risepro | e182839ee03de3c76a8ba51dfb4831059931c7f3351117de3cfc571d0b8c0953

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
Size

4.3MB
MD5

be97bfd26b62e2b799f670800fb48736
SHA1

43db76f76afcb4d09d8bdd5bacfbc9dc8ed2ae8e
SHA256

e182839ee03de3c76a8ba51dfb4831059931c7f3351117de3cfc571d0b8c0953
SHA512

2dd5fdbf2563ecc6b1ea0d946515cfe10dd0407412ece9f6625960c0b082e984518fa86cf1935ed19b75013eb18db65d10b838bd96a39a9efee05a729d26a900
SSDEEP

49152:T5PigeXnpHEh1zKhYOPCP1/j283IwlgZKUxT2FHF6c9Otut0LPekZiMvIViyOQQ:TUpHG1+hDPS/jPlgDx227QMvI

Score

10^/10

risepro discovery spyware stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
696	alg.exe
3668	DiagnosticsHub.StandardCollector.Service.exe
4520	fxssvc.exe
2284	elevation_service.exe
1056	elevation_service.exe
4948	maintenanceservice.exe
2688	msdtc.exe
1548	OSE.EXE
2580	PerceptionSimulationService.exe
2120	perfhost.exe
4328	locator.exe
1572	SensorDataService.exe
5008	snmptrap.exe
4052	spectrum.exe
4400	ssh-agent.exe
4632	TieringEngineService.exe
3092	AgentService.exe
4776	vds.exe
3992	vssvc.exe
4436	wbengine.exe
3660	WmiApSrv.exe
4132	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cdd90226b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000764a64e1adadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063790bdfadadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b798c9d5adadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063881ed7adadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5083fe0adadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c7c19e2adadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd142be1adadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe

pid	process
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
Token: SeAuditPrivilege	4520	fxssvc.exe
Token: SeRestorePrivilege	4632	TieringEngineService.exe
Token: SeManageVolumePrivilege	4632	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3092	AgentService.exe
Token: SeBackupPrivilege	3992	vssvc.exe
Token: SeRestorePrivilege	3992	vssvc.exe
Token: SeAuditPrivilege	3992	vssvc.exe
Token: SeBackupPrivilege	4436	wbengine.exe
Token: SeRestorePrivilege	4436	wbengine.exe
Token: SeSecurityPrivilege	4436	wbengine.exe
Token: 33	4132	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4132	SearchIndexer.exe
Token: SeDebugPrivilege	332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
Token: SeDebugPrivilege	332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
Token: SeDebugPrivilege	332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
Token: SeDebugPrivilege	332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
Token: SeDebugPrivilege	332	2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
Token: SeDebugPrivilege	696	alg.exe
Token: SeDebugPrivilege	696	alg.exe
Token: SeDebugPrivilege	696	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4132 wrote to memory of 5180	4132	SearchIndexer.exe	SearchProtocolHost.exe
PID 4132 wrote to memory of 5180	4132	SearchIndexer.exe	SearchProtocolHost.exe
PID 4132 wrote to memory of 5216	4132	SearchIndexer.exe	SearchFilterHost.exe
PID 4132 wrote to memory of 5216	4132	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_be97bfd26b62e2b799f670800fb48736_magniber_revil.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3860

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1056

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2688

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1572

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4052

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2668

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5180

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:6092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
9059d24dcc754542c5d1c2a0f03eda81

SHA1
f3ec9b50160614f40170574c472fbdc26d58dfaf

SHA256
087433e409cf5755f8039896ee0c05cb372cee4590f06e3cbc98748a72312d61

SHA512
bb2b17973cb43336a41f0c1db18ac28449dc96989f0c754676cb90f0bcf0b2455bc689460bf694f297fabc744800b8facf9d3c23214a89620e537a3a4275f87f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
2619a1a3193d476ca4579661436c59a3

SHA1
a9b7889f806db173138fa33ddaf59f27293d93dd

SHA256
ad3a98592fbd38c0f5934881a1b5f9bf7019ec2caad2ee096e970d0926d8e7bd

SHA512
811c0aa58c55b06acac639186de29ae1f41dbe3fd938a731590cc6df2a92f0db26518f129865961ac270823b50ff7c7c7e249e7a0909e2582e9e834735263ca0

