exe
3200	TieringEngineService.exe
2020	AgentService.exe
4072	vds.exe
4308	vssvc.exe
4272	wbengine.exe
2316	WmiApSrv.exe
880	SearchIndexer.exe
1384	SodaPDFDesktop14_14.0.241.2517.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2b01dd98999e850a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efa86ac26865da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d9395c26865da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000386c8ec26865da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec19ddc26865da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001509abc26865da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055fdfcc16865da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060a789c26865da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001945a6c26865da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b838f8c16865da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000594587c26865da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e43617c26865da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079e384c26865da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}	SodaPDFDesktop14_14.0.241.2517.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14_14.0.241.2517.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3369AF1C-BCC1-4977-89E8-F8B79497C982}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	SodaPDFDesktop14_14.0.241.2517.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1384	SodaPDFDesktop14_14.0.241.2517.exe
1384	SodaPDFDesktop14_14.0.241.2517.exe
1384	SodaPDFDesktop14_14.0.241.2517.exe
1384	SodaPDFDesktop14_14.0.241.2517.exe
3756	DiagnosticsHub.StandardCollector.Service.exe
3756	DiagnosticsHub.StandardCollector.Service.exe
3756	DiagnosticsHub.StandardCollector.Service.exe
3756	DiagnosticsHub.StandardCollector.Service.exe
3756	DiagnosticsHub.StandardCollector.Service.exe
3756	DiagnosticsHub.StandardCollector.Service.exe
3756	DiagnosticsHub.StandardCollector.Service.exe
1032	elevation_service.exe
1032	elevation_service.exe
1032	elevation_service.exe
1032	elevation_service.exe
1032	elevation_service.exe
1032	elevation_service.exe
1032	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	628	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
Token: SeAuditPrivilege	2280	fxssvc.exe
Token: SeRestorePrivilege	3200	TieringEngineService.exe
Token: SeManageVolumePrivilege	3200	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2020	AgentService.exe
Token: SeBackupPrivilege	4308	vssvc.exe
Token: SeRestorePrivilege	4308	vssvc.exe
Token: SeAuditPrivilege	4308	vssvc.exe
Token: SeBackupPrivilege	4272	wbengine.exe
Token: SeRestorePrivilege	4272	wbengine.exe
Token: SeSecurityPrivilege	4272	wbengine.exe
Token: 33	880	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeDebugPrivilege	3756	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1032	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1384	SodaPDFDesktop14_14.0.241.2517.exe
1384	SodaPDFDesktop14_14.0.241.2517.exe
1384	SodaPDFDesktop14_14.0.241.2517.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 1384	628	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe	114
PID 628 wrote to memory of 1384	628	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe	114
PID 628 wrote to memory of 1384	628	2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe	114
PID 880 wrote to memory of 2840	880	SearchIndexer.exe	119
PID 880 wrote to memory of 2840	880	SearchIndexer.exe	119
PID 880 wrote to memory of 4900	880	SearchIndexer.exe	118
PID 880 wrote to memory of 4900	880	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_07c3aa2caec7832224142e24778e0dae_magniber_revil.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\77838353-3042-4377-80e9-f16726563d27\SodaPDFDesktop14_14.0.241.2517.exe
  C:\Users\Admin\AppData\Local\Temp\77838353-3042-4377-80e9-f16726563d27\SodaPDFDesktop14_14.0.241.2517.exe /update=start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1384

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4108

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3040

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:4900

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2388

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4864

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4580

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4200

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2908

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:4900
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
824KB

MD5
3aaa6618a7b51f8935c8a0fec0bd2fa4

SHA1
0d9d357574a91618e1a8bc0fbc90e7bec60e81ed

SHA256
e91af489f4779b6c9a3d1b71b9d0d3b3bcf74582b8d5e97379d146f54b1cb107

SHA512
876899fedc44be3c5d363cfda637e683edd245fc12e82796a566f40492fb75bdbc5206e130540a1cf0f60f3c7e87814de7d426ea4bbe1f2cc74fa4b05b60168d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
354KB

MD5
f078849de36dace69a93f6501103f783

SHA1
384009ab36b0c2e5642c42a1d5d03d9397c035a8

SHA256
1a75c92c24a0b53f35fed653a28c57965aa8e18c34bb120077fdad94adde4943

SHA512
3fbad78db7dc8a70ed8a571404d56a52c46db2c1e5e29c114db00e22bc213fa66f20e5179b4b01b0a97ac79e10b9e3fb747459f1b24613812f3c132863f1f9e2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
460KB

MD5
b12aa208ae8267f7e166779acc0eb5ca

SHA1
8f3345873fa555c4b21dd5ff799dc0a4a8a77c22

SHA256
9e57eccc85a4ae786f1e1de6c79064dd9f820a5654e5c70335008a64106dbfb7

SHA512
d2577381989c402b40e061cfb0da1810a5dcfdf6c96f3b18a652a56125151abc5655ff60f90e5f21ac214686842617f51beceaa36d9a55acf7daa5fe380d0fbf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
294KB

