0af4580bd9859167f87cbb0406a3471597fc29ca5878f4721c25600e1341968a

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
Size

6.0MB
MD5

7b5af07077f19343cfae4765fe0f09b0
SHA1

e1c996ee60f8b279860ee3a2c822c35ec2b092cc
SHA256

0af4580bd9859167f87cbb0406a3471597fc29ca5878f4721c25600e1341968a
SHA512

fad16d9f52aeac3d5e9b493c3f48842dd1613152a7daccd17f4a030ef65c1536d1cddb63e93cc4ee16c1b746c5bdbdd885cc5180f537d859fb388b2f1678397a
SSDEEP

98304:2jQSZ05yWCKWNWFJmlrvZHHPhifBONgQBhI8AXXDvGYFQlUf3qrtqQSGiO8kmqrr:25uVw9Phif8NgQkHDeYFhqrt0Gd8C9b

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1676	alg.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
1692	fxssvc.exe
4116	elevation_service.exe
3920	elevation_service.exe
4904	maintenanceservice.exe
4860	msdtc.exe
4084	OSE.EXE
2788	PerceptionSimulationService.exe
5000	perfhost.exe
1580	locator.exe
4456	SensorDataService.exe
868	snmptrap.exe
1236	spectrum.exe
2716	ssh-agent.exe
3536	TieringEngineService.exe
2692	AgentService.exe
4032	vds.exe
1720	vssvc.exe
4556	wbengine.exe
3028	WmiApSrv.exe
4924	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4e226ac475cb61b0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105781\javaws.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{796964A3-CF91-4ABC-A549-587EDBF9030F}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a043ad0b9d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093f126d0b9d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f663cd0b9d1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025b288d0b9d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000451a0fd0b9d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc8a81d0b9d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d07c11d0b9d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022b54ad0b9d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026b369d0b9d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
4116	elevation_service.exe
4116	elevation_service.exe
4116	elevation_service.exe
4116	elevation_service.exe
4116	elevation_service.exe
4116	elevation_service.exe
4116	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1664	2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
Token: SeAuditPrivilege	1692	fxssvc.exe
Token: SeRestorePrivilege	3536	TieringEngineService.exe
Token: SeManageVolumePrivilege	3536	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2692	AgentService.exe
Token: SeBackupPrivilege	1720	vssvc.exe
Token: SeRestorePrivilege	1720	vssvc.exe
Token: SeAuditPrivilege	1720	vssvc.exe
Token: SeBackupPrivilege	4556	wbengine.exe
Token: SeRestorePrivilege	4556	wbengine.exe
Token: SeSecurityPrivilege	4556	wbengine.exe
Token: 33	4924	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4924	SearchIndexer.exe
Token: SeDebugPrivilege	3724	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4116	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 2792	4924	SearchIndexer.exe	113
PID 4924 wrote to memory of 2792	4924	SearchIndexer.exe	113
PID 4924 wrote to memory of 1352	4924	SearchIndexer.exe	114
PID 4924 wrote to memory of 1352	4924	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-09_7b5af07077f19343cfae4765fe0f09b0_magniber.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1632

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3920

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4904

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4860

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2788

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1580

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4456

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:868

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1236

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4108

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2792
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8e232c33bd26682341e9602ac9dca015

SHA1
4144736fdcdfff3e73f7b75098a28e8a998e44dd

SHA256
85842153b973ef8ec444cc2214e90bdffb6c83e35f12394305d7cfb0e95a5588

SHA512
4d6e740f50eb0b9ce1427dd3f0f2679e8c94b51ecd6ca35f3cac02281522bae5fa5cb8ea09cea93cfa117773df4f2c0e625302d6ebb3ec13dc13e5375aee6453

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
5c2125ee297fe0eb4e7388ec924cc9c3

SHA1
5952abd692a04ddb54944091b43daf2958d3e64b

SHA256
09febe703da1ec3c2c7ce06ca8719c330bdbae6f9fa24bfe719d9ca913be04e3

SHA512
f63d1ef79e5d6015ad3d78e77b77320293c3d32f29396e9406110c6dd9213d2ab98bef482896ac249d70b60eabd1859fd06373f3ca5c4d26a96eca598495ef54