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
c87b9bca763e779d53dd18b7924b0ada

SHA1
dd3ac759119d22895589763310fefbbcd602525d

SHA256
8335353a47750eed12c50ab2fab195ac60ad98de47c164d4d55071d9a354b8bb

SHA512
960f428b0fdbeecd080232f2304a7c73f5385517b900f2c2b83ea0f940c245843551104505aec30c828cdef81b6d70f613423ef22ccb7fbcd5d4fbf2a855d06e

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
84085eba1c189f3cd1fec5eafa6e3e13

SHA1
469ccc1d5bbdde3d1ae35f33d9a4df33835e3b44

SHA256
8295f8100d7a2c5aef1e5ecaac064bfdf1f1bf5f4484876447b0a99689e92800

SHA512
bf6fac516354bcd80ffec0f6648bd92c93c9989c3d1842fd496c02a437d098670d5b306d2c9ce75a4b42a4bce96f1acc6ea4c2857ee0ce325f1ab9f9dcdad44b

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
eb30ecdbbddeb03ed4ea85b77cd82e16

SHA1
29b6f47ec22cd480510b80c6710cf037bb67546b

SHA256
d3a4f51fcf6e0e97cf0d3e7e43c55358c77fa5d15bd6edcc979b6f4b13a4ff99

SHA512
1e1782fffbf43893f76b7aebe0c508203d81b2542003bc4363ec6b8f668c9181bc16597031a4c078f6438aec40d0dab289f3771e6f9be20d5a38f8fbcd104079

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
2c2b4ce0091f91f68d4e10d2e69b0ad5

SHA1
c3df2cee0a32747837d2d3965ba292996f4a5e77

SHA256
c250db76dc779ea93bd3e9e5fff4457624c376e12c18d406282a26bc47079081

SHA512
0d7f2066e2d6411b48a3c8bb4e03b0276aac40dae512236f24498d65da6b7b2138e668fb118c512ca60a5c686f57ad7d790d78bd690308aff5cae0e7c9bc62d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
5ab3cbdde7f4409f284d97df201559f1

SHA1
86d29d1cf0ae494ef71a32ba756e11d54f5ae199

SHA256
21b21524101daefda990db5ede20509a597f7d6f63d228c6a307224bdc829849

SHA512
0a75b930b4233bd2f1e737bce23d2de07728f03a10d86fd33d0da6897222f42c6303e739cf82ae5e60d74dda73e297a3ebf6584517923a32c2ba0966d73958c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
974d373612db5464e689c56fa984708d

SHA1
dc605b7bf95a5fb408d7890e1508c7a158931751

SHA256
12c38e4e9ecbf6c4c7e2d2ead56756060d9a9412d6a6b5550f13e42a30891583

SHA512
da0069854006a90e567a7c458a1c99bb873578bd3f05998ba5094de4b06c1c4b7bb9188cf09c15b04ccbb9cf020d3011d2945c914ee25f96c2eb2c8d6daa9d91

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
0566a50f9fc4c21d569cbc56b6df0f44

SHA1
ee0a21419007330c3093ec4f4eea9ed058d7033d

SHA256
a7bfabceaf74e1dbca66838e76988424c47f56240525df21ef8fab7ca32b6c0c

SHA512
dcf500746b7b4d804916addb0eaa092c86b592a4f99e7725a805d99c10586b0464f20e0456065141c7d8ab0bcb25a93af2661a860ea1c7b5bae80d0bc34c6cef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
fe7f6b615e69ba95c39b211a0c5a6acb

SHA1
a1a0743eaf95885317b1bd0a53f3f78fc767ebdd

SHA256
cd386276adf0d4dd28f00a473a4f326a7064e365fb69a72d975bf4033f9b1d91

SHA512
f889665eff178f8159f5768b01eddfe2fed41a9dc95f826b69afae14f71c7fd3f25420a15c5974572e01bdba8c08519c63d253fbfda934bb92050fd12abdb665

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
4995eaa25814ab02545ea172f489d5f5