MD5
84e9a3c7437827d3339f0a6745ff1797

SHA1
8d2f39edb0d3f7beff667fee78d30afa25378d17

SHA256
279d0bd359971159d82d2b69412826220737db5573ac2f3feff25a1a0bcb69eb

SHA512
d37fcf21d23e232a2b25c717e31be26b068543b2e6d21f419660dd951f3c66263fe3454ab6a49903c1690f12438a44dbefb48951d783bf69cc08c174aa711b9a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
347KB

MD5
05ddb01f7f402682f0fef017675fc1bd

SHA1
e25d08e22b62c6e4785798aae3e29b1989b29bec

SHA256
dd16ed0896c33bd5794d690e4b39dc3eedae5678aee690a5c99e09b7bcc16100

SHA512
d1bbf64454ee022135fd7d18d53d4c8ca2a6051dc43b81a6eab902c0982017eb057e069fef37fa4fc939df8b170c8bb5f29ff0b009ef0878c3f7f64281e3e014

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
221KB

MD5
def891eb5d1a1034aa7d34ef350ecfb5

SHA1
1b5c0b8d396074c205e6af2989c05cce3487b13f

SHA256
abdebbd32b42f42a3146e1c33e0115376a3b91dc3e42d0721ae421f5ed500f7f

SHA512
5c2f349429c4dcf3c855902e780a970525543d18f3e134cb6e564316b23ef34e4205af76075ee9958eec29551872d2e45543edba859f23a12c08fe888b4a9873

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
212KB

MD5
1064f82578d3682fba8ddcfe913b82ef

SHA1
c8cf1aeb1db1dcc31263881324d6b55ff6990be4

SHA256
f147c21f8ba5ec98d8b67c3da5ca6814b90d5b08bfe0410e56599bcbb04cd683

SHA512
260b035be52bd3a6a1c74990e176c0dd4b5e6c5ecca2d198b6df9308c370e635499628a2d9440b1fbbb48a8d13968af12dbd4e838b50318f1369a08a6edc38f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
b00e31d62cdb608e0604023a391fa767

SHA1
cba48e667dc17b03ccd526955680093513d53119

SHA256
a6b25a9b519b0f7c73e48d5dcc30a9e222a9acbf2c0d035fd0c9a288e13f3d95

SHA512
ae78a804b1d57a8d901191f6bcf7bf29ad0e4faa9dbe8c44ebf3c54283e484e150ba331e786da1b2d6112aa9a2a46cbff3a7e3fd72e00a5284d689ba018c8164

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
67e40c7f15d897774ab9e3672752b7b1

SHA1
251a3184e7e3d9bd07bd715d7ffc57ea7cf93fef

SHA256
b7a861396045a50c644e9fb330311273ca92ec887159f6215e2cb75bc14bee43

SHA512
47060fec5640362da2074d2efd85d8d82257a637acdb28f5660605b472292bba3ef87afc323a356ca7a96a5e12e698e3dddc7cf9e88dd707e65018a80652b1df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
5f98088856e69084c3df0114d28828d3

SHA1
40826378ffb8898a814b8e15f000f1dbfde5045d

SHA256
97678d088a12eda68aba49a120defd4f5042950f0a2621ba05c6fab2f0105924

SHA512
d3ab9d01d912842087e7f68982a8d711b9d3d3e77674327dbb4bc6a4c62873990be3442e592624d4c0319b89e229e0aefc7b6cdc54f87af4cdfca63be8498677

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
1.2MB

MD5
04a081c6cb18c87159cd538ce28575f6

SHA1
25e02fba492ccb9ea607cc1b7ed58a966c9d768b

SHA256
c8ef67ac6c1acbf93446f2f3bd9da4e230013eb5f25928b725c507c5b948061d

SHA512
6ab8139e4ffe4871204e02ee1ecabf116a875b24813e2accd49044e78ba6b6428417bf4ea192b24db0748cf5ea623a599b89e56c57fb568801b3eda38069adde

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
312KB

MD5
098430cce9762977c129c15d528f8819

SHA1
cf6b1c6f7b19ee9b6e6738212da9cf3e5e057e0e

SHA256
b56a7a601c8453d31d1e8894c9797591122f6c14e4ed5c4a864858719c340bdf

SHA512
6a5a4a484891ddca2a337059d957ca4d08246d3c1a8c3f6731fd893f2e8f0a6640e18c4f52c985515c8d85da521255a3969ab4d19b4d094bf16a5dd4511c6b83

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
28aec0269fc730c1a4a3c7d1bf29d097

SHA1
65737366b2aedbad881c575f678d951fe6519eb6

SHA256
8be93557ac88cd44f9b1319e40d1340dfe1baa503a8da9140577225162767863

SHA512
dcd29d50830ff4b9dd62199cb57e18ca989ba6d320c65ed3996fd5cf7cf50bb104ae73100a0887a7161596ac6074919132340738ce113e7e24110dde682c1ec0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
381KB

