risepro | 80412098f395d5d768285c3c533719dd1aa718979b54981b1a9c6c248fb42b5e

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
Size

4.3MB
MD5

eae69c6bb38ebbea9b5340b3dd92541c
SHA1

de67f519de2d54b48652552ab53c64077952f133
SHA256

80412098f395d5d768285c3c533719dd1aa718979b54981b1a9c6c248fb42b5e
SHA512

e4765d0ada9101ed5e866a628acced1b9cbcb7d811443c75a4a58d16813f6ea1eadaa0a24e7e7c4471ac10034e90659776078f4d563416e9347375561a146be9
SSDEEP

49152:naRGf+GDHxuS1vKjxa1CPsFRuk3wwlgZKUxT2WHHF6c9OtutTttHXVquqB:naAXHxuS1SjE17FRflgDx2WlXi

Score

10^/10

risepro discovery spyware stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Executes dropped EXE 22 IoCs

pid	Process
4572	alg.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2160	fxssvc.exe
4552	elevation_service.exe
1248	elevation_service.exe
748	maintenanceservice.exe
2900	msdtc.exe
2652	OSE.EXE
1640	PerceptionSimulationService.exe
2220	perfhost.exe
1568	locator.exe
3916	SensorDataService.exe
4296	snmptrap.exe
676	spectrum.exe
2492	ssh-agent.exe
2160	TieringEngineService.exe
2440	AgentService.exe
4964	vds.exe
2424	vssvc.exe
2728	wbengine.exe
3580	WmiApSrv.exe
3592	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6184e19fb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fbc199b3dc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d8ceb9b3dc2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e363a99d3dc2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9efb29d3dc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ead2e09f3dc2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bf7ba9c3dc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd50969d3dc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006de0239d3dc2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
Token: SeAuditPrivilege	2160	fxssvc.exe
Token: SeRestorePrivilege	2160	TieringEngineService.exe
Token: SeManageVolumePrivilege	2160	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2440	AgentService.exe
Token: SeBackupPrivilege	2424	vssvc.exe
Token: SeRestorePrivilege	2424	vssvc.exe
Token: SeAuditPrivilege	2424	vssvc.exe
Token: SeBackupPrivilege	2728	wbengine.exe
Token: SeRestorePrivilege	2728	wbengine.exe
Token: SeSecurityPrivilege	2728	wbengine.exe
Token: 33	3592	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3592	SearchIndexer.exe
Token: SeDebugPrivilege	648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
Token: SeDebugPrivilege	648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
Token: SeDebugPrivilege	648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
Token: SeDebugPrivilege	648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
Token: SeDebugPrivilege	648	2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
Token: SeDebugPrivilege	4572	alg.exe
Token: SeDebugPrivilege	4572	alg.exe
Token: SeDebugPrivilege	4572	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 2872	3592	SearchIndexer.exe	116
PID 3592 wrote to memory of 2872	3592	SearchIndexer.exe	116
PID 3592 wrote to memory of 4216	3592	SearchIndexer.exe	117
PID 3592 wrote to memory of 4216	3592	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-19_eae69c6bb38ebbea9b5340b3dd92541c_magniber_revil.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3232

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1248

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:748

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2900

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3916

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4296

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:676

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3852

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2872
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:5920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
8bce8378785a9a2e6a7852433a42df27

SHA1
c228ec2d66c8dee51e7e527c5b95efb17a677d1a

SHA256
5a337b60f1245be15d148c7ce4ceb78666e8f06df1f8263c1fa41d21943f1aeb

SHA512
890f79e64d3f57d2b6c3f6f4e68a596eb8e22d5751cfccad9ce7d4f98ffcb15859a861886e19d27eb7fa8b7a0bea77cf5a0d9b9574277039a7712e3afb80d5ad

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
54eca42357fde7d1bcd0d16a3becbb41

SHA1
92f614ba67d753d8264e731ab8852373e3c1cced

SHA256
82c5e751df8281e1243a28cabacd94aec74757a8b996f6933687d444a3cbefca

SHA512
3a056ec56d6c02b5b55f7e2073345fe99fd770331d014d6f7c6607983431381921ba4ddb6261266868a195658904d0cb1fead6e67fddd4df7cd0b391bc9650f5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
e14a791cae2c9157fd9deca370512698