SHA1
88f58cdf2250d808623d78287513c0eac196b4f7

SHA256
ca2985f69c6b6c079b66ada3ad46ad2c84f2b5485eff88083f82f2f67528edc7

SHA512
0833fcf653dd4fe67a34bc88ba11c1b39395e7ede092a1640764d1488e2ed7dde9e594f678afb8d4a9d368ea45b2123127e4ff78bec809f0d0c59604a9219eb2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
c274dbe64c26dc23640ba3778d4f3dad

SHA1
d90f585cde7ac8b903a594e776e822a93630cb3a

SHA256
d5f7a47ac4f83cd023c0acb26ca116263aec0cf6e9684ca45e5791a75a724b02

SHA512
03be5addbc91de827d080ec47a0e91e23e2218c248e63a90408c3d51d86b53e6991adc295d387517185aab38d57d95175894be566bc2f22a8c5d7b5578cbe372

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
b71cbe4a40e2c441e214238815cb08d8

SHA1
ebc6088e953de1bfd8d4e24bf329da7ac655f067

SHA256
04cc3ffae4484ebf91a37d1cf06d179f08b5a2f5c4768bd75c57c1091de6e4ea

SHA512
3f06b0ddfba48ccbb6c227184e16c776ae1f8cbf3d89125f26d71631c13f56963203d9c069bae9b7c812aa8f320fa7973a888661fe100ecbda380900e6bdcfa4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
74e10fc0c9849ad89c635be73b45c3d5

SHA1
314fa5f1810d5f7e7a54070ab2418e08198b463e

SHA256
fe1b8d39b2f2449b81dada4ddb5a4dd4aadd041036416b22b64b1295a3453362

SHA512
b05b0bdc8da5184943a40adbc53ea15939c5b42c1e221f3fcbdaec1663886fb04184aa1cd57bba85d13ab335ac9792128e8ccaf606d9091af71353e6ef7e3952

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
4.8MB

MD5
1e4602ed6df95aca8cd9835d7584071d

SHA1
c8f48e8296f60bd003a4c72ebc57d2dab77a88b0

SHA256
1bc28e3d5cd0f934add77ded0e483f7ea8999d7a3a89890f84b48f9f060548e5

SHA512
7682fad964f455da741b926e913a0d56fb4a97102dc3922de1a3b4cf2dc392872300fc850b024a02ba7ba4ffcab3fad71bfc25238ac24622c934d682d3980032

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
4.8MB

MD5
bba3082ec53c54d5ce9c0c8dbf0498c4

SHA1
554c796a138415cec87588f6965477bb2185663e

SHA256
e61f6c41891595eb6190680883a2d999c28b00fe50a6c24022af37483f53068a

SHA512
3225be17751fff6d3894e0b091eed56c92361559e34c69ddcea9cbf2051bcbf8850262ece9c9bfd10c3d5a19ed1f063e7a0ed6d00caadffea19399d6be89094b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
2.2MB

MD5
27e8528aca4cf1df5d3e9cb5a4fc3d1e

SHA1
7ca25e6e8b402700e8bfb4aa061fdecba76c9112

SHA256
1cb8e57cd3b830ae573ca75066e52a60d46c3a3ded9bc05317f6b738eb6559ec

SHA512
35448f7156a724cfef163faea8df472d52057d53122c323ddd6ee72b2642dae6818b5d0920d2a91a588058db69980949912d3ec09df07046851e61842239da5a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
2285ecc78ae49ad8d23d9ae24019fef6

SHA1
140e33a118e62a7ca1cbfceb1de79bce3b1f103c

SHA256
5bc8f985b74da216e87df2ee08f43e2bbfde39f9ddfb9a7b0d354ea7eca468e9

SHA512
0cf162291362f4f6f0e6ce5c76894a198715552ec93beaaf11f8f0a257ede03f7816e54ac731cdc1672311a93523823c7cc6309f05fd8115917a7df7f4d67e82