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8bbc7dcdabeccd467381d4656f9abcf6

SHA1
4de1119901459ec74ed433c78ec4f11b1783775f

SHA256
8226ca20877c2f39c6b9b9b31b53c523151af0ad0008c93522ec5a2198d95a6b

SHA512
044c15c1ea3ffd91e92338e24586c2f3031f90721ba31111b8f358213401f37f6dd5aca7322a36136f833c4cdf9060a67a660a4b8ca1b86de69767335b11448a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3a66898b0fd4a7c79b07019aa049686b

SHA1
266a465c9a1a5dcaf2285a989901a789486ea364

SHA256
71f8906bd89012a4e97b4fd972620868ce1a237dd532acb8c3d07c9ac8bbaf5f

SHA512
8a884966e72a7209855e3af0aa1a558f0728f8fff92045054b3b46c2a66d6bf05ecfd549a521e54d8490a53e8c7b1cbdc5e19145cb4b290efe8aa3cd9c8e7897

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4848fd98b53e4f56b9967941ccf532a8

SHA1
e2887834a4eaa0020449a9a22bd52d5d74dce9ce

SHA256
eab9203b4e88b29629b8f7e196bebf3caaf91c4a196a867b62dd458f568f2027

SHA512
46f821417dc75c37ad133c0e183d96deafd6113a9320ad850b5f918cbdf0c78f42afa31795b538afbe462c028304ebc72fe295229ac7c85cf2ed25737706f17b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
1c4eb1174cf3c446f42e42c03f942dd6

SHA1
ec89c3591a9c25c82286690d88089b32a2298025

SHA256
f22307847844bd94cc26156ba5b89414e97d72823b74a19696f9436e9d6a43cd

SHA512
e353ea393510a9379a7c282629cd471ad8a9733bbc13baa1714f3e5712ca2a03253c016892784aec693308a89d3c8da57545209e0aabb2adc5b3074701d93521

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
cbcefda72605719ddfd541e66cc6a974

SHA1
62ac493f4db5fdedde5f6d75b842954e5ce44507

SHA256
253c32fbab7b49f4c614a2eca785c9fb5e4319d2ded01d7f74c5455d4559ea43

SHA512
9e8ea0b639a5099658abf853e8c7595bd4f053c84f33fe526c439e6b422d4fc83364aa5415ec37185a74181fd7648cca893a9642360c2f70afb8116c3d210acd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2aa8c323870f85ad4e182df9aa546ae7

SHA1
84c6e7333972f7069101c2f9dda48750781d1bdc

SHA256
dfaa99cdecf8a0d3cb152651c390e08f6cc3e26432fb64eb55bd9a06826c2939

SHA512
e49ab70dfe0e0f44ba97d91fac8463a1ad4a2da4cb9e2b025b94a12166fa2504eff32a32154c1589077ca3e7020ee148c077f101a03825b22a08b55ff29fbf1e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c7aa1d2640d04880ca556c250e1be4d1

SHA1
b49206fc99958fdd2b653a64e124ee1f1e4e4cf3

SHA256
2298631a4fe15f4d8852b5dfdcfd27385e8d26acd91d0d539a342a861d75bbb8

SHA512
748296723d40c1e5a49d47631bce19b40b8d87d3ec8a454cc0a5c6b1c43d2317ee7556c5c25f83d4cea6838a3bbb8162194eca14057dcb736b02274e6e0f418e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
538a14d18e4a2952ddaad9804e6d8c6c

SHA1
8ad0a900edf2865a4d546e4d9a08224612298e5a

SHA256
7a529cced373d028243034a5b947b0d0744105eafb2310351c2188e866a88937

SHA512
5f67f26f583bb190ac9d1c4111c263b6681fcdbd2cbb9f567a4f4b4741e254905f0c6ade8fc654eeac56d1458500a1eeabdd6201b79bcaddab97a6078e9ea96d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5c39e444deb7c1776ab93880ef073dc1