SHA1
5be11d8ffb3f5110985239d53e88c0eb81c78a6b

SHA256
dd3c27612af40ac61b9045eec0208bbe52a01ad05ed85bf72832784fa342e73b

SHA512
c599257fa519c530e51f4687e99eeb741f8653123e467deb555245bcec612cf6f881b4f694719629da203576710d3e476dd582322653c75e3ce37cbae4b47cf5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
829d8c27834236db08570978d1e0eacf

SHA1
d8cde5b48224c57581a16353ca5a2113456531c2

SHA256
9a2b7dc6aae1223649d2f3c7ef710debdab2e9105db3ecfeee8344e232a7f977

SHA512
51f1d0c1d9d7c2302c59b3b18b8ae2851ad747a53c3c94104d73b5d674e55d44d69eb26179ca8814914bf53a16bdc574aef41d4344e65b22de53fb6504c25dae

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a8b3797b5be18fa94850ca5e4df4126e

SHA1
a0cd29bee6ba51ab4144e939473c3ba0e8ac509a

SHA256
511545e77b5d4c5ce739f78608d6776e439a2822fcf3feb3c8b0cb6cc5a02320

SHA512
a9fea74c760fc8a103a8067d32c238783612c6e10e65b8c30d6d13c3bcb369238260faa81827506e1a4c2c0f98a5e73e2bc890d8aa98c361c3a4cfe6b225eb94

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
bf6f8d9ce1f78621e1ce71072f7aca63

SHA1
e762d36d3dbf0c9d11f18ee9b14333dec10ee1e0

SHA256
14d3498a82f7d97a242d3a0e0fed5a636f2118aa068ed8bd49cf32307b7d47df

SHA512
93122283e561935654a40f76b9696c25cf03ae5c05904f163be9424b895f567472d40b9744e7eef51a5be51f5d8dc1f62d4e53a3fa1aba09bf201fde74426a17

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
3b50808bfdd35bf774339775387ed6bb

SHA1
c7bcd76e2d567b1fb4d1c2fc940af289ebec4e87

SHA256
5e1e172b53a56294bb7ed039f3f924fb624f1e694061263724a335feb4ad5177

SHA512
ce356e80e68471b451df9c5b6f876fec9c3f08767700b8f19ed7554ce5b970a3498294f0c49db4f9082ca7be8495666ca86a9782ee94901ea259f3f5d70c6e2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fbb18265b5dbeda339df69562a237256

SHA1
cdf34a7475cefb4ebf6a1ee0c38936c0f1634a51

SHA256
d0e59c2205c0c085419dddb9d18af29002de005a4e5ee1bc49b362fe98f0f362

SHA512
8380d376b14a487a1ead6a6de46fa63dd71186751e4e5c3080ca9bf45d24967687b3b5d7cc84fba41c4f0fe9e4464513c15df895f661f4a6721ffd35281defd3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
ef058db4aaac05d4956c1fc05e4c692b

SHA1
a73e543a8646af9d1ef7cc9f1655b7b75359def1

SHA256
1b7a422498edba67050d4ee27342f8d96d19dae8f3b8baec17e7326c3e184b08

SHA512
e35daceaffaff20bc79c9a85e33d4b80aea49b1fcf61d5706ecf8b68cdded3cc76df03127af6aafbf74bcf0d3c9c962883c3631cf578b76c2b38e4f4237c6ef1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c03f2cf6cfb43a50ae575d4322a7f715

SHA1
0010570a3ebaa0c636337d2df267e46f5d23312f

SHA256
74b316aebe03899325590605d06c7e0110f109e1814fa32dd6c77a3671e44c36

SHA512
34d92270ba95c372b1a8358994e985cd84248446893c2946324f7f18000916cf17a7a512b9e3a429057dbda2825ac29d38695f6813c7fce5f7c9de1132818b02

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8991885eda6d63404a6d15f255621b7c

