risepro | 39fd3005f0c5f03ea66f377e4c302f6de9085917bf44d4f605a6f237744eed30

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
Size

4.3MB
MD5

6a74ff4bc1fd5c753f80b39b166a62c0
SHA1

fcc591f7dfc63d5002ea470d7cd01f640c529c9d
SHA256

39fd3005f0c5f03ea66f377e4c302f6de9085917bf44d4f605a6f237744eed30
SHA512

e922d132df4b283c73ae61dfa142995d55ce40fe11b11af8a8753a3ae296f9649a37a204438ca07e4374b2ff444853d66c5d4bb8b1f3452187f111a09ecdb4ff
SSDEEP

98304:DaAXHxuC1SjE17FRCgDx21C3R83Jd/IZ2v:DaZbE17Hj21C3R859v

Score

10^/10

risepro discovery spyware stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Executes dropped EXE 22 IoCs

pid	Process
1932	alg.exe
2708	DiagnosticsHub.StandardCollector.Service.exe
5036	fxssvc.exe
928	elevation_service.exe
1996	elevation_service.exe
3040	maintenanceservice.exe
1988	msdtc.exe
4504	OSE.EXE
4328	PerceptionSimulationService.exe
444	perfhost.exe
4496	locator.exe
4896	SensorDataService.exe
2672	snmptrap.exe
4104	spectrum.exe
3032	ssh-agent.exe
2264	TieringEngineService.exe
2788	AgentService.exe
512	vds.exe
4764	vssvc.exe
2156	wbengine.exe
4964	WmiApSrv.exe
5112	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ac378e781ed82f9f.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b81e21544c6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006543cb1744c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089381d1744c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005011701544c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008274531544c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a947c81544c6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0ac8c1544c6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a49b5a1544c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
2708	DiagnosticsHub.StandardCollector.Service.exe
2708	DiagnosticsHub.StandardCollector.Service.exe
2708	DiagnosticsHub.StandardCollector.Service.exe
2708	DiagnosticsHub.StandardCollector.Service.exe
2708	DiagnosticsHub.StandardCollector.Service.exe
2708	DiagnosticsHub.StandardCollector.Service.exe
2708	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
Token: SeAuditPrivilege	5036	fxssvc.exe
Token: SeRestorePrivilege	2264	TieringEngineService.exe
Token: SeManageVolumePrivilege	2264	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2788	AgentService.exe
Token: SeBackupPrivilege	4764	vssvc.exe
Token: SeRestorePrivilege	4764	vssvc.exe
Token: SeAuditPrivilege	4764	vssvc.exe
Token: SeBackupPrivilege	2156	wbengine.exe
Token: SeRestorePrivilege	2156	wbengine.exe
Token: SeSecurityPrivilege	2156	wbengine.exe
Token: 33	5112	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5112	SearchIndexer.exe
Token: SeDebugPrivilege	3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
Token: SeDebugPrivilege	3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
Token: SeDebugPrivilege	3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
Token: SeDebugPrivilege	3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
Token: SeDebugPrivilege	3128	2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
Token: SeDebugPrivilege	2708	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 4924	5112	SearchIndexer.exe	106
PID 5112 wrote to memory of 4924	5112	SearchIndexer.exe	106
PID 5112 wrote to memory of 3304	5112	SearchIndexer.exe	107
PID 5112 wrote to memory of 3304	5112	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_6a74ff4bc1fd5c753f80b39b166a62c0_magniber_revil.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2252

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:928

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1988

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:444

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4496

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4896

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2672

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4104

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4564

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4924
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1ef039578fb4af3b1e3b2855859760d5

SHA1
930a46ed680e0cbf42f379369eae374aa78e2d13

SHA256
a2b88762edb41e73b333226cb619bd00d31c123eaee369b42cd61bf16d76be73

SHA512
a62683a884c82f39f09e8f40150110a1bdd2b2fd4406c29c321c5cbd33df56f76b2d71d3b63ea8ea2bc12470aba68e18f3e14d1d47087d8003a69e5bb1fe6c83

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7ff9395ce6df9c90b780e68a361d76ea