SHA1
5065f93802b0b60b63b9211c5808380fb38d8591

SHA256
ae026f6361537c2dd3f4f3e1878058964ab516ed268b3e30cc317b628917c71b

SHA512
46b990683efdbc749a0c1f6a943b185a76a01c8b4cc3a2e50750be5c60ab7fd6d14a6935ba4107490554d450493f25fd009845a3e516e1f9f5e0ac9919730425

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e434d41c7663469c27b3ea5c080085a7

SHA1
5d62a2699b9caf868fb737ec0fe4f7e2f78e20be

SHA256
7aac249a72da3e3d07f22808d325bb1e7e9e21aef605640f05f7082415ea4841

SHA512
6ff5837dba3baa7c1428661a6a64566f606c86a18bbd14093925ede9a6f5f3034aeaf6886b013a286082356650ee4cae66f49bb264db9a6145eb27edd29b8c4e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f6ab0d2b835b3ad9cca05e146b5685be

SHA1
6194758dd42f98777ac85e834aaa06d82ffa7adf

SHA256
f886cbf3a3e42dd55f36800f22881b98d0ec28b0622262c9bd5323bed4cd0802

SHA512
f168759c147b043e1b49f4e7ce1e60d2448499941793f3fc48f18041ee3642c6d872f608402dd57a32d8cd5fd2697b3e9c1dde845808d35977dca6f8f07a7d4f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
efb3ff3ccd2fc5128d12c9b9e73e779e

SHA1
dbc4992f648a1ffe64b464396272133a4cb39192

SHA256
a77fd8c97317f054e504f948e594c3dbf3b75e02f1408478d665411bc25ec0b4

SHA512
c96b72ce1add66f0deb6e246f2018738e935da1a50923beea6b31084fe014a3c7a021179f31d5280b72cb64b9f055cca3b5798295376774e55229383e9d76c07

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a55a4dc0e1905ae1009d9cd8d5ad689d

SHA1
8e7512dba6de958eace5e932cf2929dc042217a1

SHA256
2cc3e2734d612ddd40c5ad19a5998ec7faad5dd12433afb3fc15f9295072bae4

SHA512
31683fb1e94222784b0545b52ef650d74851b7c56a858f8b6f324743aa1e10a9a05454c0231504d432503fb547f80045a8d8cbcc50efef1c821967a217ac3357

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ffc01a253d41c80be41b3de1027cc3f4

SHA1
414c45eb1d1763fd6e5e1c87d0d99de88d40e0cc

SHA256
5f232f0237d648f572f9b6adff309fdb4539e8048d0c5b3f982d0d07378c56e9

SHA512
a2d0ad3ebb01b65ecb7990c625d892d18cd6ee52ed39078e71d26df7f1d421157ec40cd2f60cc5fa8caa55cd78d2e9888ad18ff5c55ebad4fed2a8fd367f0a8a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0bb6b7350fd52c3a7fb7cc3952a3eadf

SHA1
af2bd1efed9b3fefa0677a33a27c3671211a6991

SHA256
23d6714b927201b8a2c39c949c415d4e8d1d2ecbbd920f5e7cfc58377b6f90e3

SHA512
e1f595df57ce429a9465d3e74c97fe541f854206016ff60620f828e033a692df51dc2c931ec4e85b2cc5d279f89497a778946f7245eac28c9b699bd481c77c5b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5c5e13fa056ff59ee346e3c4c3de6405

SHA1
0ab379f83ba47dbb1638751440269948cda542b8

SHA256
6723fa01dd21cf0b200472e0809f33193664b0710445f6bb363cfd8ed3de8ab9

SHA512
6cf230f97917967863419b1a534576b3c47f3422075d5675f13ca22e833af4fc5a9cb7810ed8b05de5d1583f7861e870f3762e7cb38121b4fd626e2d52adb477

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f4e115d5f6894eb74e098acefaccdd8a