SHA1
0ff8e70946966b04cdc3f27db83ae184e25dc0ae

SHA256
166a7c8658f427d7cda75dcf31ce1b843fef59b0daad09e1d517b028158456c3

SHA512
88ba64a1f4cfe711329aa7bf98aa1d47f2bfc74ec1dbc92812e0c28b2ccf03e5b55af0aa4dfd71615219ef1e7cc975415932693d59809ed617342f15fbc35c7e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9486c78202b2d93efb7212971c4fa8f5

SHA1
9e2d9c21244c0d41e6ca1a838ae7e3678a0789f2

SHA256
0fed4e9d460848d5d6ced55db9693354610595b5ee2081f6407e749370a4a8b3

SHA512
91ed69d7a3f15e097f414842507bc504e6b7e0387520a2fff7fc3c922ed76992ad69eaa1433d7dca7df00fd2af6c46cffe11e6018ee60e48139dfe2a19e85bcb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
2a2b3b672592c10cdae1b5cad4515716

SHA1
00c6f6970cecf0d47452eb2fe99eea956254d6e8

SHA256
2fa13b5f172cc369b4c4ea99179c8d896e424cf742bd69cc0f1f5b7455bfa51a

SHA512
90931f95876392b878cf4454351585db73ea23011f4e0c047841118bf501e2a2f21dccef7d095d916b3228c750b8d7a83ee2775b9697ce986db060021ee6b68d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
2028b239c367dd7445b7be318c4f7120

SHA1
813a7af297e5b5cf5919f5914293c53b09245e11

SHA256
1c65e3579ae20cbbe46bde75309755d00e7493f78ed73990498370ba73cb542f

SHA512
435f96a50f38b55e3cb74524e22cb1f37a48ac8f7f14a001fc0c4e5c272091b12db16c0aa00bffb58467912331cdc9b5c87f4f32ad14175b6a3848298d6239cc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
8f97466a3ebfa7f9c4e295f75243a08d

SHA1
bf61f1d620de90ed7db7934fc8013993ca43db9e

SHA256
14b46f2164b8f77b160666b1fc607c40ab597d432ec1cba375f2387d51eb2cac

SHA512
cd284149cc0fd53358b127d5ef433877f4aaed5422dde0af3efbb589205e3042434aa3ee142cbabe57f2c3c4776b43da2fdea08931a597a45d0f17ce22c639fe

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
f0968cd73005e2dad0ce317259f3a6ce

SHA1
78ab0d9921bbc682b7b009d94ca1ba41a53b9559

SHA256
5ae06d975115093390c306ac5f9eacaba65b03028e093edcb57c4d40fd47b190

SHA512
bf8b9cf0d880ac80f8d1a16ddb709d118064a1c66a5e6d9ccefa9fa9b3b117e11fcb339b40b905ca74593a54c965a333bde0074337be551fac491d310a6a60b9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
a91689e868111394f25cc998b1612b10

SHA1
e0a531523311a12273f7b6494dcd1ed8757c8e4c

SHA256
f0aeb04b7d40f3787048005b4afb7bc7cb2a75c6da579fc7f1ed2d58ace1b391

SHA512
8925885b434b5285c237e9736f0fee83fd9efd7b1cc283d8666a43c1d79da995d7dc69bddb34b116b05122721a224c7b81be7c0300686ec0415e82a577a43502

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a3465293895d12cc0d1b17f42c02abf4

SHA1
48def54cc7628cac3cc4dae79c95cb0211db3542

SHA256
65cd2d50587dab5ac3159663845df4fc769d995ece49882b598097d973bc0a96

SHA512
2d0d05e602088d50f956648c3f7c5ff857137a981ee772190d849f6fcc9f5563a3a17c9e68e5675433abf87f95013bf31368cbf8d066de0aee6c04a956f17631

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
3e7d64ef5c4102c62ac037cbb8c1808b

SHA1
25ecc5dd182088aa07a143582da101e6656a6341

SHA256
4978e42ad5a623b22f6906f2bc5ae7867445ddf63d9d9f89b6d08c5b3353bcce

SHA512
289b9784d5a2fb2b00bd624fb59a19740309d73e7e3ba68cd98c00be5896bd8f4210cbd7d98db6418db82fb431ae7332bcbd62433624b1e5f42aa2b91c28d8a6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
21f681185ee58251b71e019d78f84491