SHA1
17277d5b63c2c9473c244e1855e77b445507dce0

SHA256
9318f1d0c509c08ba2edb0eb0392edbf0f854fffa14ae120e091b0568ce66710

SHA512
b4b3333cdae581a13b3b9352075649c57b97bdb230db08167464e7e4b47a60484989d6c27272912e2bd8d68a4c3847d030ed7f42439e506076baa5384ae1c688

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
7bb228f4e86cb45b2024058e31473f1e

SHA1
9657fe0e2ceecf37c315ff5ab173f8e25fb76b8e

SHA256
9aa523c3083679d5281ee408cf3ec6298936e27dc6660704245baf044911fedf

SHA512
e05ea15d3df57f87e90a037fae68beec4c367c57dc929dba0dfb0376f3fdae8c207adfc370077eb56a71c47314e51c263aa06e173239baef56bdae1d983c6e7d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1e7e7c2504288bd16bd67802741209fb

SHA1
e593a667d4bbe4ff9ec2f0cfd50342c4acd71f18

SHA256
0d4ce78a5cee569cd14fda46c36cc1d65e5948e2081df69de31d3f72d3208dce

SHA512
0f163455b3023b9084001833722b02345d09526ed96bd9523b2c7afaa3515cb59effaf18076127b11026c5dddb4fe375f9a11fb529882270b489ecd973722fe8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cf544ee1c8f3bed07639d79a46cbe368

SHA1
5b9058594763315aadc4f937e14144c6699cb22f

SHA256
e9eb0f825804dd685ae396ff0e1414f9b6cc5ce3ce327902bd065d18eed13d6e

SHA512
ee624749ca6c3afea8dcd5161c13dbbf1daf075b95fffefdcdf1be669dbafc542fc3b2bcc7509e03242fa115aef14d7f7becd7ebb57032123218f434f04dc122

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b57491bea02813fc97193bbf942899fe

SHA1
75649c3039cc68b085cd464fb60bee4dd77263c9

SHA256
d35954350cfd2269bc492b820cf31db98c3a14f5b11cf2ab917c000eb783a615

SHA512
acf3f031f7a0cac389110309ce62463cd1cbbce8821a932972f445c9fa96d8e810b62974d246e1337447903da71b8d8ca6919139aad7e5e17246aa7752c7723b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
9beed3c12277d934cf96de96bcf3e9b9

SHA1
f8eaa44526689320acf4c53882ad8e75c20e6bfb

SHA256
3854d84f2b40c98247311877dbc4bcb26f23e8b9ae7e1698a9a1dd273b8ba73a

SHA512
c2e1a4e4d2634451637daa09576446b62932a720040c6cbcf0712db66cad27f7e76e4b35397f2684918486244b3ad92b64a5ef5164dfaa7e949bfbe9bffa357e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bcead914bd7b2f561b66e686cd72b499

SHA1
c50e30b01c98ce467877e6976109d006c57dbcde

SHA256
c2ec1806abf9dcc18d4bd9235c10cba699508c8cc78d26e8cdbc303be4ba1fab

SHA512
7bf370d009a71c9599f67f8ec9d9c2a025e899a005b9ea1c937ed08de312d556f7767c54ea26230369fb18b8ae09b7d6b07ee803d532989fc0cfaab61ac3e7db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
cf1aa30c8842836d1cf9317d8ef4152a

SHA1
7dd20e7295b3f18ef68ac5d62285cbab0668ccef

SHA256
be203d84e36bb3c6aec67d3a7faa1b0be5fb253733421bada26f7b37f74bf019

SHA512
b2865736e47021ddc5142516de6482f96bdc1e096c624ccdb697386d7a5d839ab775f2f155263096b0e61188788acef26fb0c86c3aa19118d31f9d3ef319e58c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8ddee42644b25d44e0b03efb2f2f237a

SHA1
5f783520fb8a43eb1e3bc944ee5711204a5a698b

SHA256
596b175e4a0b4a08abb0c3f325ef0fbf3476d3fbaefbcc618e949b1ae6d860c9

SHA512
30688efb3e3809ae653429d401bfc00b1c9eb60f38e81a5d0f270e0ef5fe7740d727393534e63a384212a1e0a1779facd557cc029ac727c4bc3c462090bf51bc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d9679a763b8b5770a36f88349bb8efd6