MD5
79c6d700362ca56e7befdc0aa53cb748

SHA1
e25ce47d0a6fc0cdd4c6a727a23a20f4151a7cc5

SHA256
228e553100b6d1432438d6af7b5f36150c476a0d286018a10777cc2c8ff7037c

SHA512
0f537010d4f4bceea2dd318f239169298da83ca83ab843c880ae3fe6649b0fe96f1536405cf711f213e967b90fa7d539bd6464797602be3a8be7b128d3d8fd59

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
7279bac5183171ca8ae61b8ad41fa430

SHA1
dbacdb92afe119e2520e72a526a2de00ec508a13

SHA256
e2bf522ff3e471ec26f9f6f16c6d92f5622846dbdf105446b29ef447f16c3c96

SHA512
b7114788fc3cf104d90acb8c623a7228384cc7a7120ed7ea63b12e5e02faa7ff7d2201803d7784004de1c2bcc35e613587d0769157d1535e6a7aaaa8e036188d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
3.3MB

MD5
9bba1af7531e1d43371ac286e696ff04

SHA1
8b3c2cb4add830e435d2ecea7006b2800f3fcd32

SHA256
092e23ef8374b3c7048ec78484323cf107002b2aabbc35d20762dee4e107f71b

SHA512
5bf0ce2bc92075d1f8eee03ab0bbf79223e86df2946b94ff5ada134435a44f30b8f5c3675ce75bade7141b5703040e578511edff3ec00849935553c0e2a13cff

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
2.5MB

MD5
4b4cacff38d3ae4b80fdca4aa8ca2c0f

SHA1
eaf25c37d35a48fa23c15241dff2fd91d6dc15e7

SHA256
468c353f8b42ecb1ddb3293e636f8d97d99015c95bbd12d4604ac62d98a1a13f

SHA512
4d13e591bb1d5039fc6abfaedd8943a670fed1d63640d17ed303c76aa615adae1f4c79f82ef47a5a25703d7b088af9e8e0b06bad3c8d9b7f673f0e2146e6be4f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
3823d0a21de1b54e310e2fec7b483db1

SHA1
67dd32b52ef1f1679540c82cbb6a306407fe684b

SHA256
334ea659f09935d819c8e6d4083087e06b7228fd734c6c1c167c568e83530265

SHA512
a7b47a7f3514362a0a6d373aeb0913502e526a55aba09c95bab5eb7bc6610ca7f5d8d08a58c8771c0cfd7a0b88566d67e0ee26155c1f3d403e0781d9b95fd683

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.0MB

MD5
a48406e7dbf6921533302c56862d14ef

SHA1
4080fa9d66a8b50116aa7b6e96f0f3ce181a474f

SHA256
d50a3aae96f4864d7ed35214e8b5a4fe5fde418ebf0d2d730c7142b5a48f4a63

SHA512
c5ad74a555aaf468e6a1dc805280ae1ed1667bfc2ccd493a59233f791e5f64a4cf42e18258256fdea49ffa027c26a5e789fa3a094c9069ce729888885eb5eee3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
21a781113caba3e591ddbc0d840d7b61

SHA1
de509f1a7f10700fbda7f3f6fcc4245f0c42e1be

SHA256
5d104afd934fe0eadc445844c68aa5d29e019b6aa4dffac583fa9700eb1ea968

SHA512
af29e926f1cf6ba22fbeca88107f20d5b8fda296f3da08c802a653ae233f0713a072a316b2705f098982cc46182b8f01d2d73a254171f13c97c9e3e53aa6c216

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
02ab682089014044a02bdc582a54fd8c

SHA1
adbcf8783ec9783fcbbde5e20c539dcb945184a4

SHA256
5a9d662d2b7b2d74ac5d55da1ea9a3ac1ba50e9b9d76fafa2398e73e20afad1b

SHA512
c6e0e088458b5c2c5e786b5673b6ff56ff2e34850828476e98300e657b2788980e208e781318e5bf89ae601b454b7d2ccbe377ad4c2d2ba81004d3d5731cc5df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
c2c0fab014a56ac5cdff36dd8f52dce6

SHA1
55149f7d56fb2d29dd28e926ab32d8c22b54231d

SHA256
c7c40e05fd48ede4be62270902199c2b32bdfb725767837bb0b052605efa9ae9

SHA512
45b73b0eae7ee51ae3288118107242dc5d91ea4b9d1c5623ce000ce54b3e725c444e8a330f9a0f53d353e45fcb6193a84bfa8c0276a31eace4aa0f9d84a4aeb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
abd42dc0cb6965c35793a40c842862ce

SHA1
ea419b16b9be3023fb0305704e058e1cbb665b0a

SHA256
166b45e620d70009f428b5db3f3ef887ab32e9d7c76f31484071bb9151a6fd51

SHA512
ba63305a198ff1ae2a391202ded0ab43e40542cb615b075cdbbe27ba012a1eacefd7e8e15e171113bfffc12810842ec4e2ef87f7f224d57f7a0af72ce958c318

