1798ee4ddf4e2862defd2c1043abfd965aaaea575a1b5fd99a64dc8786499ba6

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
Size

3.0MB
MD5

835f25e5458402b4d7e00795cf6b6e58
SHA1

937640131229536d07e30f43d085ced747ca77d5
SHA256

1798ee4ddf4e2862defd2c1043abfd965aaaea575a1b5fd99a64dc8786499ba6
SHA512

8390ef0ca472a4af263a390d8e26b5e9bbcfea4619b6eeeb1bf4111bc5bdb35bd61acc890dfe7bac53541817efdb387512b1ea961de17a23586411880ca0539a
SSDEEP

49152:Ft6AAgKY65kU9sQpqqgxztFG4/ipNi6OEvbT5LXTqLn9KMDS8E8HcwosO+OQUKj4:fc3YVQpCRipNVOabsc4iwoKMK

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4556	alg.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
3988	fxssvc.exe
1360	elevation_service.exe
2156	elevation_service.exe
212	maintenanceservice.exe
4864	msdtc.exe
3500	OSE.EXE
2972	PerceptionSimulationService.exe
4328	perfhost.exe
4956	locator.exe
4004	SensorDataService.exe
3772	snmptrap.exe
3388	spectrum.exe
1456	ssh-agent.exe
1132	TieringEngineService.exe
4016	AgentService.exe
1604	vds.exe
4880	vssvc.exe
1796	wbengine.exe
3976	WmiApSrv.exe
1732	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\92aed5f54ba38143.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b3067322bc0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e628972f2bc0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000587c292f2bc0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009901902f2bc0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000503364302bc0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072f31f2f2bc0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048a2f5302bc0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4a24f2f2bc0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000868072302bc0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
Token: SeAuditPrivilege	3988	fxssvc.exe
Token: SeRestorePrivilege	1132	TieringEngineService.exe
Token: SeManageVolumePrivilege	1132	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4016	AgentService.exe
Token: SeBackupPrivilege	4880	vssvc.exe
Token: SeRestorePrivilege	4880	vssvc.exe
Token: SeAuditPrivilege	4880	vssvc.exe
Token: SeBackupPrivilege	1796	wbengine.exe
Token: SeRestorePrivilege	1796	wbengine.exe
Token: SeSecurityPrivilege	1796	wbengine.exe
Token: 33	1732	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1732	SearchIndexer.exe
Token: SeDebugPrivilege	1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
Token: SeDebugPrivilege	1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
Token: SeDebugPrivilege	1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
Token: SeDebugPrivilege	1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
Token: SeDebugPrivilege	1136	2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
Token: SeDebugPrivilege	5020	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2776	1732	SearchIndexer.exe	111
PID 1732 wrote to memory of 2776	1732	SearchIndexer.exe	111
PID 1732 wrote to memory of 864	1732	SearchIndexer.exe	112
PID 1732 wrote to memory of 864	1732	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_835f25e5458402b4d7e00795cf6b6e58_magniber.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2720

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2156

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:212

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4864

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2972

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4004

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5068

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3976

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2776
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ab37d4026e30afbfdfa2f0843a527217

SHA1
faea2b593931a641c93030b8f8771f80653a8ecc

SHA256
b509e4b4e3e51abe52947861fd8e11f17f3bd3f70200e1448ca0cecf41ef304b

SHA512
cf8874be9019974c8c1acf1658ba6fc2ce3f3f6af542b14782c05866fee3f69719e61d829660cf27022bda2b593fd9c608da3fb2d95fe8e2bc9a20448c1f144d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e3f8993df7cc359960a92ddf5b885ae2

SHA1
2abea0bc405964c120102a3820aa8df6d8bcc494

SHA256
21d56a77fa2af9eecd88f68ca183cb9b47c541264b77fcb7e1fd8e787cdb5b58

SHA512
60be51b813910063820ced953d56e5b926025529acb82edacc4878ceeea178fbefe260cfe358a020c048eb408d9e2a75ea955f1f67f06335626fbc1d30bbe925

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
3479f8541cc0f1d41716355e6fcf96cf