SHA1
34aef2b37526f3a51053ed101e6467f5c04490c3

SHA256
c6ad8ac454a25d4c5e5d7af3eaab574e79f1f748094d1b7e6a426dc1f6f03c11

SHA512
efa3e0b3a20a49b20be0d5cdd04360e106dc5ff13a1b255d02623d505a898d91f459b9c3c9f5a9fad065e89f38b5839cc967cfb9df39c389525f26f334760329

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0405005dde3452a3a6a0b2546b762785

SHA1
8a964fb16586b55815c575c5d82506e9ec2935f2

SHA256
3bb431a9e8d8c73b63ea47356825887dddad706914f6428a2370dd803ec76250

SHA512
988597d91af4522a1522ca4cb5e1c068973da5321da1f41f86ab1393b3dc9fbde5a1f02257cc85defd745f0e3e028cbdb828a2ea56622edf01b92e4b7ccba3e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
68c5a058d66b5fcbec574af5fa8c4c6b

SHA1
8987ebcf622e553693ffefcc5d7edbd57fe05138

SHA256
c6445c6ee72d7bebe69efa671af8b51992a76512fe7c7661255c4d85ec1ff3ec

SHA512
d7bf241e57af5d956aaced4e2b72da8f6ee2abd2fd6c12da410be46f33300d810b6fed77aef37d8f949583a5c8820fdd38579b5ab52d4287f79d1ba01179b496

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
bac330155478cd333de9ed109094b1a1

SHA1
4926b13724b3999a4b5a8c4aee3cec96fc6add59

SHA256
157ab1e35b95c69f5cdf3b2abd72149809a5e39a3ebfa339bada8e7615282519

SHA512
7547d5d5c0ad59bf8bc9b7240fd88b93b85da97884cb408c93b1b8a80c86498724dc71a4f30b3bb1f317abcbabba0c81165dcccd25272fc82c01b2728cc91938

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
836a22105fdd343cb5f334b34c7f0e83

SHA1
8f035a1e051b9764e6aa9a76b94802c3e5a866ac

SHA256
9573d14602a95cb9a7e5a36a4fdd0566dc47d3df64eb3e7b7d21f25a3470080f

SHA512
5791c3c9bb4914a519a7c451c10a2ae98a6f95d24fdf18429d8d84c1a300e6a2be5a1db8a7fcd6378ab9836fd1c5cff7254462c73f7db35669dec4fd71ae5037

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
24ba433d464f7d5fdb20fbc655533a07

SHA1
48d1ebc2c14eef8598306a710ff5aba46a011f9f

SHA256
74e80275970f0999605ba4c8cff79f672e64262e8c43ac20127e36c2aa6e5fa9

SHA512
4b53fff7b080e8c38c831107aff73436d686fce14bfb44d5c7ce339a67cc448235127d23fcd7d784a6cd66d50c7315f0298e31ec3d613cb7d7604e3d4b143e6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e46fbceb7f27dafeb996adced537cf78

SHA1
1e83686352512491cb485d31cc16a138b5aef726

SHA256
ba8499b9b38a5d5ecb638624e82ad57343f0aac4ce12c9a8c2a00196bd341a0c

SHA512
b6e588052ee5c2229324ff82d21ca77191b4a7fb03c891a1c26e3b7669259552c6dd62f20cbd7efec0337d4e484636bf3ce7a012282a598c5c56d84a3da4fcaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
8b49b664a3f9e349b7f5ec0129eff5e8

SHA1
f0ac9eadec26640dc57ed6e547331e0f93c8ce2f

SHA256
fbc121c89e05e8ee620d512503571ac303e955bbd779b8647a34c93873cf144a

SHA512
9e8350555ca241c4a72634f31c1942e3980a1d9e660fdcde75a13c2ced5216e3ef57831f01b42b17bde24cf8006228d5b6ac3ca8ac3557caaf755303decde550

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
92da9af29d9ef868ecbe82cc11436a4f