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
8422ad5f94bc4ff5580db5bba411d648

SHA1
64025bf951622188efc9f8ef8dbfc8285467d1c7

SHA256
f264d3ae78a33cba9df8bf3b0017c97192413dcdeb4b09061222536e6974c3d7

SHA512
a4b30690996c6a49c67673edfa31a94fe91c8bb0050925beb264bfe78ce63d62867c08427e5fbf58043462161e97bdf64308c10076c30cb395b7953f6f67de98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
52252a738d7fb7c222d4acfb34b24ab1

SHA1
0ebf542fa81e56e6883fc6db4211fe23f3820aac

SHA256
01a14e98e704cf7909238f8139674157721e8b1007fd56f3b011d33a4b98be04

SHA512
8e21f1231c4de4bc22d62d36b592d96c81446fb874f00561422b5d5dbf6e8991fd2cfd2e25577f85c120be83a301c0d9c622fb8e64c3e50b93f29a036c4287a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
9009e10b49b3099b957331fb07c72a6b

SHA1
f09dcb34e83751195a4fde721cc0ee659ed9daba

SHA256
15e36d92bff1e293055a9d5049af5a45e90efa7cc58766fc411103132b807ecc

SHA512
1d818d10bae21e1b75c32cbca0fe13ebb2d5cd4637a69e5e858f6c78bbea16229d500ec10dce1d0a5daf9ffd76ecc5db79fa383c0c77a5829811237aa4fc1059

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
80d2d5a65731cec7d097b5c6e7899551

SHA1
2f9f5775aa3bd98ab8c3e4eecc56bc83e75d0565

SHA256
6bd705b31873c5d294e901e1d60fafe0615b1f7d314c72b790e11878c44caf12

SHA512
b07ea56eefa15821a78237bc6ae04acc37452312f4336755cfd044bea1b53e53e7b80938212bcfbcf326eedef57f67c9d5baecae88b43d9bb51dd56446fb96ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
1341192b38c4dfa424ca4648614dc49b

SHA1
19b14f5d54086a189482853c951cda2658fe8f61

SHA256
50d192fbcff5afd6417c301038f7d0e3d94098bd17c2d949367ad554c3b67949

SHA512
daf00adedac2c9415a04d8c2ac0671c5f8b340baffdee97991be8ebfe3eb7ccc6711f55d68db1f7692a0414ef02bed51235414c4115fc13edf9eb2af260d5c5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
e346ae6ad0c3e6847d98df3c66bbac87

SHA1
fbc68756ee052b5299a05b05bd915a4288f89269

SHA256
485e58576e94ed346de3d9ceb2d8357c02d73b9213d4e02981c61e2975821ce6

SHA512
5e20bdc3bedf21d7aee50c1c23e391c9ade4c91b9e89227a5645f430590ed7292d9cc13fff7e8ef9f2e7f7cd5565fe8fd3ec794ad18eeee29fefcb6bfd706219

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
697a3017936286f2fe470b2c1b3bcf7d

SHA1
d4aaa27ebac84a7a52c7a9686afca549690cf6bd

SHA256
0eea552f33d55892b34e991583df528a0f498f9dc606fea2218f23f2b8eda31e

SHA512
3a96c6010617ff5604285d8a83df4baf248b97740cc970abab38010b7f35deb11054f28cc9e8323c1ae03c5103031d1db0204b31f3af05a8f10b23c2910ebe94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
6e27bc2b739d0301c5b5fa934e543a0e

SHA1
87ea93503180905f5f9b0c3ae980dfe9270934ba

SHA256
bfbdec1acdb35f1d032cfca3b67d9520041cdecb48a5f1ffed92d704363a7dfe

SHA512
7a263ac6e784d50a89ccbc9ee46452ec48cd8758d259a040f09de0f78eea2e44ad71402e8ec34edbf97507f5ad378ec3d1e88ccb1f6210e7d7edef26613cb960

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
283KB

MD5
9e05b8ab3596f6630747bfddd4c8d58f

SHA1
1da5f98268e52da8c738903d10d9c29ed3c2d364

SHA256
d0e04bae533ca704f2a0edb7f6ee59981c6c391aa37daeebc89cb1765db4807a

SHA512
1836665c3a37b80a1d1d1e1dfa68ec21f0d0a8827f87372cdc4d7747a25557711f9bb0db6362209deecd110e9ac1655624d105b63043f3b3228fb723c8da9932

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.1MB

MD5
6d0e0255993650d5a7cbc830eaed2a23

SHA1
04cf7d32332b0db137e9376f3765e0ab2e72f2c4

SHA256
4ee9cdda781f9e624e0399f18d9aebf5717af43115ad39960f99228f7618f8f2

SHA512
0ed0efb1d9899c9d6dc5419dfdc3caee02371bef1ccef9a722cf1fe2fee2d3282092144759379ef74b560596069a39c9211ff7283e8ddc64220e21f35f7ba58a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
c72660f6e7ce9103ea02f54c13dc2d19