SHA1
607696676b27d5bd946a05e03c72c8f7257d5092

SHA256
58d17061dd6ef11d94a20d22687f9d27dc5c853b04898135de7fb14bbbac7d87

SHA512
ef7615bcb9a7b14c3ee93e4183a51ed1f1b9984417a3d5140b20c47abde5f78d7846c8aaf2e8c28000e1706ff4309614872e2ed3ba5dedb708a7027534ba60af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
56780368e107001074a09ea969650ccf

SHA1
e87d966912def7db2dc45cb07d75307aba3f5994

SHA256
e3a89da85e166f9c58cf9187524aee2cc4418c82355afc73aaf1fc8cd0949e1a

SHA512
6e7546ff5b99cf493dae2a112ffb88a6cee08774f89bf7ab9534931f59ad84ae8de119cb0dbcb0b123db11e046d3d78b65f4080647c96b6f9434f1d0ad477a2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
ba06dd39c20c735ddaa68ee641952c8e

SHA1
9f5fd48e90f887d384af84898ca4df299a0fa30a

SHA256
fee1dd869e295e99157a55b606f925e309c1f3302f111cee6c0c13c9a52d03ba

SHA512
65a5d69161446ef5a895338618505e9131440c53119244428ef00b73aeebbcbbb82e2b2e63490284127cfad519c53655527fa719bc8cb0bd2a6be5e07a4833dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
903e4304361d90e0eff15717736288f4

SHA1
b599b795b617e7d79a106cbfc8a310a8f150b215

SHA256
e9b8aaa6cbbc34252151b67022af12cef85040df08f827ef2e518b3fd59faf87

SHA512
09244dd402c0b71604fdc91c7fc0dbc3ac557ffc17a9dcb4873e0b508f2d5d99fe3d897b92cdc766a0560931fc65b9eff0311d914cf6f6ceebfe22829b7f96dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
16c015902bba53f91b04f1374d7912f9

SHA1
23d486d32286fed0e45e67e53f4c4ccb198b0445

SHA256
9e2409ac176c67f6438f42203a4cb00328dbb6c592ea9d0f25c8d750c1778c40

SHA512
90c4556acaaf70e5c89f88ce820abd812681e3bf48b7ebaa9e0a9da9a7c46c4c8eae2763f686aa3b00d1857e9b266f8dadc566a591ec814c3a104e52f8378e6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
b3170334fa2656854d34fe05caea9f01

SHA1
cd3f79a82e949a389cc60b1c4146246be1b99d37

SHA256
52b2306af715205c6b3489c316a5606e1e1706ab086b8d835ac0c6ce43367639

SHA512
98affb98fe13e024166f760e87b56d82ec45ef56c6095108e603ec7accd8024bd2c717d8630ef17d133e8944478c2e366a5d9ffef87ce00440603f8732e62a3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
5455d5af9ce0ec58aef9816d989a5c8c

SHA1
f056fa3472a0d46480d4441cb7f58b1dce8b3d0c

SHA256
bb416f91c0c76c0be0809fd70d120b35533d6dcb601ea904468cbfaa2a6ac036

SHA512
45e4a8faa51ba6181bc32773d6aab6f69b78b25af0bac25c6a7fd387dbb127e33970ed4bcf6ab44514e063e985683f35c4a0bca93bc74345d2a9b22a4481cbd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
30cfc0eb2956bd71d98117afb695f035

SHA1
a2dd3d3d2a946fae67ac1eb5862b1a27251ba24b

SHA256
f04583db06296f3da253c64f48941667fc69611e5558c92f512da8c032268c20

SHA512
0e787ddc25451629069d0b3fa1b9872bf3c8d7e0c8cf6822f372f8c3f628e8c2449ddc6ed1ea0eb248555e0d0d61d27e63f1a049a47c084e9872d79d8616239c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
7ccf6be2b4dc68f7408b372fea373ba6