SHA1
9e58d5a660df7840bb87250be466866fb12520c4

SHA256
9bc1d063c0c8e2c2b2af77e2b348f51bc9b6f9dea084bb2235c92c901a4dca63

SHA512
75f0ce1915672764a5d00c42f9603b4cbd0c633e1932c46ab74e341f2b863264e77e20834733999a9cf2ff9fd2a09c9a4856340f1f0c5e46c53d532eed0af00f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9ceb3d05d2d8c9d8adb7e2baff3ca725

SHA1
75b109c420c64ee2683a54d7052c4b76a5085b54

SHA256
85ee46a1af30bcd24e0ae6c932d8033698756360e685b2d59841f9f6b79f2927

SHA512
76b6f130acc0ed01a4c817817145fe60af19575fd9035f6a9f3eee11d47a49a475a563a5d43b30532d28b9ee8a04d13c73b900ef0c4c358201481dac61c77628

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7e81bd1b21af9da50fdeabd68819e681

SHA1
399e9b6b610a8cf9d1f9b4f46eb9ee8b2dcfda92

SHA256
484f20cd5aa9ffabd82a2e9ea52484f3164a7a348f42db6132213f741a26f429

SHA512
4bbacf3c1867a0ca7fca3a4fd66e6b2d4fedb5ac9106d8c63ae3b141594f469667cbc72d95e87eb22bd10f62f6737d4c2ee3f26eedd1d9908da8dffecf1be611

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
eb654095872a482c6d51f9f355cadbf3

SHA1
9c58addddad841eb5327c2e87eae7d309cee581d

SHA256
abd454e96c6c1577bfc151e12855d3928fbe3348be81c0e697ed6a99bf683dd3

SHA512
99deb94fabf9f40716f10b4b844dfba76128e67965725e8594ab2ce3b6b29f390b8fa9635551e4f637f391c57c7fc5f0735afee3091488bde27f5e0a089d0193

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
32ffe7a085d0c7b04ce1c91b75a51b96

SHA1
ccf41e57b1693ff8f9414d0d7ac87bbcedb745fb

SHA256
50ad59ce97c3cd991cade819865f4215a48c203f049085186ad16f904655666d

SHA512
cde29fe10869971d400fb16abcae8e9775fa0fda32f54e72c0f60de2391cdc31d1e12b02063e65da50e7104de650d6012fd47106d426ecf2d0d6f09103ea71fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
812e66475c60fdc6b6bb5046a4f5191b

SHA1
68ffe3bc5a2b09bf9c5d674362c8e3df7807d39f

SHA256
692e60b404ca0ee6149f335f6d31f4337e8a3c75382daddf365691cd41f10ac1

SHA512
f0f85998b2b48922cae3d0bfc62c392f442925ac49a8d944401add6a0438d8a075a3284a7eb303043d898bb779172ce6278c7586e3fdd44d8fdcca027dde5de8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
55386907215736a346c6e50e576da200

SHA1
6814d0758f552234338759603155bbe2cbc47894

SHA256
d8a46885c36fbd776a4512e63a4418e75ade4391d58778d5e8338cdbcf5fc135

SHA512
d16ccc53de64a105d46c1ca140355df955f6904e955b9b2e9c251724a9a606ccf3eb3f55ca0b056e24572bce9a038fdd36b6d380cb89b11724ae7da5fdf4b5ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4477c9bf048616b96746fce0f55c8ea5

SHA1
33750e2a9fa4796a32afff22d17142e7c526b9a3

SHA256
37707743bc50c14bc194fe38775e55e5e3b9fc37fa0f7e75ad9488e406731583

SHA512
e5435a90e8335bc33758b55fd82003190ed77b3ccc872bf959a12db0d62ef9d6511526b253f936ee7cb937c00a3bbfc110fbafcff1d14884f0f04ec785d1809c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7462b81e3d0ae04be98d4f07fd1ba5bf

SHA1
83e03049f0f626be0a64303767302c1c16fd1b07

SHA256
d82bfc20d879bbb80355a550cc64ce208d517ff99961fde45fbec2dd740d6991

SHA512
7e262745f3de7ab971b6182e5c6262b4bec916eb2bde1462bf2fed11b6f902168f817ff74864b06cac4f5717a53eee929fe9880edc785d2214ba3c3fe86933bb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
03e804532637e796cd886210beea977f