SHA1
467df065709c34dc52bb6aa8122bc78d6f1e8ab6

SHA256
b8d4ef494a87e1831f043f8713bb19184fe5e4bf21c3dc1bb81a50f533f936ca

SHA512
cd1496c20ac26eb1066158b81d42b503f1ed3df19495c974976fa2f3364b4fbe3e5017831bd44aee0044cf5ccef469b6f931886a4413e09c8aa6abc571370153

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
579d0280186eb0ba413e28f703917ac8

SHA1
d4d6cf34e0d59784787709e4392a57e5c984a82d

SHA256
36a0f73bbadf24eb984c877a4ae8b4bb271230e0bd50631bd9dc3f8b103c5173

SHA512
a18fac9529f52cddac74c008bca210548806276102e9c8dbffa2759a3c43f90ce5eb6e92e61b40ed95185651b83857a22c25b54815cb26f0ca8525a77d1a6061

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a6aa13617104cfc07cf78a3b4fcf5030

SHA1
3132fa92786fda8c70ff3bcd4431e54fb8a50eaf

SHA256
b2454e2e8242de7c373cd3418b20a364c41f582d515d10412ccf937064c90a7b

SHA512
e323019e96f04abc4bb9dc504f4ebb4928926a487d9ef06b500efbe125463a176dbdd429a9b75c79b23945fecb41e068e91fef53e02fd844787d3d00fbc73a53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9a815db5a552c1865154392caffdc300

SHA1
59200f3a5be53533602292e151268d59d4b6b199

SHA256
49cebbf38274d2b2a45bfa3d2c79390808d3a0763b30fc2b06d29027c10102a9

SHA512
40deeeca68a881b862d825f5f3618339f511b476b2b7a47e7cc07d0e6e2e7eb32a952f982bbe14629fa2a4da65a68b8ee13f0131c025fca438483faba3c7ba1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
7e9f2d8393c6adbc927c5e2dac6df7bf

SHA1
058a8b3b60f55f6a203a3d711a5a0943967fb644

SHA256
a47898f7f83a36797e9ae75b165b80a119a0a2482f4eb50c5a819c1f9c7a1b4b

SHA512
402fc49e6c72d489aa816889d40b099300cc4edad60ec04cb0d2db7d04f60b80225d06bcc413e023dfd561b4bc9c4080932abaef6e1e1146a3b589343c270e99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
9e8593e70c3443d31a125bb979575fd1

SHA1
f0ea877e7830e2f4e1b524dfdba956d572e7b9e7

SHA256
d90a69f98e1d43db9398b74acd759f7ded97e7106fcb19319762a1004d3218e4

SHA512
143ae9c510ad5f99d6596965a51d89735c3603a5c81c686bddadb164de364b13faeea2c4a9d32dcfe7d25074b94ff026ec58289ce304c2dd784948e901b2730d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
0b11682edc3b2d8d2fd41dea70bb5bd1

SHA1
f3b4cfab18665254a83924676871c598646cf64a

SHA256
2f1df0cf43ebf9a66e2cdeb3609f540c67e1e2b0f8ab8e534c470c0a1c772502

SHA512
a81888107f4549371f17ed13f382e0456b941f16125166b2491cf30bded83793fd8bacb5cd4b9e095fa4a947561ca500783e46d4208165f83811edf16496b28a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
f7426f47b6e7703d1b4580b2e3d0d4ce

SHA1
7a990efaa7e1e0f909132b53bc8845365b5dcfa1

SHA256
209fbe1215b6ff66537a516595f87bf3976ef760446c1f5f4e3e329af6250ac7

SHA512
df28b377dd4e9fd7f35ae5a41604361d6869fd585648ba18812e7c47191eded90dd16af41b2f65553f48c98784b40eaefb4f2b0da2b2770f1ed87709ad3a3d02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
63740aba6906aa904459f98ce16077f6

SHA1
99c2e0a15011fc68da6bbcc40f002510dd84a588

SHA256
c5ca20facf42f562fd392e615823ffdfa01b2c88d48b8986e0c335835326ae19

SHA512
372608336d340034018188a20053ed37f9fafe29ab8eb899fe5a0f06a17b8d0b78873910de8b0edb1c5fd56a8b67c01ef1ea4e1d8416bfbde541a39ea2e30bb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
daeefb53df9fcda5e7ce37963f77e3b6