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
1.8MB

MD5
82e4de4e85d9f2619813751a2e67a2e8

SHA1
c0dcfe89941064ff6eb8bbcc7bdcd04a34e32e89

SHA256
ccb10b2922f3357af02f9cb3c421c8606ddbe78d372ac5216e52683f1a132049

SHA512
d004eb26d48003ee67104d412020bcf910b4ed2642ff7058a7f0dd3326e755798dd2bf343ec578de0a92815578c7d76ba2eb95a153624047f39ff50f5e813dd0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.5MB

MD5
a4368de454af9b3ef8c1763ed347ecf0

SHA1
f2a7bf1b1421a61e91a75aafc028406dd97789cb

SHA256
41694f994197083e0c877b22ba77ab3feee9645fade9ebdc118da7250ce3914d

SHA512
6bbce009cbc8866706904a2766d203a0b1062a76661ece90d426fc9a7f7ede9132f5e334f73ef2a9577ed428d37d0cbeb2bec0381d185b2ed135e88d61c8ebe4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
850025104bd2ba0f4198fee779b2a1da

SHA1
fc0d6bb32f6a23ab2b234d8bc11d4d23c9ef6a9b

SHA256
903354444e0ce595175cebde0bfd0f3db35d5c2e318f4a4741a5d54ac63c74d9

SHA512
d41bd850fd570471aeb4762b3c1ccae75cec52d36032dbee725c69838ffa63ac48cf060669b43c9224ec5a34c801a20c6759d9d231d3e97dd51d36aebd5dfe62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
43d2163daa4304e24d7560c9c1ba0606

SHA1
6b1ea442f4c04cb9d450620bd22cbbc20897ace8

SHA256
589c8617e5532db041a989dc9b7a40b62dd6db5bc886d11db381d0e161f35eb4

SHA512
d9964961523e9e6fcc214b2fb9f44a657eed771f05344d1a12306fbc64aad97cf553e82c95633e8fc6e258d314913cf35a2aefccc2201be0b79c144595860496

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
b9f1f27f65714d07728c55b40c18bc18

SHA1
eebe287f759314a76a7be893b03f1706ec262099

SHA256
0db530ec18dcf863c375dc60f07561f56413c847bb3a50ce038434fc154159f2

SHA512
c520ceee7ba569567f7571a7e090ea9f3b8bf82d7ef0c5d79b14d2cf2b423f8b2b8a73a1102307b53ff5dccda0fdab4db125f01b871dd992a7dce61399b0c462

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
c0aa30c9c7b8370c8745a725cf0b7464

SHA1
fc2ab997c88917c2df2d431d3e229de13e2093ea

SHA256
b5aeefd06e2777a1f1334137a827af4af6715c67fedf030bdce375796d1350e7

SHA512
1eafffa3e1f13928629674dfccf2c118084607b803dd5dc04a0f1530aeb52eb3116251671064fea17d1717304940da0908e8603f2717eb882c58061014963a5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
530223ea3e5c3e885dec6cda53fa8023

SHA1
863a1d07471ba17bf384e137ed44465a3e4a6cdf

SHA256
e2f28059210e21900d80d8ac799b2b0c6f8dce3c793694778fa546adfcc07ea5

SHA512
1a35fc753231c79bd03f6e3152a3556c9d7b81ac08c46083ff8d6ac6d4235cb3a9bd19f4385fdb9cf16005feae43db2eb84aa88414c38e2b3c8fb6a074ae3eee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
0c6fc56c15e447e8bd1ad5fcfcd1be57

SHA1
024efd59877e372b960378ed28df9aae886a01f8

SHA256
a0d02b068301f515fe1c05bfba845da34331372eb21998613808f3323a10e49e

SHA512
2a530dfe9dbccaead2a68cc3e02f2b8b7865133cba6d7cfde8422573636464630842bc2f37eb2322f04ab935195c06477e5801dfa53560080f94de592ec55de8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
578f5e089a18be455502f243918b7f1f

SHA1
d219ea9b3b1a0387a8ac219b8a1e342250be578c

SHA256
ab2a6500e90ce4dd16c1154ec3e542b72488482ca8538fbb724fcbdf76931421

SHA512
f0bc94bc29954af4b22b93b0328a0ff9bebf48c3d12a14ed906e5158ca99990298f0580c90980978e4aac452cb812485804fd45a24b90fa8e9cd531572cb5633