SHA1
f7e28bcebc187003fc098d96825a139e94db0fe9

SHA256
8159767038acb0330f7812fc4ba697d66ed7477ffe4cae6a94e99fb0022e287a

SHA512
c05fbade645311e7faeb41d514cdb2cf68d11707db179d81ef3c95130f490f9c35a69d70389319e97d52e69cadbde0d0003f6877d5401890958d62982a685488

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e5a8740acb02ffc3fd92d27663ee6fba

SHA1
7562d698def1fe33a7871042ae7a9b9126369745

SHA256
4bedcedc8ac1734c317afe9852c4c850ad0aa25d88a72ae6c92a17806614d0ec

SHA512
d00599e525564d4da157946d66bc7f2ac5f4ed6c6d2c99a83598eac7ef0b543dfc00aa898825cc09bb668c7e0eb9934076cad723a475755c1abc6201dc57356b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
bee8a894e9bbea67a5c87747144898ce

SHA1
7f8c0ca1d8ce0ee1e944aad1d4a8b870173bcf01

SHA256
8ad7d8a51cd7761539f17300adb52832ea977f8e29104efd6a26385a73a85fa6

SHA512
4f0e50927e4f16d10f77beb3dff1dcb55f580edb2e3564d1ec8eaaa08ff3b2807825d77bc44d66d7d97c2b76e28c6685325525a9b49885e6a77563446761db31

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
f41cc0e3b95740ba4a98e7ddc1b45b48

SHA1
4a6a81872fd9d3bfd655e97972cde5237330e17d

SHA256
922fb91ace8faee25fe44d6e73848e0ea046d21d967fe755c61ddc6c4feaccc5

SHA512
940f9caa6330eabce7b17a1b9ab191501de7d653a399c2e6b986e27e81a8e488b41086263cbc110494b67fc09a0d5d0b1ef94cdbdea8a44f081c458391207795

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2db2300abbc0f5ed36b1ad145c42675c

SHA1
da6a840c0f97abf503cdb5b51581e17d33d31240

SHA256
45feb354af804dbaea3dc0cfb10171ffdb651163f198688169f3e1cfb5fdd509

SHA512
eb66b88ab6d76e2c8f811b60064c45a866c10475f4358abc276c446151be0cb701dd354c508b64b472dfe809e88b6e2c3e9f50f7c6bf93dc334d6163e232c002

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e4645db19530708b16ecf95e34534074

SHA1
caf2cb0b06bfb24c7627869fe00fa3e4c017f67e

SHA256
e9ac99422892ef756dc47321e85bab4f306470ee0c34d359d48305b522a1b70e

SHA512
11ba9f74d7358017323ad9b32a6d15a0dca7f8c778572e4043fc843007124f13b02f36fccc494b3c6a462d4eecc7ec8eb446fe0a39080333748f5334996321a6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
29b2f267d04907a1069e22fa3ad7060e

SHA1
03995afcc3fab6ba751abbf744dd372eef979180

SHA256
c4f1abdaa4d1325b101e408e590ff7143963b6afd73d9dad544405d1d243552c

SHA512
96cb4eeccad92bceb78293bd230c0de18630fb2b7d18ffd2db1a49165cc73c88c62b0aed25da272550d5d65c2b9e0a684b5499db4baee5088e0e14ab8a32ef57

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8cc62cde6df2334a04204d6813d5b6e6

SHA1
6525a362c26428b413116fe5871c3fb27db63450

SHA256
b2baabb74bded5207cd2db634ef1b2ec18e05f430b1a4ec2ffe3ed7cf5853caf

SHA512
845a787a41e80d6f57e1b05b82d44c9d8eb0e8c62c67b992e731baaa3f5f38849ee598809de74e779389500068fd9886f98ab4bd093757c6f20440979ff035b3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
fd7c439595f56500bca5786446aea560