SHA1
0453dbda094c7f3800755c88244adcda77dbe554

SHA256
d8871c3fd7c064d2c9b9b8b3f9f37587a4e977cdd66640902779bac5a8f8351a

SHA512
d7960bc616be053ef0504c8dcccaf1a94b7a8b1c7e56468a7f6ea6f3b1dac25944af686edcfd89237a0ba77ac38d5fd3f3208f3681e031a5dccb4cf6adc7d969

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
00a8046320ff9c44d9b1d09d1ce0f094

SHA1
d04ff4e6614c17f3a81e7a206aa2ae415dd2113c

SHA256
3ea23b34d759c03186c5fe7e1e0b7b71fa53f63ba158231495ac22d72b8aaf5e

SHA512
31b69c345de2e436022c4317df43d2ff72005ce2d3bea681c4f556c633f43ac82280d22b861237eb7e7a8888f8340a0781925ddd014beaa1b5910bf3ee7c00a8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
b19fde11b7cf9b8fbfe8d10663d4cb26

SHA1
9f912d69aab4f74ca7c2384c68b97efacb144b23

SHA256
1d95bbe40b7461fe1d8bdb5a362a549fefdebc4f30c7f58308da237963dd904a

SHA512
095e67bd30bc043133232a3b7a55003df4eabb72d6b7d0728bdb8e32c3687f59cec3b442a5b8250a148d6e0d4605c702978245a54e55b23e6ae5664ee8e9f695

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
552dd3e7295b4998cf4a0697c2222a0e

SHA1
71caf0261907d5cdfb13d27ec74245da41983b1d

SHA256
447fe42745fdff0044d7df8ec9945589949ff96a6988323153c611c66dba980f

SHA512
3f1334409658c0eeeef985b0c0406637c140a708f99422145c2078dd3298930dcf5f870a0825b7b3e456d753fb88afd34a9be4731b3e57b04e32d9a76ca7b56c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4459212e360de422ea5f7644acea74f5

SHA1
4ac8f6eb9c294b73cfd1a3f0dbe26ef8ea493d22

SHA256
795543b60acad1e6040e5cd546e9e02e75b7ece203e2fb0a2da2132aacafb1f0

SHA512
784987bb9a0bd03afc43793ed57f1d771aee78f757cefaaef9b7079b1bb6ae02f7a59c3ac3fdf2a524481fa16fd07aff4e67a3e3f530a09cab8c48e79ef96b0b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a4a04f3a497ec6c0685e56b5f1ead79b

SHA1
bf7e185ab432d3bfb1dbf154a29b9fc9d9d97e9d

SHA256
2439c6168c13016edda8ddc6762cfa5cd6a6cab47d2bdcb5bbd5e40bd12377bb

SHA512
a16ce267c594a2f5778e5f1f83f509f7a6bb2caed7c0ed54d32bd85aac3c5f58a67c5ad344bc3f664b66541203aab1ceb739c7d82fc3198d6ab30aa7bbdab82b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
db1bd2d6d366c9606b5dc131bdaabe0b

SHA1
0a9dd5845a627c1414357f77933d22e9d09ef085

SHA256
706acd8dc615988e5deb31125059970c41662337a0358871be7ab51240065f3c

SHA512
f688e3b7699ad7ea2b2ac88f721b43607330c9da7dea0ca2b6f04dc4dad8db808950d5bf76933dc7ac2cac72e055ca75c386e433dd6e10f3e4769773ead9eb36

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
85bbd8be7d284ba6d15911f903ea5f72

SHA1
619b45f68a861a7fc6c673384197b0b12a707b53

SHA256
d872d47a2932e563c5e2d1e5576621e709fd6682a58b75ac41f9dfcfab3140df

SHA512
b44cb93d0ea8d755cc628d841f0ce8343acb212f8cc7f6839c314932d7a4bc295a8e1a05c44392b6f4fed6dc7dd413267f5e9bb97f8d7cfb3a3b91995a65d1aa

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
6ae2b208ce374774566c3828da6481ad