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
7e4da9dbfc8089e855d41e40ad567475

SHA1
e6b5d9c60e398ec7d31e366f6e409958c5727b06

SHA256
86f37dc107aea3e2736a71c81e9e3618075e7e03689bf4d50e52faa58cb3c673

SHA512
be98ed0d08e0f81a1fe149196442128621ae31022c985719996f4ef154a4a0177b0b2e67244a7cbdcf4d388899e667df10fb75300090a62f12e2447291b4fd4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
be2dca4f243d780f0c0c9a18d38b4795

SHA1
f46220ad0f2301ee38a12ae9e3b72dda4218b98d

SHA256
3c6cff4b22a21e7ea6b8a013efd0d8f626272ed8fbc6f09f4d0610b446825f55

SHA512
a50025922b18c7c4f5387ae08a1b49ff355e7552c1a17535bd4599a2342f78324a5ee5dacdc74f1e1908031be906612116f5f058ceb7da3876d30afd0d3da706

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
2b9c621c9eb89fea9e384a4f8af6b17c

SHA1
709c64d016e51c7c0778bcf44f7bcdb4d58cb42f

SHA256
f7490d17f20bb073b2249df9bbf6990ee10188bf4dea72a8e1306ed8c2764b36

SHA512
6e9bb1126994321eff0b10afe2ebb50ada69f374f5b0a5ff50a30d9c6a3e5063460749968a13001ff0aaa141b2e6ee673ca8fb9d1c2acf83740204d799c9f73a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
6f3b1b42220ae715e112b641b59b8921

SHA1
8c58792af334151b0c131a27023ae669dac5b7b8

SHA256
194a59b90eaa2fd2b4a0f9612587ec502f42b4a8f92a20a4c2d0fa3ec34fae77

SHA512
34944c0f15abc3e2733ce4a82deca34f1fc7639155c6a80891f2ad3fc7a175c7ae3473375d5c641c4306900fa5f9cab52a53ad58a245b44e917c290d3f03975e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
312d5788685eda532dbfa7b7e975ca00

SHA1
a7fd5b6860599f5c7fa4d7a22b4e0e265a8b7bc8

SHA256
804b76e42de7c237fcfb64aa90da87487a0610d32e0781dbca23cac412b35c31

SHA512
258a03d7907c3d097e27ebd042f02f5d4e822e80ab78b8810f7b1355670c5f55305405f3b93e42ab2c4888bcd5a224234c45fdd5e343c9be59786dd253082fed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
75027bf3c3137ff58c378ece2da18f43

SHA1
2da9c80067c47f57729de3a72010433e437d7cce

SHA256
0d51da355d5899241773e75ba43a55624ffafaf890dd2066b7040edbda9c7b43

SHA512
b0b7133fc31e91eaf0b498d7cb545b013766ddd37118573bc27d6c6d12aa6807ce64e20275fcaa18ab035abd60122d59205fbfe921a572ffaec5b0d96eee92f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
c256e0a5c64fa2d35bb4daee64642484

SHA1
10a0b26db0c6874d40c257b9fe80a1cef8d4781e

SHA256
e8277e347e4159ced4dc5a77faf77bcf80b3520d38890287f92988bb694ee423

SHA512
d214e4abdf9f8719e8067cf260bdea4d26ff4d35abd8bdbddaeec087ddeef1f9422b863bb8311d9743c2544eff91fcc599a9fc47e78234b61e28782e306781f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
99191365b14a520e3c3ed56cfddafb9a

SHA1
1f8af07c9617e509213c2d9bd81fdff9cdb413ae

SHA256
419ce8b5ed7ba1c2a52a1a4f2b5a4d83caeed61625a7e60b6c0347c54221686a

SHA512
4e4d47e1322bf5aa4e95e7e50d05d4b1fce91ec2c7d78dc3b54e575e513ae1a9592dea25054f866e07419e3c2c34b4eb3664124f88cbce995d530b703448fdb6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
d9971277a90c655515e20c4a3bf71443