SHA1
edb93076d708370a68dde1d2eeaddb22a8cd0cc6

SHA256
224a9d5d37d0b54963ce24e47609facff96e9f79ac644941371292970f0cf035

SHA512
028ad4af1ce6ad9c468b3ea1d9c5148c0c904fc11e4c3d878ddb43ba805988b4ef2827c0999da7a06ce08bb244e55366be68e7a2253a83ae3a4caae8f8a4b40d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
f64d52f132beed480665166b195a8e5f

SHA1
07487f6765f9c3d4220a0ebfb8d0a2384c7dd78b

SHA256
4999f248b55f5cc82f126142eca13b5a3a5d38feaa1c69948dfdecb642f7839b

SHA512
3aaf9e9ecd2f2019f7a511aa102786453f1b4f29d42e63cb7bd5b08a14a1c1faeb3ba6e13093c1c36c45e4bd501964297f3cfb43ff4dfa7a4768bba0d2971b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\77838353-3042-4377-80e9-f16726563d27\SodaPDFDesktop14_14.0.241.2517.exe

Filesize
322KB

MD5
705041d3ef08c166e03816e6c3e58d94

SHA1
712b71a0ca11dabd72150e57f46d23d5ebdfdd50

SHA256
0a0bd177604da167452e7dd68736d0414ecf48956b6196a6e792527e15b0d07e

SHA512
b9265a155b03e65661fcb1be842994397710abcd8f6f9ec84b8c9c889c13c92a6d39cd31b51ad84b336b7f5dd6702fbc8d9bd36654ae6f0a9b814e616e87348f

Download Submit
C:\Users\Admin\AppData\Local\Temp\77838353-3042-4377-80e9-f16726563d27\SodaPDFDesktop14_14.0.241.2517.exe

Filesize
661KB

MD5
12b451b9e44807e1b9a1ee1444593e31

SHA1
4eec1082b2a1f18ea6126ba67d1c960185857448

SHA256
f0c70dfa8f83225b5a98811f1fae9550b9b2282978f6c9244f9137e172a4254b

SHA512
a1beac6597c1e6d06f1ad6a9d087eee456a2486824a8d1e89463265ba99da95b69532cccd64e80c72c94874cf1416e23df15336cbe666b780dd19e55ea182090

Download Submit
C:\Users\Admin\AppData\Roaming\2b01dd98999e850a.bin

Filesize
12KB

MD5
74cf90154cd9b3459ebed5204cbadc57

SHA1
563fabbe897d06d57b99381b486abe39d85974c1

SHA256
9c982e254ec94639ed8a01d9aa6f4174257e734cb15c6ccadbbce17e1905a43b

SHA512
ecdab74a5e35f1137c5e0a0ad3d2348a0b5ec6f4dbb9fa6f1eef7b9ee43db605b2e7082e15448f52124c3991425fee98265ed33e2f78e91e595171f5fd2a0c34

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
710KB

MD5
872343cb449ac3e31d621d9f08b884a5

SHA1
81948c1a431bac8d6d6b18b985ab38bffd06d711

SHA256
e1b007606d1a8d34758d7fc7625e44f8fb091d75e4015dec2cacdd300a52af72

SHA512
b6285f9adaffb9b4908ecc5f19dfce2c181f5a07ad687985af3b4f968e66694c8e774ca73cd3b6c9d619bbaad2fee5bb324b3f0457a98c244dcbea869190414f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
226KB

MD5
a73a48ad11e698c0670a4a92f89f41ee

SHA1
1cbd7c350cd4fd897b5281c319517c6f5b5b8c00

SHA256
314787cd30e52352c12b90594c07c5379780833421767a4ea91d03934332e297

SHA512
34597e6b51c7c91cbffb9875cacf245e4283e5db2b9faf03dfeb5483480cf4a5bf18f97f4278f3b9bbdb5b78f277785cee203db89290890435ce1328196104ec

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
6f25dc1482a683a9791f0604872a78b4

SHA1
c089da03bf40c93fac8b90d851f393e1d1980fe5

SHA256
bd5397504b605531ec88892a79dd351d03b71e3899927d6aea9ccc5d66e7ec8c

SHA512
0e7d57ecf2b22ae2272a4ba5dc49963165dc989508580db6c69ccb76a5dbe6aaf8a92251c2c85b566beb581a3260bc547710fef684a2d295793c73ce2a1b6dcb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1016KB

MD5
146826605a669b8ed94362bf627b4e3a

SHA1
99288ed82fd0b6129e2d5e332f87ecfb79405ff9

SHA256
6d275094c0986cb48ac950db408fb3cfd6f3a84348a310bfb1be1ea89c436041

SHA512
bb1652634bcf62709afe8d37e2c7bef2cea75cb424409d4cf60e322a8a7cea3e4a0779d56d25a9c00c86a32a8d91bac05f7c724f8cda5ae9bec666619ecf4cc3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
945KB