SHA1
ad817c26a72e7832233946f43fafd66dac8b4fa8

SHA256
8bf775697abe2f092274f2ea89f2e3a9a6c21552749fd657b9fbc791d8469844

SHA512
e45933a0947082c989ee820e947f30205808d3fe566e971f74ccf5306527dc379968efabb42798ea75580708560d82e638f86cd02601378bfbe2f7f300a3fda1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
768db728d1ef610018ea46a5de6d49c9

SHA1
9102ec2f50d1bf55c555d2ba34602f7fdc333dbe

SHA256
0cd1e7845f0d3239e7896ebd02c864d072896f350c33147024a5ac3fafdd819f

SHA512
9b96900808fe7ccbba215049f51a8aa786d2bee458b7f9b639de86309621afd42d6da737104740d0cfb679124313ecf24f9e44a31be86b560b41a793fd3c6684

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
e9cd2d57951665a2ae6c6ba0043e178e

SHA1
267f7a5bd135462de493c3062d654a1770456e8c

SHA256
94a83deffd0ca1bff91c3a502582097c6f4b1e32d54e8bae6ef03ebcaa17a232

SHA512
7de8ee74d03f4dced6f3436b09ec25a427d6492a50490b27464c850d01ace4b3a18e09fd019ebcad29213b3fabef8ed5639f046e3d84e659cc4587a261225e8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
be0b119b7f5a28a37c02a096628bf851

SHA1
7e45375e105b0c15f3eedd816cdaa475b5ca6abb

SHA256
54523f3e7b6cd92d036caa4436dc2d08df8c6b6cef88b3166506589606e4bba3

SHA512
7b8978afbb1d1783ff46ba2c002910085f78513ece84b0b11158412e49d88ce4a6ecdb13b255ddeb552940eb32cc01c8faa24970dd3d850da8a8743eaadcde1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
ea445c6326cf1420c69e2c1d8a1f8792

SHA1
3b0589827f04c7df877296a39be50b09ceff0bf2

SHA256
0c742ffca49772f0ea0713e0000e871fee4a3f6d7a0bfb8670234cebeda996e3

SHA512
f76f5f5332c7d13cc3da87b8babd04f15594bb1b5111f700bcddf5fbd2e41438dddc4d35d7d3e76268e4826acea3e89b1198672e76e36c82b8197ea55315c340

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
f1b5b0e4bce7d145cf7b4fd324d2efbc

SHA1
d72b520a72386d12b27ebfd7c8a4955547e24b6e

SHA256
b0ec3e8d9a00811cd0d457cc8cca1a4d300ac74cecb96619e304460c90a2bae3

SHA512
eba3abed5e21e5bc350bc79e6944674c5523d0ae2537f8ace430f443dd7b47a0e16d79abc285dd8a5d4e9bd42b800307a2b049019370235bf9c9953429610813

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
575f8f921d924bd32c9fafab92009d06

SHA1
0821bc4e00a9dd202abe092d034dfcb06d3afc71

SHA256
aeef93009f198db42e7c30d282c949156718b4733f8e959ab62cbec68b7b91d9

SHA512
e818c64c5a3b07a42207e78127c7ea670dc890c3228496cf4ac5b535108cd512363fac10e2eab7ce8c055ed63a92ad8bf39262abe2da4a16b055cbda0bfcd3ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c188540739c48dc0b91c4bdbf0aa1450

SHA1
9cb41dd9319bb7c1244728ef7de0e283bbe8f9e6

SHA256
264f6440401edee18eb5cd6f86b2aa76d07f5022612191322e862a19befabdd7

SHA512
f1d64aa00416b40cc9c2fa21c47782ff5e6f7fd1413da762920c799d06e31c44f82488b1dd48589f2169b64de2df67524ba467e81c28f1d542c7db478ff21d15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
91505836d7df7a268cd1c61eeb59e853

SHA1
f7b6467e31f05147eda90135a27edd36c1af17bb

SHA256
4c97a6e106c182c30c703ac58afa5d0e142cd8e5986383acb045825dcea9edc8

SHA512
abc68135bd83099c2ae72d4d900bd3eb91b332d250f661744c255206134f10c76a5674210d7460f95f58d0c3a9c83abe9b037335ca8aac4e4629bc730eab198c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
5bfc6165b45da1ec39a0e5874ec1491f