SHA1
bec1deeff12a3bdc43aa4c80888c540d883eacd0

SHA256
20a1aaa3519b5f0635d2541aaf78e2ac2c8c8bc8e2fa23bed45d743c213bca2b

SHA512
749fcdfc1afbc19aa75eda80578fd2f76a7a38376408170519512cba24e5d7b833dc176e5e31f6746c5a0c52144508f5c21dd24859d9fcc380d2a09c2777aa77

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
b3b99c97f68849c6e2f05114ef3180e9

SHA1
b717177095140c63472475366c68aed79b17041a

SHA256
f2c2c6c88bdd79862b81683d43f50f202ba6adc55771aa95bf43577b35ddcc5c

SHA512
719cb94e7c2eba2f3cd7564130bc08768aa429e2b8696588a341360580f51d3182243a75f9d466dc69f72f3a296b2727a2e6ca7ca73c1f3131d993f3ba08c306

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
8cca2df496f8b304f640ae1983376c55

SHA1
d8b2f153a239da0181847324bc8321d4c1611bc6

SHA256
9cb52f01e265454b33725cebe9ddd2ef6c89117c58604bdb04adde81359fb467

SHA512
855b99970ef31704b37f0ce0810a4749b922d30c6a7cfc05f31695d5f8ae94fe48d2d4d811c5f2782d3f0906a773aea02a2382149601b8e814bd883729c15d85

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
32c1242d0d8935991c143250ef953ed9

SHA1
5dd3715ba1141f7fcdef1ae6f8b41ce246f33a95

SHA256
1bc5792bd9c69f026890390547193633f1b0eb47bd906fa625bf2d90493ea0fd

SHA512
b0d011abe76855db6ff311b3506ce63cd50b4eb65f718385c59d57e35f9277a83ddf6554d651039989df5c3c17842bc5ca49a9e44a91375fa894440b01cb6b47

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
7984ee5cf646c50bb6470239b5c14657

SHA1
0c33a8c2b8788012636f26c5722e738de9355399

SHA256
222439fd9698fa2e80ceb79f98aa5fd0800a25fdbaa9ecd9021a6768b5f980b2

SHA512
756ddc6873e637ca1ee97bc614306ace2f8bf191a693ad601b4d6c5f5fe6093d6faf924ff3a6e6fe7cc6f8092a07cd02602bab6ce271012830f4c5f2da8d9711

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
e514933f53ac545552780862cb3a0937

SHA1
8de43ca050d9037753cb168ac2a6af33d421f765

SHA256
4d9e1e10a495335908f2a72deafe3714cc5d7f04aca418d58712ad23fc56dce6

SHA512
5023c309055ecf4aab34fc4227ece1cae7e4548718ff96835585dd335c71af73761359cd0d7a228988ccd1bb158dc3c7e5e8a65db9edc02e29bf5e9a269a4fd9

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
bcaff8f809f352d3ce32de33da0ddd7b

SHA1
36e9ff0849cf90ecb4145ef244c08cde806efa72

SHA256
50b3ec2d844646545dfeb3df1443828c90364f0247d5a40b1c4e29967efa865c

SHA512
e338cc7250dada42c758c122de548f888fe70c96f4124f6586894438a863ca4afc720df164b5bc31b37a3c035ecf1285106777fe7d0435c50b8406c273b0bed5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
4768b1297d9f71b698197d2fc8217d66

SHA1
b579885823d273d8e4e601548bd23b3334f300bb

SHA256
4e49e377c78b1acb75030f948c0836e210969078b78c0b6fcb29737503c47d97

SHA512
87707cd7340e6c2ec11a6a8e1b112ef4b1d7d0102eff98b6f9f9d7cf87c954d4819a3266d00e7f01a219c3549c1111a9b01e7e5903e844bcf7266b461813a161

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
d01219df005120fa00f4ec7a56c57125

SHA1
2d08009068ea8aa5404e2ad57a965f7a720117fa

SHA256
1cf1581b6af6e1728ea5832932537aa2b67bf31db3d3ee1441cae347119861e4

SHA512
460ec7edb97585f1b8a04f8abe87e8c90290c8ecb5b85bca664b8a27c7ad64659b04bcd39ef841808a4563321cd9f24e633fcef015c6bfa79bd5789f11079347