MD5
8f32bab3237a7b0cff6f20ede22e7740

SHA1
bab9a8d019dea1726a6b884601be5358f45f8b19

SHA256
29b6abbf0711541f9aa46222f30bf14e8ae975f2aff95bb956d13cff6478795c

SHA512
7a15079c50f34a58e9eb980e6bcfcc64f3299a2f4a58cde7c2c8a6c9ba3c5a51f6ab61dcdf95183aaec9e7461cda2798b6b6514e9bce24eb587ba8cb3935c5b7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
393KB

MD5
04dcf7b8ccfba5f27896e42512a535e6

SHA1
00940bbe35b2ec7feaee2c9a463ff1860325590a

SHA256
971db096979af8100a504fd2f18dab16f1382f96c24a3461d76ad9ff0f272a42

SHA512
0e0d807710dcc4e72476103b3ad279d4fa2dc4b126f8cbcc901c686383955f3fbfcce45ea5f02267ba1ed9c4960d53b08fd5960b67e2ac5db446e986d8525ed2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
246KB

MD5
02783e47ea08d721ec8b924c9759452a

SHA1
5737f214b39e16537bd8cd8a4f2ab0b7f99c84ce

SHA256
acbced77eea1b3bfe3a8a69ce7866a31b86db75113362987bd814e9a9e17cbba

SHA512
5be56a0bb0056f055b5bf30354b56daf8333bab16668e4caf683ccac9e592307aa4cae2e6b7c4ed7fb44b5f2636a0010877806511c86020734ba3399ed28fc27

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
57KB

MD5
33cae3d2ba38bc67e0486c795c68ccc8

SHA1
e961b8282a100e5376898f0fa4860d9f73c43043

SHA256
9ecd4c946bc7aa02ca4b69b59585d5196882629ed46a02cc2b3eca798dea53c7

SHA512
f3d42605dd494bd39032b43a10162f7a93d0474a41dbadf91ca01b3755ff93027d9f7b20a8ab48f47496fe765d5ac7a455e2ba4a2ba88b4ea0059dcb41517d1d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
640KB

MD5
7cab624aea6ed5df8b1b88a35cc1b325

SHA1
c8dfe7b7131decb4ad247ae9a08f8a4ae08e06f8

SHA256
aa058ab988dcae2c20e4df6b4364d5f34e2c8c9fa165cb7f8933b0fac6e64af0

SHA512
f4378a215af44fde3a0da9394e09a69a0d7be72c587a303af5cb5dfd128d680bb1bdda2c22dd51c94834c36d4dd98c642dbdcd2d3af0511c40ebbbed86932367

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
446KB

MD5
a40c7163c4bdee06843cff9a681ef40f

SHA1
e5f1fc39421ffe8ecd9d3750c55b532b6e71c7a6

SHA256
68c27434868932c1a5cd347785d7f3818e598f7039b451c9d87c240a3fb89376

SHA512
ef8a72a4dfd895c0e163bf2fecd9969b9f08da33439da411397977f2b3d436cc11ea875dabf5896677eb6a5b72601cfa0c203bb70ceb91566388fbc624eb7881

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7a954f82114f76bbe02cce1273c21c0b

SHA1
2dedd85d73790b6b8b6201dcc2c4ce87895bbed9

SHA256
0f9826945f9a07326a7dff20e8fbac5dbc4aa7ca28cf32bb9282251f0d7a0ebc

SHA512
c991a5db318a1b7d3b4d4eeff8a76b1964a31e90c3d19e3013805f36c1fd6e6f4fa8a65e0e7f397bb5b3500b673d3e4688bcbe74e14fa938809bea4dc413f12b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
653KB

MD5
e17531fdddaf7ed316098a6e92cb024a

SHA1
21772a4cccf27be725cd5edd285af5958abfb810

SHA256
5f569d894c209974eadfefb1e54a84d333ab0e2e90f7d5bca002a11ceebd343f

SHA512
d05ded13574034d448de408d27f831c5f2164b7847476f69e016168f83011a4a44c7132f3a87c29c0868276de5d085d92a6b63df55e9c2896f2f64bf60110b20

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
249KB

MD5
176dc6b533ed0707aa976e5e439d6f0e

SHA1
d141b85a577dfca746721ff2438f07d173ac1c09

SHA256
9a1129a57f30ee675eb1f2c38f58e48a2eb0fda5310ef51c9de74b2eea36eba5

SHA512
0e1b65b640ce87ad8c79cd4bf6b57543214f7c9ef5135d72bb4e48a1d573a263447f00be1a602c589cdbb77a296859827d431b02404dcdbb55878fd6af810cd9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
158KB

MD5
866c7a6fb9306594668acdda2ee0d849

SHA1
71fd2a1ecf20857d3a6b482dc2164d1f6ae84c8c

SHA256
de3b88c0cf0d59959713347109a9ffab9fcb7cdf25dcaf8ae7f4be9d39439e87

SHA512
713c4f6904a7eb11ec9e5a87f7b1e17638409fe09e8da4ac8b846fc23492195489456cf2967339ffb08e083dbde7e4df09405725eb10b7132a7a37614a7b4d13