SHA1
52914d903e1fccdde88f49cdada15e8b5c0c5e1f

SHA256
c6817b418f3603832d8b18abff40a493f3d5a252fb3cdd99e1525dc6c6fac7e6

SHA512
65a60b532191455cdfb979a69062a13a2a378d38cb8cbac36d891b0822b129ac07c4d1f2844f31c514fd3479a2f41966a2397319b7e9c663dce5f1fdff4ef2f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
ba9c6a75d6de2be8298200755dbf11f2

SHA1
c5adaa82e3b5918c9eee5bfdc2c65ec94fd03e58

SHA256
71d5d93eef557c988e5c9f2019b2f862c55ab977a7674ef5b6e981a5a0857aff

SHA512
aa76213b925e3547e7bd7c738c0674aa76c18869f326debe928af4c7627093073f4ff52baa571c96651e43299cb383130102a3190c4fed04c4d1394d4e7ebaca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
a06cb122555674c14e17e4ce6aab8b2f

SHA1
380f70197739fe8885adc248f279bf6526023222

SHA256
3ce959314d54b0eec330337894167b4f3437c153821b0cefc20c8aaacbeb3dc2

SHA512
1c2ae1beedc6a5a58c196333f4f45b7d70e425d256fc9c7b32175d044bc159a7b8a9b01c334a913b10de1498ace5a6389f3831f5619e233262e87492ed0c2622

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
57c64d8b343e87828262d26e7e59cfec

SHA1
4d49b8bc9b25d09ff4b134b3ad5672196f9f71ef

SHA256
4cf82dccdbc83ea629fa96ddfe8f08ae2c698a4dcec06b7631d47d858da4de76

SHA512
bf211547ca67c3176761899ebe75105d68fc342a83b8f9a635a0a4de69c66da268c96029de26c15808afb26717901536925c911f23fb02f895e0c5bde0c17843

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
d29c88e0b2462a578d7f62d2da3fd99a

SHA1
17dfa90101e241803904539ea386ea6c89afac06

SHA256
e64f68a8e089bc8b5e1b5bba67578b2835ca11a31332080ffd1b38624417d26c

SHA512
dcfe04ca0e2f86b502f5596a7fbe228b15de13395928e3fbdfd4559cd3aa9870c846a6356fc4fe88187b63b2bae8844df1683a3512db8c9a8e0957fc9cfada83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
6c56bdaa403c58206cc0c5b36c4b8ad7

SHA1
d63674bc463d598dcdd03f7c84a998d4233a4b29

SHA256
020b396f5b41ea75067b24b3eaaacbe8bb80e768052c6cfbcf0d6e61284bf3ce

SHA512
4419a5746b9cbf5cd1a97d8a5d066e5ff900f57513b7d998cacbf69d9b22c8649cce4574d0da0fb0b6ee00897cd57317c34a684dfb37511ae3bc8997641d626b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
ae5bdd33f5115821180e6b4ff2cffc68

SHA1
8828559cc2dbc867c9371dde11f2bc5e0596ea12

SHA256
51be8ab01c9e7a97375ee4b99fea3e74dc1535cac5513325d3ed4bdf3e1332be

SHA512
bb55ddcfe81d334f6ce204d419423120c12e770c5524d9608c40a8fa21d7ce1f258b24c3166a722a280fece30f1e441fc4fd8b8642e34ced5b3a6f5f86d22ddc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
eb2f971c77d2b329d611379b7294deb1

SHA1
ed36154962e26295274200813a7719f46796f410

SHA256
85b0144e731ebe3a0244d95a175c7a1ab32314ed86a4ea5fe5218f3a6d4fc4a0

SHA512
4baa1ee477b8078662347aafcaf1f1aa43c579bb9a21dfc95aa74262fe870118a02c87e30b365dd3fe114b26a64b092f6468ab24f216e5b81787dd76bd23ee80

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9f2b6860314f9b109e5812ecdfffd33f

SHA1
cbba03f9b5cfc2b9b862a54be2be697cc9a53614

SHA256
01a99f0d2fde693f78eb20f87b398790e15e03f38cc429eb463e6c29ddeac2fc

SHA512
269b4166b81fd7ee1ee216c8fb6c0ecb7040caf83527d6e74e0ec11d2b7499452e1f104e27da0bf05cd259dd6d75ca04dcbf827d88ca909d1c467768c6a008bb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
7abaa1b3822738681397859df93ea5e2