SHA1
4c401f1a6e5f4704551986873696c0b9dc26e7c0

SHA256
fc0926cbcd793879ff0a1c3981ee04efe1da88dc4de53267b4f8d2367b49b432

SHA512
b205d62757935cbef151429e0092d29eb18a6cba03f39fa89016640965c36d4a555be2bd33dffff9d85f42189fc7f3a299e471db0d3d385612b5040e731f835f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
6c2b17afbbed30f4a4ee436a63e056d5

SHA1
57ec924b0c8ea663052fa1d3d7de8abb6c4db49d

SHA256
584a4ac6aca3a2b1e334c74f35eb88efb225b0130d0b092fc856595bb70e37f0

SHA512
c8c8e8be1549409a90d5dd27a8ee9df569123039ac9681e9084306fcaa98d00e16994967dd482f5cdb8d8090afb1c6c0aecd0cedc9fe627cc20708c6e88b3ada

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
03d039feae3f08ccafb05b9cbf4d2b57

SHA1
e452df1fdf36165ce2de2adb47186636ce55dd41

SHA256
7abb30fea619bb6c074d42c411262d8ac420ce3d6daaa870dd638711ffe42c5a

SHA512
704511e96ed90a9b5deaa482573dae3dc17addc1eb9cebb6286a884b5de845d70107d5471853c338192e0a72350dcba380fe6f838fcc34e72c2e83656c652e5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
ec7ccd4f889e2f7bc60a9f82c9b96f41

SHA1
c1eb211a08c42eda2df99b9915edb4167855a481

SHA256
be1340065076c3dd79d4d138066b376063603a496f02013ca8d9a6a35da588cd

SHA512
15bad425b947b41edd645c163c92e0254dddbd0f809246936ef11a89be65d0d24e03fe7457c957488889d2ed338c144dbe97e1d583cbb384941a256ada6c9abe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
a8e1eeddcbd116c94b544cafdaa3a8fc

SHA1
ca62cc51da3d4dd6f4623c8b71c75c01cf1f6da4

SHA256
560581878060f6f3b469e3996e887017e6837c6bcacc0ed7e41c282f596dd189

SHA512
da0d910b54155eb100218340db8985a035d8bcc539bb8d04964154e8bf3ed31691f073645f834197d032b721df7aae12096c190c9e22c84464b525296eaaa3cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
a9ed77faf91b59ca0b3067d142835d59

SHA1
0fcf02a989cdf3b82231bb1750bb0fe330309025

SHA256
791bbaf90694754160de27478a43813cd9d19dfac79972263758fb922610dbfa

SHA512
0284a680733eeff5bdd9241583d01fcc43d1972368a50954a64a4f5ce7df8e2e63a6abd8f48687856e1399d6e7561bb917c84c49a358eee85f6d500c9c4ba10c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
41006eef79bfe1eb4eb051fd65f30049

SHA1
651d8de1428b005fa055eede24d108381f5393bc

SHA256
81579b2fe0e287f538ed0bae5fa3127683334b8c619a1819a84073c7e6f9b1cc

SHA512
68053de82f2a4d3268802065d4944a285790f5a1dbc31e34f3e943447faaaeea5c9e77e7b70df86915e299e86765461249c0300abeaa620ad3dbd51ef115282f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
a32f6116f2dbda12de8bc21a4a366de1

SHA1
a94007aefbc933fd44d8480332626adaa3fd0dcd

SHA256
9ecf29c776ec4305b8e5569644da8a2d1da66327d144ee5a49803e98df2e61a7

SHA512
f3f151d6eda71fd83041b302cdb73a9246853c8f3b8216c2dbe10f74a45adffcac82bd54275f4ab0b7cbc298b9d24eb1129f4c149770a6d57c0079e744b70068

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
3f0d4750f97502cd3b48067cbe71f787

SHA1
e33e068632bb97701c7ad52016bfaa808fbfdceb

SHA256
c0c0d5b457c29e28e9fa398a1cce7071288c929bc96e786696aa6f405af952d1

SHA512
a7c43d4ddfe9e2c0cd4e727bdbf4ee176c0614cfbf2e10a004111c29dce83d98642ac7be826eaf6758156c4f63fe9b5cd86d0fab393325e0b52ff1a29cdddb3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
42cd8c94075c1b82331c1779629cd6c1