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6ee048daaa53a3626f0a9a3bfc8abc22

SHA1
e435ef50993fb7e90c57e0c7c9975e24c238ef78

SHA256
ff924f1701d76023b834e903d24f8f1803693af8b7bff8c5edf0855581032adb

SHA512
c23e638bee38a78ffa2b6e87ba659e7f4cfe252b53474873799003494abe8a8e87e45f7f6c41af3a514f3a1e13d0b17c24f450f506ac475751fa0597b36a5aa7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
423KB

MD5
e0d26074022087331de559e2eb863fe5

SHA1
14e54aff89517ecc97b8b219e8c2cbb3246c1bbf

SHA256
390b51327cdf50afb82d5b021453db44304ca182e09c3b77fd9d3ce9c787d06d

SHA512
361b0a05ad74e8fdd174ff52e8f1ebee40e2b575e328ed70fbe2f1644b670b99a166eaca9dd66823075898277e1a3a3e5307a52c8eaf0e003ac3a7f50d30b91c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
437KB

MD5
c6efdb43d90d4a4da3b8596ff1be150b

SHA1
3d990af2dc51099ae4e5fdae37ec73e00f15ee7c

SHA256
1573739dd4f965ca9f5a23f7182155a896be9e29f86ff569bc36bef99c74ad99

SHA512
8f3ebe3568049d51e16966cec7a8d6fb309569e4ff89eb2d2ca92fb10b1a63117735f3a6ee584c6f22c245abc15ca74d914591703227d19c22a830ddea8746fb

Download Submit
C:\Windows\System32\vds.exe

Filesize
191KB

MD5
a0df7b2539cbf7d3ad011655d8af6e16

SHA1
504cf5d22c29185f7aa989f4d14609e9bdcb701a

SHA256
ee2310b50103677eb2fdf55a324ec25f9e2f50d4a4d713e95e3bd95ac29ccb7c

SHA512
eda58e556f7d15cfbb4387e4bb140def612385b4502f7c469449f872c22c49784e723b9c4a8fe74bf3abb33c634db0b1bcd10dfe52e0b2d2ee0c0e4624e81f6c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
532KB

MD5
6a81f0d85eea47129e2c5516f1afe644

SHA1
1fc299ef40ceea709c882ace01601b7217443b67

SHA256
4dbac464ec1acfa4cfc66959e37f382ea876844652fcef8b76c4f08843eaf338

SHA512
969128bb3a25a7ab32835ff29591f4c890df580d4eacb6cb5fabfbc8e67a2b5604aa6d4b371b3c9cd7f3dc08a00e08f7030f0a41be3231ca2a36305032a35e1d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1.3MB

MD5
1974e13519108d5140721d74742763e2

SHA1
6c6274506317e45d122457a22d3ae5cb9751f19f

SHA256
06e9b61bbcc311f7826d55c3a87ee2f8534206106255c761a9fb0edd2c11e40b

SHA512
33744a9471f8dcfd4f8d6dbfdb87c286bd77e4ac84fb576a575ad86a0377afb96ecb8845c993816ec2f7cdcf5819cf897184af5cbc4a420b04250cef9a65b40f

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
325KB

MD5
dcc4c512d6a7caa46ca1dc09938df82c

SHA1
5a79de4cfb73935fb500a400635585a2b4c74305

SHA256
c3a0b6f0c6d46dd36c68a41e71ef2b3bca22adee6f3780badb4aa38b91341b63

SHA512
ff1a1406f967dfcb9bab29aae2afe7fd63fa28f5d06bee68af6367d7a692c565e5cfcc10c66ad7f9784a0dd9a9d44427e0db2127785aba45512235dac82e31e0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
359KB

MD5
e5523df7cc568c71a099b146bd13ecf6

SHA1
b83e0580ebea2169517a8c589a08da1d9304bda1

SHA256
d75851aaf14c3322d9f7c1260bb3db30c2906f67222861f7f8b3acfae1b2c295

SHA512
013693d7c984ffb38d92f802807c45fa20db6ef0078d502b73298ab1cb09959a09a96a2ed350d4114ac7f67e1e1aa155900c0f717947656115ef9c9eeefa3fae

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
198KB

MD5
d7fa07e250053ab736745ed3ea1bdd25

SHA1
e32a64f7f6cd4a892e1c927042575df04b51acf6

SHA256
f1d5d815c788c8e2a1fb01075863a032e858bbfc5d82f5cd15477bd2e8be9e48

SHA512
1d9bffbe4aad863201840b353dea500f912cafe84499c23c135462b15cbdf13f9ca4c4c0a4513f5d926228d5ee6edf523e4fbc6a046d5882192fc95540c8e3da