SHA1
3236812d8e2fe917c445692fa6ae4a1d8ed671dd

SHA256
9f37202ca692927ace9ffe16e1d0e44e34969985326441d93f7324aeda0f3162

SHA512
21fd7e63e89a6a716a94585eed81adbd9ab99d1ad4266ea1adc1a8656e20b04136bccc4e7e620326b01a5587a2f99adb39ad5d3e1317f8991fa6107d81508491

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
160a46cf2e26721a85fc522c2dcf3899

SHA1
93c1d32fa829c8e46b7e098b952394522575b248

SHA256
cc7f71cfcbd7919135a010253fe63c884a9fb1e89cf3249858a2f7b980e9862e

SHA512
3f0a245f3563ac6e9dd9369eee3c6b0f591a0c18808f62f3d2a7de557c2177ad590f99aeb8a6b64c0fd5013110b48872fbcf8c5f4a70864f4e0b863b979747a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
36e8e1e80c9c325f59241f830602cfe8

SHA1
80ee62e83c9e8e6d148402026adf909ee51bbe10

SHA256
611543ec4401dbab09ce700d5e03c011658532f0fbd928efec9f395783adb673

SHA512
7ec6ae5bd7fc476fe8f4a3998f6acb15bb0177e659e1a0385f959481dd5bd604ac92c1d75e8b05b9948ea0024f5623d37a696ce7f648905b2332c7f5dfa73bb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
bf11b033623a40371c947272220ecbc9

SHA1
2870b89ba1a772d22358e93d01514db91e246064

SHA256
b5e5fa74829944910657d440c0cdd592e0c290a351eeba04926acd7a6ba4ffee

SHA512
f78818b5cef82439393c8ce1ab915f62d7b87d66927346d5d5d149ec295ad54a29f190b3d571da18ad7814a07300ccc39b44f7a3ed137cbfc77201bfcc2eaa99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
4112faeb3f8970acefbc877a97d89e3b

SHA1
cb3cc20866f92b4289604fc5bef89d4edb939aab

SHA256
d2ce8a64c3c8bdfbb770d8c51af021657801194353772b8f413ee3fbb5a0aa00

SHA512
ef09f89cb6a293fb1083317c2dd690602d87037b2dffa44192bfd62b5639b594c1ab39c6e67348bb9785ead96c296e4a2b0d78985f1d57e0c43863b98240dbf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
ac6a9c428a79d1e9e85b2e6c53c2873d

SHA1
0e870b88d261f68817e6595e34b064cd51d91826

SHA256
2191e36f18335a7a0f734afb27e783c43c2118a5361cfac110de63b707a624e4

SHA512
8c5ed6ada721ab3a85c5a402e1ac81b9e68125a5dc83638a9789a9200307592fbe09939f4e27f11e1c350478585115a6d092b593829b307c39e47f18c8c6047c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
c17d9689b934d73fae989d8d2eee5874

SHA1
c09535d46cc3538fa85776b0312e5a40fc782225

SHA256
feb56208d1534cbf23e566fbee4a094b1e08ed432b1d346e08082766d0b10cc4

SHA512
7d7b2d011803f7291fe4884f6135022c440660e8ee8aae80b5ac1148b57adfa33424488453e3bd1254c0b6a3a37f09f1feaacc9f55a4e051e6b18cf01839948e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
5dbe6db6045dd9685ba6467d31c2607d

SHA1
4f508c95c528aaa8e8825216fed3376c3a77c353

SHA256
b132c2dfb27835d072cb8140cc2409569fce74a5b9dfa6b0d1603a0fd45fdca8

SHA512
9ca1af47ea201f968a3970d8320960a54321d9154bc59de4483b0bf02e3f489ff7d32eab2d5db0907283ff5791efb750299a7243c02be4d1d2cc4e5e6d5da70f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
07011099639928ad7cdd10f9edd1d673

SHA1
cca8dc06242bb97d8f30caf3cc7428fda9803e26

SHA256
b1d90cca775c1ee97ba20f21c17a33e1c0423f4df1192cab5799f2d15b7ca406

SHA512
94e656b0133c4bb1fb907b7738c3acc7183c4d6abf0a74c1f2a74a44944dbcfd34f03d46ddc56906e1ee2a62727e65ca14b972def455df1a3b96f376525bac02