SHA1
1bf2067d888d8c138e6d8589ca7c0db6fc50857a

SHA256
909bfa972a52af3bf87f179260775e8cce8777bf0f083b2dc6807e0b0bfe309f

SHA512
eec59e60c15e8275e463bdfa60ed469173786f9eb092fe94fc07d423fd899b7b3ef0d51bf6aa358dedf0de36fd170ec5ff2d0c9bee3f2ef4cd4cef27e32b373c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
35c2d917612411f9330ffb10adde3516

SHA1
989e4b26c25c373eb51d87b4ed6cb18c52ab6898

SHA256
0bcc9e556c400951e185d134e32a16384c38adeacb5b195cfcdeceba50e03b12

SHA512
0bbe5ca56f51868cae0c004a1c0ed4fa710c16f65dbb685340ef953bfa2cb5b5f27ba23544fea1251883c2874414cbc5cb1dfce8ba321e3c34afb65da005af55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
cc661e15ed62eef5e87fc518c811b002

SHA1
cc7e1f2e5f5a5da3e868d48ef6ec6c219bda6db0

SHA256
f8de06ec15b1c067394d7613d81c947d835ee1044bd721a4bda4487d5132d898

SHA512
dd153d003dee29ec31026344c2e189fdaefddeb4fd7d6987353376bff3c6b436617b3152871c086e5e9881ad4c89dba5170b0a64a832d72d080c43d1bf5a654e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
6f8003f023b840bc5afe8d9f67774aba

SHA1
0967989bcd06d9309dfe2afe2d19189f87436de6

SHA256
090493a992fd9d42f1b4d78395a1d2bb99c75def50e975ac448a6e788699f6b6

SHA512
332a6af930296e76141b7fd2f20900232eba5c37a1def91dc8675fbb5efd62212b1dcdfb0097d509fb5eaca25ed09d97105c5fdc1f90cc9146af4e3013ca13c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
a0fd6c9088f99eba21d0cdab6024b56d

SHA1
49e4d2a0944f9c02d1ae36c0467778980b5474be

SHA256
129f681d2403d2a382ffab6bd11ab8a64dc45da41b8be9ec3754445bc8a9dacc

SHA512
6ed35e855239b6f73eb7599c20ebdc66a9773282890da8d49aa02aa3c37bed19b9de26b4c53f5feb19b342bb7f80012034e23508b1064f13db4e2afd8dbbdee3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
d5d98be5068ef7ee5c929c5158b0cef9

SHA1
412614045026f620c53e36d3a31544b132c44558

SHA256
5c920d66552446a7dbd98141b4680eb509f36aede95e4d3b45f169e5078838e9

SHA512
0cccdf85a3824ab6f863cdd827d8b2e737897c28f9e2f1529726b7c9dc32a2c18ae7ed34a5458380fe5d8394d0ff6049003715c7f2a2a48e5ac2632cdce0abca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
67531bcecae7cd984b28c141bf4f3ff2

SHA1
400cd3d3ffd2306a50ff91a052085e7c6807657d

SHA256
a956455a6e4d07302a87946c349ba2cc10728875013208713dfc5f55c4f00d5f

SHA512
78e4a70b6fc2487e1bffbcc5101a6ade04625b056beaf9c2c2290d2c89948fc0b4a0b472409d70d6bb2f4cf0880472314e49da55661875c64801c60d15accc0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
92a518d3dc63c4cf23d998171df7202a

SHA1
e89ba38075a2e2a45d6fcce4f98d3ce6936ec1d4

SHA256
e14b20adb4a006b8a855843ab2d614c4aa68b2479a57906fc92a7563caa119c8

SHA512
6253cbbc345b93c03bf4c454f1c123df29bf5efc4fc03be34d9a01b7c05f2d1622dd60008636a36452e0c3ea4c5584df8dd73276fd039fa74526381f9be09d2d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e482f6722f14f61c65545d2490383bfc