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
262KB

MD5
2ab2ebabd11fdce34bd4bc8133278ff4

SHA1
2c4717736c4bf806c7454ebe412ba13a526a33f3

SHA256
f1154ef144c155c4eddd87a4fdf798d7bff3ac32ec23e58e05c66731daf155da

SHA512
1df3c24807823ef173007c11890a21d00be330118481074dc1a53fd102808c69c8017e3e03d886bb80383e34d9a8c048556d18f7d18f30e04bf89091f9bde242

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
359KB

MD5
67bc26e4e2142ab765baaa0329cb9106

SHA1
b2ace6081630dc6a1946df5f20b9536b9d952632

SHA256
888dd9e0e3f4afa91d1e64c555efdb55559aae569ad1802ebd42c9c92a0e190b

SHA512
76f1ec125f15757c5d00bff169178844d650b126526d926f705bc4978590669475062a1e8f1e8c32cf1a116349a79d9bf81cb5af8ada23a0b3a9c2c5109f7e7f

Download Submit
C:\odt\office2016setup.exe

Filesize
187KB

MD5
b78853e3e22e7698379cb8faf74b6952

SHA1
479ff3644107b41bf592c9714badedc7c0c38d3d

SHA256
7cc2f52ba343984405d73bfc0babf8f8e85b42460e1a99f43efbe1f0bc601297

SHA512
f727bcc7d9cd3e0e6415c029031a1113fbd442e627cdcc946be0f5a41d0f43a7be5021d9dc91ccd128fb901dba2e0dfcb3855d734435cf7322048480f6355755

Download Submit
memory/628-221-0x0000000000400000-0x00000000013D9000-memory.dmp

Filesize
15.8MB

Download
memory/628-6-0x0000000001A00000-0x0000000001A67000-memory.dmp

Filesize
412KB

Download
memory/628-54-0x0000000000400000-0x00000000013D9000-memory.dmp

Filesize
15.8MB

Download
memory/628-0-0x0000000001A00000-0x0000000001A67000-memory.dmp

Filesize
412KB

Download
memory/628-5-0x0000000000400000-0x00000000013D9000-memory.dmp

Filesize
15.8MB

Download
memory/880-178-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/900-114-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1032-32-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1032-31-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1032-100-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1032-39-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1384-227-0x0000000001650000-0x00000000016B7000-memory.dmp

Filesize
412KB

Download
memory/1384-220-0x0000000000400000-0x00000000013D9000-memory.dmp

Filesize
15.8MB

Download
memory/1984-92-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1984-148-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1984-91-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1984-98-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2020-160-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2280-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2280-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2316-175-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2388-72-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2388-126-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2524-172-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2524-121-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2816-80-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2816-81-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2816-134-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2816-87-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2908-150-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2908-139-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2908-230-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3040-109-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3040-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3040-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3040-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3200-416-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3200-155-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3384-104-0x00000000007C0000-0x0000000000827000-memory.dmp

Filesize
412KB

Download
memory/3384-158-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3384-110-0x00000000007C0000-0x0000000000827000-memory.dmp

Filesize
412KB

Download
memory/3384-103-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3756-79-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3756-15-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3756-23-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3756-16-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4072-162-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4072-438-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4116-65-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4116-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4272-465-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4272-169-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4308-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4308-452-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4580-117-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4580-168-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4864-128-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4864-177-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4864-135-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4900-429-0x00000254C6710000-0x00000254C6720000-memory.dmp

Filesize
64KB

Download
memory/4900-439-0x00000254C6710000-0x00000254C6720000-memory.dmp

Filesize
64KB

Download
memory/4900-440-0x00000254C6750000-0x00000254C6760000-memory.dmp

Filesize
64KB

Download
memory/4900-468-0x00000254C6750000-0x00000254C6760000-memory.dmp

Filesize
64KB

Download
memory/4900-470-0x00000254C6710000-0x00000254C6720000-memory.dmp

Filesize
64KB

Download
memory/4900-469-0x00000254C6750000-0x00000254C6760000-memory.dmp

Filesize
64KB

Download
memory/4900-466-0x00000254C6710000-0x00000254C6720000-memory.dmp

Filesize
64KB

Download
memory/4900-453-0x00000254C6710000-0x00000254C6720000-memory.dmp

Filesize
64KB

Download
memory/4900-70-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4900-69-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4900-62-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4900-55-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4900-57-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4900-454-0x00000254C6750000-0x00000254C6760000-memory.dmp

Filesize
64KB

Download
memory/4900-455-0x00000254C6750000-0x00000254C6760000-memory.dmp

Filesize
64KB

Download
memory/4900-441-0x00000254C6750000-0x00000254C6760000-memory.dmp

Filesize
64KB

Download
memory/4900-430-0x00000254C6750000-0x00000254C6760000-memory.dmp

Filesize
64KB

Download
memory/4900-431-0x00000254C6750000-0x00000254C6760000-memory.dmp

Filesize
64KB

Download
memory/4900-418-0x00000254C6740000-0x00000254C6750000-memory.dmp

Filesize
64KB

Download
memory/4900-417-0x00000254C6710000-0x00000254C6720000-memory.dmp

Filesize
64KB

Download