SHA1
1571359ba33eaaf6ccce23fe40e6be61d896005f

SHA256
56387924ac1cfe4014507868c9d89aa77c40131ab4c373f950aae8b5051fe497

SHA512
6ab0d59371bb2aebf7a81e0ccf73061acebd713216b95ec8cbbc47344dd4fab31a5bc9298de1411e52c7b8274a4597a8dce40f18a538cb828a808973564be183

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e879ec3dde8c6dc7dbd7a1262d940b35

SHA1
cc2ffc9138303af5abaeaa1ee64773f4f54e7b51

SHA256
0fd25f3a3daee64e911f6584c0465e3dd7f6df58d1908306a38b0c9964444a47

SHA512
c20485cc8b5302d11fd712bc219d8fa547426c76c064e7cd1bb5005cfbd693c3a221af460681f5c54a78d84b2633408a1f0cbbab4991dd30d3279e17fc151422

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
540ecdc528533243c6a23ce44cc03133

SHA1
6c0a4782365f31b171818f49942245467039b51a

SHA256
9a3567b9120a46951932846afdf512352214d69be539f378459d1bd35a430fc2

SHA512
a70d9996ae187a00feccb71e6d887534f9557be49666a440ef454bd1a2da2c8f46585f3cbe97b6b399ae492759ccb8675eb07ce624e84ff49c64e7eb44e0dfe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Agent-20240709T043804.log

Filesize
768B

MD5
31e639e244f42ab034ed19fb2daf51e6

SHA1
7ffc631c1b3c80ae8d785e459b98f04f17c295ba

SHA256
77e56cf56ec1f678f0eeb6468cae6be43d6a58f1b3732713af26b6bf6a7b6293

SHA512
89ef0647cd8649b2194072cfbf9595ed558b5e421bb6ed662a729af8cc82beeebae7aff3e102834c35b77f20afc66b805e88ccb7ba8aa48ecf6e7961a35669ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\AgentErrors-20240709T043804.log

Filesize
35KB

MD5
3f3b6d3268142c40aab0ac28f11a176d

SHA1
0e3c9e98247d0ebfe438b1220eead37f56709f77

SHA256
131dcfebd82953b4215f1f1f56fce26c8994337f7463def436c8a1784abf6c09

SHA512
4eaee5ac9867e667ebb0a7c96d4226cd1abf6689287dd38771ff391972cdebf9481dae3a5e882117ec90f2b08bca9842292c950ee137ecddae66cabae5bffd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Features-20240709T043804.log

Filesize
91B

MD5
31245145b79a9981a8dbfd515066388a

SHA1
14d5b8c52d0bfabfb179f4a1b693b3eb6c68e027

SHA256
863932f9754c743795c5d05c51b74e64f8acc3302d015c291feb5e27aabec0ab

SHA512
d878789749f7b76d28cc93dadec35cf4bcbfea70977af7400cb41ce13d08850003b94b6bab1956b77811601c8ef80beef13f5d802f1376b03b6cdadf921b5c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Operations-20240709T043804.log

Filesize
290B

MD5
cdbf7677c6e1de35d573c050c39ba7f2

SHA1
53088cca46d8115f75d24875e36284d5a4e312d7

SHA256
6773ec2d805daa6f2159af5b03ba2264798d86b5e3c79f33954c9d23cc2f0abf

SHA512
c59b8e08c1ede8dd42a8c336ba7b6c06891361f25cdfa61fbbea3490d7577e0015adb522af7932713386f63efee6c7574c7afa8de612576df4d375da640ab056

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Telemetry-MessageStats-20240709T043804.log