SHA1
f404f993ec7dc39da572798f0efaf6e901ac598f

SHA256
0301eb226495afa8f93c19478eec7961e8f1eb1880cf494489244a2308093c2d

SHA512
0f4717380c0c697e3b880284b41b3cac0c6822af2875d2c5f671900ca8d5c2a5bdb0e0fd2e00bfe3527b373c71a2bcb32c9d489b6024addd149fae14b50a3fdc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
746ddb7cdc1c8b5bed56b53ff1ae58d2

SHA1
73c59e38f0f6644ec5dfc0ef89a96a449bf664c0

SHA256
debe205eda607369f963c2bf8f60ba74638d0fa5ed80a28468dc4608b2398e2c

SHA512
7d33153fedca8a3445a1be30ad1128635977c73e5fb51e47a99b8666aea40993df63cb9ef68f83c9ad52b5f0cc73976de00065b5a93b531343d7061ac8c9572b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a0b1894c7f07f77bd265df2d0950b97d

SHA1
cba8e8b876b6caa42fcb4fbd12a075b5799bead6

SHA256
fd01c320ea376ae2d868171784c74f7f340c541ab7a9f4b72d4d7a9e0a1a8bcc

SHA512
2ff564048aec9a2a1fbcdb5b71c3a144c4fda64eee1bb06889f3c7b4b8db38137e418efe5f521ddd00eb91377b60f274997924875a5d11a38dd050de30c7f120

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ef62673d57a8354f1a5b6164afa125c8

SHA1
d5c5f8620a29534a3261f4e586e937ca31a4d8f7

SHA256
617620bcdcb69eb2a1c2eb00f62e5bf4a405761eb011e8d5341673af0711445c

SHA512
f3157a2e0782150c27bfc68e0f64c2d9499a5d4e8e0d3575acfe51fb936f81e2cded46b84da49981ebc1f6f2a81f89f67e6320edd390a8e73f7b719a7c15f9b4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
f33fce0bcd817616171337451c9cccf0

SHA1
dcba08d6c819751dbf8e2f7193afe64733263853

SHA256
67a6049d12b7ab3d23c2c5480f6357cb420a6e0165011cb4f1446667d4d9bf29

SHA512
6f27b30e4a38fd635a2b2224dd479d61cbf34e7c60a1fe28e60aeb9cf51df4a57799cb059e18e2f1147f4c56897ce6f30bcdbcb508ecba41aa3afb8b5850a44c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1d29d3994ccae1e8e58970ffc2a91881

SHA1
8c19e36c660a1af82cc216b10fa16dc5f3144c3e

SHA256
9ad78d28b061a67f3d0dfdc3b064aa19fa2ca98cf7a206fa16911caaa0a47ffa

SHA512
bc0c0f022f42e224db4cc6eeae19d436633c96f318c29f0ad503ddf4f4d9714bf21b88b2ff95d7572076af344b3ed8d4c977af8875fdf3e46204ea9c8cca666b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
17a8bf161f776fbd81db5831d8a2b70d

SHA1
a2fd4a766436bee5ab6e2cd9a449d04f813a37ef

SHA256
0302ca7e5cb21a520cf4ad5e9d277ec091329c186b3fb931a4a186a49af46fdb

SHA512
5a78bc221242060b95dc4ba60de3bd31e926a56cc758d60bdd7877e1397f4e63ea7d8520dad9ac398d54175f0445ba6af9d3d07a89472879172aa8c5663bfdb1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
905109212b9d5280e988d1a9191bef20

SHA1
f5aabda1bb2ec68bf76718d7edc3eeaf12b738e1

SHA256
c0067c7325be2f4348dee11df6bdec7de68a2303ec9272c590a3b88bfdce7ccc

SHA512
4abff06c9b6a8298974e4a24df09a2d09a311da723e520aa1f7e7efa48dc5094280fe90d7748f0c3a7c499921d17c837af250613189f4d5411d7b0e143ad60f8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
2500d5f7e83738243b0f1c71f5803346

SHA1
0f8d0d83a54fa392265d32f070bf7aec45f1d529

SHA256
a191eb7e6eb051cc07b8cc4277805c2387a1661947bdd955fdedd31fcaf8478c

SHA512
766356ae80bd86a8535b9bb8560197c0bc5f14b0da0f67ab2dba6c3c86e4de45ef8cc0fda49445c3b01b656385ce772e6609b474213dac665ff6f992ee4f6113