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
814ba4d821d133450b441c499deb1eb5

SHA1
9cad2256d3cc1cde74ceb89015dc9509c0469f67

SHA256
787fa7fcd4d84913eb9641e2890289492976b128f6028e4c39e3ba4e4ce9fb0e

SHA512
06d8932deb71de39437e539251173e77d2b469b45f938b6a1850d1e098955a7e7e4904a509e27db481af028bd955feaaaa7f7e18192c70ed100a4549db8bea4a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
6f2fee11756d1a0a1733022cf7b70080

SHA1
c8fc13ed9e7c824df640af213688744dc72b58e5

SHA256
d1138cba8060f91f63d054207d7f7362e705fd9847fe74fab5725e891b277f98

SHA512
f5c7421e7a12c3e931b8ce68643883bb1b706fb3a22afed55d256ae833a462d8638ceec669fe38cc65fc7cccbf82170022eb08f6ed980d1aba24326f9356e207

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
b5b4545355821ff0848515b267378519

SHA1
33fcf44d2b0c501d6f4ad7d1a84c921cff1b2ed0

SHA256
3471c6ec8ca68e942a8bde99ee4bd6617a08db7edd946f67660aaab1b926cb6f

SHA512
3594d9e63b75fc955836e987c89b2564fcf1f1cf6e607e56b928c84ccd465e7e92d7905563881be746f9b9612cf9c0439d40e4d103cb8ad26b105e97bb270c86

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
72ef2fccf275da786fbc4c406d364b14

SHA1
d16be5ab11deda5f2f314b9fc61376472c1b4ca4

SHA256
d526fa1a5002d1a215123201661a4e263e6976f253a74423430168bf6cb42ba7

SHA512
cc6854af6eb62b40b08edd54e20a8c92ad3d922dd476d9902cc6cdd62e3dea48bcc15132c3b8457b33e0c4d7b1f71c07ec91939cc4e3b4916d26179f77c5c2a4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a701e861b2ccbe19db3d2166e6d0c4c4

SHA1
a198e962d47ae0ff062bf2ad4569c928e94296b5

SHA256
30789f4eb57d168f66117a66ee519c0c71505c6b1344e1b8d9c5ef2bdc24bc60

SHA512
a841fdd0ae743d7961ab8475aa3e27258dc1a4d3ce73a5a2f58474e7f4f04d1183f072b0119aeb572a7b5166a2814770b157447f872e3f4a648bbd1e4fb78a6c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f876df56c0db700130f502441ce831db

SHA1
d6945410d440348cba59e1ac963d81520aca6911

SHA256
7c98de2ec8c212467e1d99a9f41bb191aa553ae47152605226e56a0679b5e716

SHA512
de2705062c707729074ee1216f0da54b4dbede3683ec73c457b4615361fd17f6f603463b4a72a0bdb1f5ae17cff246744546d5e504fb8f251a129dba996d81e6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
24b1eaeb0355a98574f1df14568f485a

SHA1
ec9785515bf8420a2e34babf7382052d4e60e75c

SHA256
9e37b5f1700f7751a83d3375710fe89b74cbcaeca8fa509e6bbe6b89d4fec96b

SHA512
c8274de417f2ea4d4c57168005df7bcc65028f73f782630c239e20d23e4e5c82e80489afdf4a4fc20b2f2aae8181111a6ddff20db84005f06e4d043b991a879d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
18f6a2f7038b6143d69fb759b3a9be32

SHA1
e76646f6ea4ffcc60e3a18d7c06860f45f9de77b

SHA256
73f675b8fdc4725e5e9a90afc1ef1ef4924fa9f4e909916ad40bdca8f6ed74f9

SHA512
43e0a5686aed50c08ff42c57ad6172c5fafe307acc849a6f0296837b681e5815b99b80231da1fc0be3653285514f64fdf52d09af865eb1978e1240ae8d8de55d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b55d6ebd4a2aae1fae45c2e0f480f7a4