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
4185748798c222140f31b71169544faa

SHA1
cfd650d905f5051769f4b58dac50d4b39fa2fb63

SHA256
d534a4bf97dca311d32e77eabc789dae7760fc69a67488b77ecca8fa99d4277c

SHA512
aab8c299cc8ac4976b53a67b634cc6ef1ca6d1a3d31a313c00fcfa6175633b70c565b9e2b1dc97df1f21bf5bf17c8759a0a0d70512a403443c0270be2fe8d630

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
108d91f9f17f82a61e38099fcb00bc32

SHA1
94fbf76267c641656771614249ea9cd63f3ead00

SHA256
6001ca2e2bf60c34dfc0c6f6b989322f634d607f12bf516324e4fedad43e5c7d

SHA512
33599911a4fe57aa5e800ab65402786dd94bffd03c026e120f31462fbf2c494f4f2643222ef7941b1065f34e3d042f45764f9ddb8caca53e897b0c25aa1b6525

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
2979342b886b45518fef36c11e574fe9

SHA1
df02584320bd2d8c9911c37ee0767df1c7a2769b

SHA256
5f2199299684c15e6ee36166fecffeac5de69d9907b16259d542bac7388e37d8

SHA512
e14cf0ff6357b805bbcd566079cd660d49a6eb02b3d812cdf5a6b66645969146ffb0f4c574a875ab88a902440c654a236d63aa12d044d883a312251f927ffe1f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
12f03c569512a6836731617c918d7c56

SHA1
6eae1f6bdc3fca168cf5fe819b6c64c4826c01be

SHA256
7e9236ba9821f0f72b541a71ef335fc55cc12ae1750c82117b1bfcdeca3fc53f

SHA512
3353c4307c2b14695816b6634ddf0c46ee6d461ab15efb4be949182ce970777299f6a315f63f3e661dede708be254c55e2a4d78e2155e775cc79693a50eadeaa

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
adbfde3f4a0d0745c5c61521cb01edb1

SHA1
06553ee71ce95fa6ddf86a9c5ba8178274ee95fc

SHA256
39f249b2913028603524f705ab65496501b8777df0afd0789272548ba9dcb806

SHA512
b454af87d3c40cd09e1d5cdba2a1e155cf1777f5d9c4ae59d0a9833b345f90526c964671954689988f4ec57f3d06876e6cad6014473f8b148fa7150cae83301a

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
f53dec7691672af364c3a3a4e95d75a8

SHA1
0b74ae5183903017e2a66ba52b91cec0ae730c31

SHA256
c584547081f5eb71ef7e12352fb34d054aa5bb37f3e8963a9072e4e756be1af3

SHA512
747d687785371a3cfcaecff9558cbb3ae8d45569dbac4c1840436c98d905c99658ff9c0e0ffc0160c30300df971f75dd54fe6b1b6668b020b888fde914339f78

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
bb27efa61769b9e81db1268aa44b1e1b

SHA1
bc85e3f0d1ddf72d20a95ed28ac419f3ed2e1f1c

SHA256
3c3c3c229c8216c25a6d78b657bdfa67048262b486ec902d6fa4f15e61216734

SHA512
9d757765288ef057f129d88cabbda67ddb4eb22b0164d07ec4181d25d18821e733b988c565b133eded953d1c60cc629eb23bae165b49eb0981c216481f89404d

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
2b60b37703ee9dc51e966645489545db

SHA1
5b295fe974d9c16311e6f4337a1689e6b48a60ba

SHA256
a3bea91765d79d1f272618113d7cdf1b7f3c296f3d1300d23089b7e3f0fae6b5

SHA512
420ac163a627b478fd8e827ab7da2fe94dd6d6822b8382424c6ee8f1f9fab5b36badb4ef49d8e2f00a28f37e33cffc533b17722c86de5f754813270ab6b6979d

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
7904b722926a3434c65606a953e76751