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
40474dfe76aa8298899cdeaa7ca35002

SHA1
8c4ba544922bf57d9793e5d06c1e30f3d390a252

SHA256
4be8861fd249171201a0b81b4740a79c50cafa8c1d0aa1b6cc66111a15b8e5c6

SHA512
9bcb259e2e63bc1c1188cd53ff4a944ae86f058f4769251d3479240963fe45627c7d077dc0b67af0488dfde91544976672173d7c57920e58e3f2da8c8211452a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7ac034ad7d063083ef926a94f9dc901e

SHA1
b9ef5094ff6987196062775db23421f5e4492941

SHA256
4bb71613656dc1f61438425c5537dc95b15d049150e74a43f4069abd82afb647

SHA512
fae163a14f0321e90d75688d2e5cc9a6cef02a257cd5e2352616cdd6af7f4063d5259706597885542b4671bcae7e66a72fcb19f232085ffbe922bf86c2e723c6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0df0080184ca702b260f2b3758e795e2

SHA1
43bd6f7201b4509661a06be934c5462d68868218

SHA256
3bd063f280e3b8c32170f75f645ec51186ab1c9c33e5356659254d44b552440d

SHA512
1bc2ea97cbb0349dc5e397aa05b58f7222a0c263871cf0e1a88c37fdb7e0e2f91513e2a17ea37309a0041663afb4716b681df1e5a9b4ddac24be7eedeb8d9501

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
40c9d23ac1e25ea59d954a3ad5685ae8

SHA1
fcdd7162b9b7f7be3df703b495593e30f006bbcf

SHA256
add440e995908808522df400adc94b73197ffcd58a0698f05a77de94ce37d114

SHA512
0a0318a0a53ac8242c28bc307aafb4d0665cb1ce2131e828f8d245479beb75b43ba38546e3c2d305ea382a602252670abc7b1e48b51b65b0cfcf3960dcabf7c2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ad8da19d2b333124fc8b13abca7c194a

SHA1
bcdec0ba27384af60e77822edf7e1bf3a6d0686c

SHA256
124ac1a122373365e433ef0b7adfa0326c5a1e4fcd5276fe41c88ff4f35d3462

SHA512
8ac754fb51d91871e334d8c607d9b5fc7103c4a48e2c2590e55862df4331ddc2254f38b203c1723d9a667e02c14d7d2296ad034d19fc7187dfb885b98ca9975b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e64871b8f0ae1a4864ec9bfe0e9a13d0

SHA1
f72b669a08982511cf91bb1438c694f59c3ad172

SHA256
ba8974db12a77b09b404a3498ab8df78f5be61eec24b5e2e41224a8ec46b550d

SHA512
bd28a779ccc01ab0e440ba2244baefdd64eeffc6a6ad9d95a3dd23a619a623e5a51aa24e85a94cfac2145ede852568f6e60f39ffa36141b29aef256c1167a2a2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
0954d17d37e007c69b74ef20df0f6434

SHA1
5c055a5afb2da81b3abd688a40a72fff021e99ab

SHA256
c1e6d38c3a9198621ea219b2ee3c4b8df5d1cc2893039946c44d721c1a9443a8

SHA512
71cc9bbf300a77ddc1afd1bd4387b50fb18eb42965ea2e561cb96d0f995892f9ba2e62afa0d798440cad57d23571adf5a5c9adf7c4a053ac9c0510698807d9dd

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
45633bde8c66ca64b6f909c517cbafc6

SHA1
e07c3f2d81fc1a5b00ee92dddc2a0870132c8d3f

SHA256
04aa30150baaa82a0caeeacbbad3dc96d1ff6f26b15cc0550dd07c3bce32a27b

SHA512
4d18185cb05aa294de16a5e52eb771c7713207184a4c4522e68d9a6b88cd10fa9d1b46dd26553dcb609aa91a3683b406769f2341f601fc8450d9d1d9431a138e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
54914bce0dc67b5e06273be2b49b136a