Filesize
1KB

MD5
8f2a17409ef5c64ecfe68e4dd3ba4c6f

SHA1
c2bc5c03da67d69f7705867912cbdf2db44941e4

SHA256
0ca0e105217b0af12baa355f07bf58b239161f7a755ac4931c0e82596d9e4336

SHA512
d79b8fc38f0789b0d6a8e715dc97ca56606feea5fe0ecaa627be6a0ae411bb46351336687b057a32dc403ac8442e97454ef369108709b4f7949466d14eb9bd4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Telemetry-MessageStats-20240709T043804.log

Filesize
1KB

MD5
8e29040a795ad0584efe935b5528689e

SHA1
d0a03b7949802e3949b1e303a4aea1c79b4edf68

SHA256
3597e436dcbd8fb581bba8a70da8d9eb9ed6d1ab958f46cdf5a6e437c91ef020

SHA512
8c153e9517d00ffc677d62f9ac09412a0914c3d65cb59bfbf804729d010fa70459c60b61a991924067396a165cd7a3458807fa05f0154e3e6c91de9caf171529

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Telemetry-TELE-20240709T043804.log

Filesize
3KB

MD5
d34aa9dd025a69053b77a83f8f9fa074

SHA1
0ed00f313d06b1773cd6cadabb2e2a5d2d229c2c

SHA256
39db4a47785525c2bcb9094eb8109ff9eb674d50329048d77adad9a515b13cbd

SHA512
195b5902076a8298c39e4e8c2c8474596a53fcc83e43423d13fc78482a637fb2c55a251627c29d34a88067429897127703067bc0cb8df859959ff9c57da9c840

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Telemetry-TELE-20240709T043804.log

Filesize
6KB

MD5
37c688216bcb41b69a928046b15c1184

SHA1
ec1aeafcb5b2285f17326d16e369f6bacede6fe2

SHA256
7ba624d64de738c8c52b4a66b0e69e1698c93b961a83a3439d566b191a15cf81

SHA512
3c1ec0e3040e83b65d9229617c73c053a80a9dc19e4496a4d7c97b4ca202c77085111da0e33b35d1e347e52721c22ed205c070aad3acfb3d6511581d6a8bac78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logs\Version-20240709T043804.log

Filesize
756B

MD5
f89963456cef23435b2b7b81f10412da

SHA1
640a3fcd4331adecec404155d80f49dbb556d510

SHA256
a690bc3cebd676582f452733254ce9f19e800474d4e6e94e5abeb5334a2ecb5f

SHA512
458c7dcd9f6c7f5c0d13eb8a04461d7d0eeb064174b6e84f83fc7a21b5dd334bda9995e831e2a530348e4f9062a8404148c3333d61bc589fd244fa8155d425cf

Download Submit
C:\Users\Admin\AppData\Local\data\cache\bc\20\bc2095f930a0cd551a40c4b978b6d6e2

Filesize
3KB

MD5
bc2095f930a0cd551a40c4b978b6d6e2

SHA1
7f49e7e45842c88f4ffd1611ba8de2ee5f36d7fa

SHA256
8521eaff77b3e162fb8be1b42c541405e929d2bfbb31fdcf353652f952dfab05

SHA512
d2704bad722a0731b470a7e99f026adf77b50f9756cc6293c345770d84bf3c78782af1c265ee45147af0af3e2b54ab8589c15480ef7422d8e4cf672513ff741a

Download Submit
C:\Users\Admin\AppData\Local\data\cache\cdn-agent-2237058

Filesize
1KB

MD5
85e2f6caccd5f9def149a0d2ab2490bc

SHA1
09852979ffdb1fb2546dc43729c207cec2dd0f59

SHA256
bf4afb31c4a2fa22e3fd1e00c3deacbcf513db30726b56185aad26411031de2d

SHA512
402aaeabe9432649d9ee792a0fd6493f9b89829e929add0de665508b3a384c47cdfbc792e15a73e00f9c7334dbb2d0b1919ced80eef12fab7f4a9fc7c63d2ac4