SHA1
a8d22ae054392fbddb159e92e8fe9d1efa16b71b

SHA256
31cbe168bcca68c423581b6d540440d8a382851d5d2f89b59052740f808f05d0

SHA512
f63e2f39a64f279d0cd125151dd0d9a1f927d4605df238fca79f4bd65e8adf892c8dcce12bea56ebe56fab0000428e3993556e5a0ec6d0899f9fb0ce3640f706

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
6cbc5592bf4b0485b28464aa441db7f5

SHA1
a5069196ca74a5f782cc4c753a6858aa27251b4b

SHA256
6d83a931b236040be729bd5dae3f569569ca23c38f6c3b000a53da157409b673

SHA512
5693b488fc1d06112f9384ca9d9b381892073b60ea88b8a3edfe63fc7b633abc8ed6a0b3cdd35f99b2656d70aa7147374230ede56b830de922864e2d5b9bba4e

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
b106f1c77fcca955d2d54624b95f5730

SHA1
46d2b1a959fc84cd32f34315da613b0032c89988

SHA256
65041d69919ecf7dbf64e5bb8f9da786561ce2513ba24b015ef03edc7430a8fa

SHA512
c5822cac217ebd58e2e54257d9ebfeaf124af67c31ac961e8f4f2b2bdf71be0c6f83a8ea23191a806128dd99d3bae9c76790908d8568c5f3ae17c75f23864992

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
74a32975b57764bd13466368878953e4

SHA1
234b74b78b9c2d3f470a7f25897dfc8f375347fc

SHA256
eea97450d744550ff28e8239d300c39d60c6861d8ac2bcafcd435c997c13b72b

SHA512
c92810d10ae83db697a07a68d8420782f92c3d04707612912d2c50a0a1b8cf1a82714956c0c53e17a0251b2468fb012aeba51e05d2a8708891f616d294252c3d

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
2cca73e236f08033484e8030b44daf35

SHA1
02a8366f9cbc54f2e3ac62af4230fa00d958e1af

SHA256
19d9e5ec9d5150d72daebbf21e3c8ba853e1eed481530b07097aa3ef55b38400

SHA512
9710c36504c5254d72c11450d5420ce57ebd84f5a988f3fc2eaefec2362826f46f24fb63c3c84664fd7da40e6ed726aedbd50ec3abe24752e110d3a73b417b17

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
a8211bd5f598870d276ebdeb298f5f61

SHA1
76795d26ec27caa51747818d1305f66bcfa41378

SHA256
67cf52e4066d7263ad334ce178a2634726c761d56f8dd05470d01e9735c40aa3

SHA512
28611799bb3e465806ab0ded1e431ce89641d4fddf1f10a6fc2e30fa17fb2052aaaf50b5d2dae5bc318f8e6cc905ff76789bf72576bf2574d6921a6b047103f5

Download Submit
C:\odt\office2016setup.exe
Filesize
5.6MB

MD5
cbbac727cc49ecd39591b4f9d9575c2f

SHA1
43032983c455f279737f379e7a79a9b838ba6473

SHA256
feb7730582c6b1ea938c93b45060533ecb8a83e50516848f4a938bd941243d18

SHA512
e083aaaab364768a0c3223b2f1e2827c2344205067212ec4169a23be9c33c08961693e9ca25ca2d47fbcc1f174512eda6ce89d73eadd71cbb661188489eec189

Download Submit
memory/332-6-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/332-72-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/332-7-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/332-1-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/332-0-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/696-21-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/696-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/696-13-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/696-111-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1056-187-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1056-73-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1056-64-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1056-70-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1548-225-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1548-112-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1572-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1572-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1572-341-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2120-137-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2120-249-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2284-59-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2284-53-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2284-61-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2284-174-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2580-237-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2580-126-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2688-210-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2688-91-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2688-92-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3092-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3092-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3660-467-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3660-262-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3668-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3668-129-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3668-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3668-26-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3992-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3992-448-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4052-362-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4052-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4132-470-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4132-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4328-261-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4328-146-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4400-396-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4400-188-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4436-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4436-463-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4520-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4520-48-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4520-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4520-39-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4520-47-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4632-207-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4632-432-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4776-445-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4776-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4948-82-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4948-89-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4948-87-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4948-84-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4948-76-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/5008-328-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5008-171-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download