SHA1
15aa6d893e2e1b488f6f90046b4ff5aa6c97bd67

SHA256
a4e58b45221aaf6c682f987c1ff69d2c4d7eed001f38e7629f81be40f2ac4b9c

SHA512
4f9b8fb812896a121727a0e93bd589f532260c02d75b75487fa97fdcdc71ad1d12615ace05e73e04d2137c19fb223967de169eb737ff0460969d389b6647abc4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
f3d67f119059142c45c36218d833b743

SHA1
ca64b3b7a41bfbb053aa4ffa4253afbe3b56daf8

SHA256
40503bba094bdab9ecd88928fa3b5b28e4367ec2b79083f1bc2fae76589b600c

SHA512
127b8f40e861e8e56e98494643f4a6bb3880dc3c4443a924a388f758bcea8b1319aa53610823321d3df5be1417192290bebf7a8934d6caffe67d3b346654fda2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a006a85de6b086ae6eacb473f7ff755d

SHA1
ce4888157ce84024f60cef34918484b630c57450

SHA256
594571bfe792249eb6361aceca6e25ffe7a9c6647c0e51a0553a5ca5f6233644

SHA512
e580e9b5d19643f2de3c5aa9013d51465769a8024a9ea74fa51e72b4defe775aaf9780c0330a9003122434ff6ddf8cf359488500a91bca582c3c54c1eb623e15

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a2c92587747f3cdb81a53f8c0ab69e4b

SHA1
af89ed90e58236c82acb6b0e59eebdecf9d5975d

SHA256
18c7ad53fcfca57ae942ce2d91ad0cb2661aa285e51a633e10d777c7ade5017e

SHA512
9641226e558475771ef881a80d09b961c0f2dc6eb931fe9bb3dc81746fc20e527f4b241145e12973a4ac27621ab5ed47a6864af7dcc3babcfe53cd978acc78b7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
bf1953b5ab0145c620ff16529793cda0

SHA1
b0177e0f100c4c9d66ef3635a995cdadf520834a

SHA256
dfd2f134106b925cfcc8c611db50c6d092e64dea4b04efe9c8ae7ab6a43945fd

SHA512
622207ade651940f01902226beababfadb4c22e5ed4c864a2777b8ea5e965689d9a3d4073255a7e98767632a6ba342dd2bb9d935d131493ecee0f022e47071f1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
0f42453187c2cb4298090ff4255c34e3

SHA1
fff1fa4e997cc35922998d4cca75356f227f5a98

SHA256
6bae611eb48fbd0ef1e453b4b611a1df1a8ab4b0089e9fd66d0449e7bd90d749

SHA512
28f68c1a2eab6fdd1b0b48d07d46c77cac353eb354fd558c0a42f4dc7fe002b2a4141aa12966e4e7476869f0b4b47e809811cbbdc11d3ef562a05c757129d0a3

Download Submit
memory/212-54-0x0000000001830000-0x0000000001890000-memory.dmp

Filesize
384KB

Download
memory/212-65-0x0000000001830000-0x0000000001890000-memory.dmp

Filesize
384KB

Download
memory/212-61-0x0000000001830000-0x0000000001890000-memory.dmp

Filesize
384KB

Download
memory/212-62-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/212-67-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1132-482-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1132-147-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1136-0-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/1136-8-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/1136-1-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/1136-96-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/1360-30-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1360-129-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1360-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1360-36-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1456-429-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1456-144-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1604-154-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1604-484-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1732-169-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1732-490-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1796-486-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1796-161-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2156-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2156-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2156-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2156-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2972-87-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2972-93-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2972-97-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3388-358-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3388-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3500-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3500-153-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3500-76-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3500-82-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3772-119-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3772-293-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3976-165-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3976-489-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3988-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3988-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4004-117-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4004-164-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4004-410-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4016-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4016-483-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4328-99-0x00000000008C0000-0x0000000000927000-memory.dmp

Filesize
412KB

Download
memory/4328-106-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4328-160-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4328-104-0x00000000008C0000-0x0000000000927000-memory.dmp

Filesize
412KB

Download
memory/4556-110-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4556-13-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4864-69-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4864-149-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4880-157-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4880-485-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4956-112-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5020-111-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/5020-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5020-25-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/5020-22-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download