SHA1
148e6baa1679cbd373e722e8c37c359a662528a8

SHA256
06c0fa8124b214d88d9f8bad3a9207330c993cfa34dd1b5aacea12bb875be4ca

SHA512
5df5f5d9e2114cafa5afc213282ca4fe00c9214debeadaaf38799ba33a96960b6e843b21b2fae011b90b4afa9b9e635a3894b9558411a90716877d50c3b0ee70

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
bcbfdecb37f567895fa4c368128e7640

SHA1
83ecc8349f511af995c8c7c1d013954901ca8d13

SHA256
db92026c320cf8f5f14958b3202d3558565896a69ff6409635eca340a3360cd4

SHA512
5ec59aaaf7570dba7b1360467d65c09f96b1c50f423c3d592f64e4846896f6d022ccb30cc312bfaee59f9616e7eaf4b591d9f561f9bf94918bef1b07c314a241

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8e5dffa63fcea82699507df4632849ec

SHA1
e3fc016aefe24c61ddb1b04476c0c7b4191d7fce

SHA256
f153671bb02082fa7d1009711aacddbe387911d73f30546ad2e54d2a729c0dab

SHA512
8252f48c5f5d73e7fffab7acdf5f98d30e429dd2fe0f2314deb3e83d0454e5fb1c57840fcedfb67d378ec15e9cab1f41e006d08baef0cabefe38724fbb30aecb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
53ec8c5233d1c4a37c77ab216256049f

SHA1
eb7a8b552594341fc0db9ac4156ea8730c16ae60

SHA256
eca79e5a94c57deaad2af67ca4bb7b2e6b0d7b5a9abb9ea33c7d0d1f1bdb987f

SHA512
0b89df56c67b4dcc3537555fd3a7da44c2fedc7baaa40246fbd8597b1059d5c52d3c8edf8c0e13a4905fd0a30dd848c87dccb838ee5a8fea7ceb8db48db3f6f3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
52e823424ac6985a8775265414cd8ac6

SHA1
205a9bce60c4cbe722690f4426360fb9fe92682e

SHA256
32f1d51dd7d42a64213d3b2ec0576cef4dae5f7724f4e73b03b20799df9659fb

SHA512
9bf314ec472caffda8a696536a3ea8dc980e3127ee12f91ff58b465e40f4e921ba0b05c75d3dd9b6cff0b690060acedead7cb61fb6dbf0467e93d2e6538c6ac2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
eb488172f7edcef620fa888354ed136d

SHA1
978c479d5f855428a9892bdd2915819efd4e93c2

SHA256
c5459e63d5fc0f28cb34ea63b734741f227b5e857c0f0b57e1b64d1b8f833fd5

SHA512
c2f8ed078326774cf08072a2d841bde941079eaf78ca7f344d8807bcfb826ffdb5dafda8bf36e196c1eb55354dd0630dc846997ff4ac4c9994aecad66ae2ca70

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
c2cfada75d89939566f032c4c287eeae

SHA1
c4612317033c0a86a4812e46d8f6312b972ac82d

SHA256
27146747b4bf693270817a4ee81b28a11e05d818f443b08be1325ccba79df222

SHA512
f37285cdcf7d12b1cadba6838a51ca9993b47eb2cc3c39207166b1b3bc437e7e25d1cf359bd7e911c5c5c07f17e8c987b1a6ee88e56d07b05b30c485046015ee

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
6e83283a1683477cef10b37904a6884d

SHA1
77ca735ad5257273c5f9c43805c3c64b10c9f747

SHA256
d2c409664f422218fe4c340d6a6254e37cf68eaef5fce3117e4d918e29310540

SHA512
14c39de983fc331130840ec111f43192252658c1a0f31290fc44322e6ac215b6f71e92de25392abce6e9041c8e73b32b5c0fc7207805731722e72cb3f5fab36b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e4515759344c2b03b76fd39c4370bd30