SHA1
6aab69471b293a3cb5e234f580b5a05eb342bf8e

SHA256
8dcc723f0cdad17edc9e21212d71fccf29ef3b73bab510079789dbd8d2eefb78

SHA512
2d9cf9ad2daf44e945684652ae4f0381ab524fb068fa0e6a40ce5a20f86755dc51d1842285aa253584b030c3fbbc9c7b32e5a57a5b90fb743e92152b03ad4597

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c5ff36e61f77a745af8064662e2cf8d2

SHA1
40ba4b027734e7bc56044100ac28bbe9e8804c9a

SHA256
fe907a0c28adcf67c7cd875b9f25c98bfcf509930562d112c7e2c6a99085e97e

SHA512
6ac4ffa9f4df62cc91b5fadb34f130bc47e743f6f7423fb2224608cfda4e427d2d097b8c6696ee761ef705b1b626b2d07dc3d2d06474304755cc099c62c4f94c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d1c914b10f71792b4b1ff811e06c765d

SHA1
1f26fbc6324ba00b99657b66ae446d23b01c8296

SHA256
7b9610e8504d05d05b5dd7edaa9fbc12fd63aefcdba6e2927c460050bd34d99d

SHA512
b0d2796c97e46b3d5bfe859bfcd5916956408bbde00de46e821c5817d237afb4d590adfc553d121994a06f998081179396a5ba78a4a2ad0c926f89eaf4a402b3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
11d90251caa7d8dd1390609def4e8da1

SHA1
af14234be59c4ba35b0878f8915c487430d7e095

SHA256
681a7694fbbafd359dfb4b6516b9ff488b15b19918e2eeef647f9ef88a3e0e02

SHA512
2424895c797f5facd45c1ea04a1dc5a6d6ad24817e406fd99dd9a4559970f99fc9c18b8cd5e6e3c882cc40c45acc1b5d5f60ecbf4b62791c80449b8000755775

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
004fa0b4cc487566c40e08aab5a605c2

SHA1
9e86c9da341f4533ac13f4eee9c237e140cc7449

SHA256
b0134b78d719d894a67bc2126e404da4bbb8b94dd26faeb22c0dd1b1fc0d481b

SHA512
40df41eef1eb728facb3aac497a221217ee51521a9198f756aeaf7a97a88aa102d960cdc0aab801e16325633de6e1eff7d78b591755f3774cdb6bbbf6c1d3d5b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
da9ab37ac9818433063b964ea2c5d7a2

SHA1
d8efe708ee71e3ef55d936f096916b76d3ea064e

SHA256
6d733c3443f4cb613cb2f7b29f92efdc84192074d6e2cd2909b478fa31b68ba0

SHA512
4b049aef7617bc47afa70c236eff1dd7f09c1df54bb57003c341ce62b223b61851f47b272916c794adb6fac9e035119ac386e0e036435b4093216ff9a6f2bb1e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b6835ad6a8db6907365e5f30dcc7a6fb

SHA1
b957a217bb47b3b89b1d9722dbcdf39470e429ef

SHA256
869257df177fe8861e0f784538a3e29f4c615839747e3ebcbbe40c4b8b9d7639

SHA512
adaf3d057f6082031aa20a6b9ec2d38b47b811cfe793161d9c0f5c1ba4ae1a98b91f338d5c727ef806a0ffde8403e0cdd7a7e873bf6761fe836da9778fd6f7de

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
081a4672c87513cb3611077ea1b31187

SHA1
7a23c0930aa349378c1ff174fc96b0461089644a

SHA256
f50b4fe0e379f81eb1597c194fff41909b2c344a4aba622f08d631c9c25ebd04

SHA512
18cbd051791b9098e04a045df339a792eecd4ce32dee299937bcee0460521c1cb16f777afc597975a4a2bbc6fb9871900808244890172f5de52b047e6c690d61

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
19c27fd2360c3e3fdea3b39fc4009957

SHA1
2ca277231be94aebcc67b2843abf08e2afb4ee61

SHA256
4ee563dbdc079ae8b007a59eaa9d7bc0bb977f4dea839175ea060288ad72741d

SHA512
20ddbd25e866af31cd8dd089d5ca2d8865ea439c33555d72230df583eeb86c8e73017082bc78c013e73f7d00e0c08ac2ccb6fab038a31e7563b229739caf237b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
05d884c17dbefe10b01e81418b781d4e