SHA1
7dfa99d8a93937e610835025508c5e9cae20c3e6

SHA256
6c7152094479b128f95151f86749a9d78bc8b020bfa31f896cb34f8ea62954d3

SHA512
be117005878e76d8886dbf4050aca8f215fd3e43ac52fbbf351400b87c59295622d45d00b3a8a46d1dec612fe3bbd27136b84e5a263682b5d6b868e16738b6af

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
affbb8c5e876b79001a642830eafe17e

SHA1
5e2e6b9dbce68bbfb5e297de9f3dd868f7885b9a

SHA256
e5156b681f3a32a79730098e81bcc4b2ad022b19bfdf4ee990ae677d101f2565

SHA512
c0ccc0fa5d6924325f65299219a225fcd5b12c245dcefd667e18ef5176a87e3c8683b5d96f8e2760c475595e2b2c6f1afbb337c6aec16b289f2d63f254df8c97

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
83714adc0fa0f2267bddac510c673ae9

SHA1
b8d3bc8823e491dee31a49b24ce535c01850eaa8

SHA256
bb7b46abb82431795d39eae8d4272ed365d3efa41de561837514fdd8cd6e187c

SHA512
01aae8d58e19626d9328a64619e619ab171b2f2d989886709d6e8450276514c75280f425e5194c801b591b53ccbf38eadd8815d4bf34110d02787c07b932e0ac

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2ccfc9ec6e74ff06b1356c7042418d73

SHA1
91e5826bedf99eaede20a68857e98094af10044d

SHA256
e6a5812ff033cc4b5e809d41e5ba6beb19e6e08a2fe3e28c7f327e4df5962a6b

SHA512
ca62ce1fbeade373aa0497376253f16fa0de652abff95bdb5dc385d7bd8e3200c4c1f16765ddb91d6e717537cfbcafdcc472edcc4a176170d51dcc768d937b09

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9dd989d9010e4df5ea0a8008ceae51e6

SHA1
e5ab131d1519e8dc47a7cf8f7547611040444df2

SHA256
a9c499b2c53f06b9a6a570429e319c6c18cc45fb8a5fa709b98893ca2f21dad5

SHA512
c72d3b7e5649179b18710dbf11e81b343a871b7275c2fef916dccbd6fd4d472998ab0bebeb7cb347c583a27112996b9d2874628f16ac0898ea5e5b57a8c22c32

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4690bfe88cde042b137463085a101a8b

SHA1
e80e8943a7ab4b71b6c80a50b6ed850dd5d57ba5

SHA256
2aac8994c9e5c9b96c6c533820537912a260fb213f38107ef702a57b5edbaec3

SHA512
707fc3f3b0c1e970aedf1206556cbe9519de4da339b16231f83ead2f8d62422890ec7edbd71f9e8a9fb45b0b32ac9151bd1609f0d8c0a3795b1fb6867a966089

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
f647ce4b72ea07bc7e11e5b2cf9683dd

SHA1
ac13e3b06382cc7b6d9e47bbf34318e4a01e0272

SHA256
fc59abedc2c831808d012b827cbb5b12fd6421dc0b69c5976eb6f1de8307dc6d

SHA512
2f3bde4d17ba263fec7d25e65291662606bb1cc8cdef6634c48ad1e2793bd25f9db22190878306ac7f35c948374248c312c7ec4c285c77152fd756235eb802c9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
6312aa03905a26b82887e0916808f477

SHA1
ae6615d2485bfcd31ae0af4cb0dc2a0307027628

SHA256
fba1e3fb7ebaeca1ed3a916b7557542d742ca066c774140628c7dcd0186ed5b5

SHA512
bb5eb2c903c2f3602552b68ca5a66ad0f9d33df126f6809f3d7150f888ee38f2a0ae9a026889d4dc007531be7c052d5e9a671de6f0ad49faa4a339570786c8a0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d5444b6aa0e423bd68bf28409a2edb3a

SHA1
fe7d00854aca929a9b860650699a48888f53c98d

SHA256
b4a474e319f07c1a4fcb83575a16babfe4531f9b594d5bb4b42fe30b3742dccb

SHA512
e714552c793bd91663690aeb6daf65eb6df8383531a152fe8b3fdfd0260ba0da8f24e5b023b7f869c57afd54bae0e7495fd18cb8c5f13fa6e242975c02843ae9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
22a44345026f1cf42b00ca729c87c3dc