SHA1
6d53ad3b283f4d5e89faa200612e19d9eb103f5d

SHA256
20a380d1d11bf556475b4dbb2ee16cdbaceff575925ff14e4e918628307a478f

SHA512
769f938fda72cf91d449521f92ef77ca28ce89a1ea21ad4fc0157738ad7c433847e0a3a15d91d33cdd5748eadbb9da8dfc2821a03deee4e612d5581fe290cc45

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
27a6cffa6a00ea220b50c4c2bfd5fe8b

SHA1
595a5309f147dabad7a43936e44610622df9d6d7

SHA256
9d9e7e98f09c019a0e9e0a2f5b00b8975f27cefa9c001349e364d8ad3fd243f7

SHA512
91c9c58124c766dca747a978718fae25757ae8360704ea0c9611a622d1e4f8220b9eff541f555db4d7a20bd2216fc9410ec3bb2426c91641be5f17135536432b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c41ff1dee1a594914fe779c709f30687

SHA1
1bd12ee1277201234ceecb3cf5c14279962fa30d

SHA256
c0d7dcb3f442ccff7aad0a839f8d9260db5da09da9d72c1e1708500f4c9f4038

SHA512
692d28d7a257af1be2d8d1106751265c2ded4f47967fdae0286fecaca1e6db3d0bfae62e9f5d3c6a9e8db4cbd13d62049f16f5b935c32eb24ebfe41668acf58e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
920f9b8df95f2e598d0913e032ee1234

SHA1
2f0d0d64f163569a54d43ca6b01c3beb48654099

SHA256
5ccb9deb2357537d6f2d42cd03397a565078de7eb19952457cc032a93e13ad86

SHA512
a23bd13a7ee246df1d5d93be6cb5e5c812b3f5521ea8f1637ce2c842f453573dd5609223d9cd523b885589ae1af3b608fe8307b29b3b7b2f5806c9321671b779

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
29c07b6e9cd4cd1777184a21b4c22789

SHA1
f1a08df671c9097884799631469e06af567cec43

SHA256
dd2a3be60eb30d5c0c392862a63a6e5ee3d24e463c34ab9747bc1ed3b003bccf

SHA512
5a49f0c78930da13ae17e718382ff80a376ecadb3beb6ab10fa5864d1be2dc98c577c6f2600b861a4f644beae272b1f76a629070ba6dede5a789ccdf54aa94b5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
becdd8a10c2043b6506e672207059c88

SHA1
01b5e9aaf077928a6379b55720bf78c8dcc0abe5

SHA256
1322c5b39d06dc1efcfe79d174e365882ec3e0daecb09a096a0cf0a94bfdecf4

SHA512
c10aacce0ffb28fbdaf04177192cab8e5c81ad00626840a6ec4371a500ced45ce7eec5ea5cc8c605d8d6c9dd0785e915ff7e86cece947f8f67eab23497a5fd93

Download Submit
memory/444-163-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/444-103-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/444-108-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/444-102-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/512-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/512-520-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/928-33-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/928-39-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/928-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/928-122-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1932-13-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1932-100-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1988-150-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1988-71-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1996-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1996-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1996-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1996-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2156-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2156-522-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2264-147-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2264-519-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2672-120-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2708-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2708-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2708-24-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2708-101-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2788-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2788-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3032-451-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3032-135-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3040-66-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3040-67-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3040-55-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3040-56-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3040-62-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3128-70-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/3128-7-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/3128-0-0x00000000025E0000-0x0000000002647000-memory.dmp

Filesize
412KB

Download
memory/3128-8-0x00000000025E0000-0x0000000002647000-memory.dmp

Filesize
412KB

Download
memory/4104-379-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4104-131-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4328-96-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4328-159-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4328-89-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4328-90-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4496-167-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4496-112-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4504-155-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4504-78-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4504-84-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4504-86-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4764-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4764-521-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4896-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4896-172-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4896-449-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4964-168-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4964-525-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5036-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5036-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5112-173-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5112-526-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download