SHA1
82aae25335c4b1ae4c4b574166c56347b79704f3

SHA256
8b023176e1a5453c88c88954865fb076231438622cc46f3d9a8aa0b3994b3455

SHA512
d02b4f44511c2ee3be310b5b7111d92fab04df981763066a53bb0e95646087eb59b6a2e3901ef637a09d8f02ddaffdbd1ef1afbc4f3ceb79d27527a3c28a4303

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
93257f0de4a643861c361f7623ef5d45

SHA1
0adcd93bd3203e4a5c858138be4adae56545c0c5

SHA256
0c53add518e65c164032bef86943de398d3beb1be798e7eee79fd72330b3b0a3

SHA512
6b985fe1fe6836f4ee34af093ca0cbf16171ae157d1743fec40e47bc912d155b23ef06700a435da1b1e0d6dabfefa4c534b066754e51a0e22b20a3b3c5e8c52c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
abfe5e6bf3d1d9886507664314e7a25e

SHA1
b317c9b6cd6e285663c869d36a08176311732558

SHA256
18ecc017cd5ddb0e0cd6dede140a5faef64387d2818b2c493735054c21ef2757

SHA512
d5f64fb569063ef159347e9b3164ac69c7ccba0565d8c81ada3c3921a80128c7b71e15f5e8824de9ed96cf9dc38ccaaea91db6643c6f99ab06e0b2d3e959b446

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
79854f6118a1d7843a640733fab025d7

SHA1
4822f4ea9a945a5a6a1d099efcf6e73d106bad7b

SHA256
821d076233cc238226bd600cbfed407da561ad863695b03ac4055b66bc5b489a

SHA512
517d32aa2219df18a9f86e7c7556e090d4fea9609bd87ff2465cd1842f1ab765a6276f0bbf8d69028fca0c3abed96a846b569e874136791763a37a46e30b0401

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
93c4fd776f306296a2367a2c0ff41441

SHA1
f3edc91940aef6871afb153f39c39e5035ed7be8

SHA256
b18a4393b089dea0bddab33b8cd61504361f09ea460b26bef7982f3d69bace18

SHA512
30f9feaf9810047a02688bb31ffcb4da352e7529f70fcdbc268b099a39645233ce15169cf87ab1db09590c0b1ecef98441db5609b86176d45e2afdbcd0ebaa0a

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
1e1bb738a28003315044bc205bbea655

SHA1
404f0582e614ca106f36aa96d84533633d8dc57a

SHA256
a85f89653963dde1137d9cadf28c962004dadd9a2ac1f780c7e528d426e4c72b

SHA512
9bd25d86a357bf870d2deaa262c7934be873c593c0153b0b5ce19d25efdbc1518b7ba5b9d2849ba2efa9f1a9526101362729070f7a66694c38ae284b3361e99c

Download Submit
memory/648-82-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/648-6-0x00000000026C0000-0x0000000002726000-memory.dmp

Filesize
408KB

Download
memory/648-7-0x00000000026C0000-0x0000000002726000-memory.dmp

Filesize
408KB

Download
memory/648-0-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/648-1-0x00000000026C0000-0x0000000002726000-memory.dmp

Filesize
408KB

Download
memory/676-353-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/676-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/748-86-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/748-74-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/748-88-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/748-83-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/748-80-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1248-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1248-179-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1248-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1248-71-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1568-140-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1568-253-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1640-229-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1640-126-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2160-46-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2160-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2160-431-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2160-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2160-200-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2160-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2160-58-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2220-130-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2220-241-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2424-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2424-454-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2440-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2440-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2492-188-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2492-409-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2652-217-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2652-109-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2728-455-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2728-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2876-33-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2876-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2876-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2876-117-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2900-91-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2900-202-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2900-92-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3580-475-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3580-262-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3592-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3592-478-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3916-329-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3916-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3916-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4296-319-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4296-156-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4552-55-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4552-57-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4552-49-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4552-166-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4572-90-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4572-12-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4572-20-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4572-18-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4964-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4964-453-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download