Download Submit
C:\Users\Admin\AppData\Local\data\cache\cdn-bts-2248514

Filesize
771B

MD5
b6c07a5c1e6daff3cefa8498078942c3

SHA1
c21b57af00c0ecdafbf3d7c4e9da40a3a4e3c39a

SHA256
996cec1cf904d298550ea073b5b15287ed9dc29d2afaabf830b16bf2ab66e082

SHA512
85063057dd51f07b994124378d6bce018cc9e72cafc184c96dc139ab48320f3e3e6e7b0022ff4e3d02890ddd4e4f8862f547119f30fb201247bbaff57d3577f6

Download Submit
C:\Users\Admin\AppData\Local\data\cache\e8\a9\e8a9e3b2b36cc844d7a26a18fce57792

Filesize
308B

MD5
e8a9e3b2b36cc844d7a26a18fce57792

SHA1
49be54edf2f73bd6108b3e70beefc6c6ca7a41e9

SHA256
861e375dcdfe06f23998a42e9c9d2204d3dae197bcfac37d6ce54284e7a4a2a3

SHA512
90c4e61fde0dbac2a529b2dbc99a600be7e4f0edbc7868b5a894e10f66e543d11a92781f758d3070d465ad5c5bd2a9b774ba278a8fa2e26f724411558aa84fd5

Download Submit
C:\Users\Admin\AppData\Local\data\cache\summary--2300739

Filesize
14KB

MD5
d319a7390756e9e03516cfaa973822aa

SHA1
cf9aa46f4d191d8222a5397cef44d9ea6b4e843a

SHA256
acab2dc60ba142f92ff53ba5efdedca10f4edd22d6ee7c50eec70194c499ce8b

SHA512
85631d0299005125ca292641653b9b8cbd673a6752647d4fe661f4d01242a3e1cb7bc7618847fc54144115fbbc7e38700a5c9c5f09f8d54185758c87ee3234ec

Download Submit
C:\Users\Admin\AppData\Local\data\cache\version-agent-2293507

Filesize
742B

MD5
0a6dc7c230116725e0b341f9875d1663

SHA1
2057195fc18525dea4c2be5c5c21529da614e03f

SHA256
d60adb91c957e0bf2710acc21bbd7f1990a120a7d154aeea3aa22cb7e587b435

SHA512
71e74c07f7f2e8c351bca19b9a5b7013fa37aa7a6e8a19b29caeef44194974d24a746af18050a1cc294a5c20e51e75b77c15e06236e3f3bd544b417c539ad248

Download Submit
C:\Users\Admin\AppData\Local\data\cache\version-bts-1801026

Filesize
3KB

MD5
74e66ae20b960decd2d66548de0924d9

SHA1
fa2596161dd052a3ea0cf0d880cdf71e7b961a8e

SHA256
cb38ba56c1d368a8723ff4cc4d1b7ff23ef51188fd7d5405194d970edca3a742

SHA512
40960a984cc51869f806ce66263d810c093ded8854407e4b1b2c4799488bdf1c4823f366a49ea3a9e620e0775f289a35260c117542b4e88f141db7dfd396df9c

Download Submit
C:\Users\Admin\AppData\Local\product.db

Filesize
190B

MD5
2f89df0be1ed38062742ff078086330e

SHA1
f7aaf1f5bdfa78b21959b8b6d1a870ba67090e46

SHA256
8450a46c2049b4d7062a08db2f29395175991a66a254e22ce489945f44648ca1

SHA512
3b0d0b1e0a2c9cce9c2127afdd7027a2fbd841d9dc62a681dac27f39663d5b983430c9820414140a706befcfda4d485ce8e655c7e181ca6236531982a7aec480

Download Submit
C:\Users\Admin\AppData\Local\product.db.new

Filesize
344B

MD5
54bbda6f6488c6e0d899490f981dfa96

SHA1
e48308a06ebff3f5b4db7454f37d7041258a638a

SHA256
e5055dd21969f086ee97979e01797b1765fea1e953bb51ce2cefa5e032df2c20

SHA512
f7755006d9cf8420d2cfcfef25313875315792fe28beb4e16fb007be78139512c3c3bf69a1b3c7f3efe609258798b0cc6431bda8d8358dee908bf32c8538ed0d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2e4d07260ad3a27add015ca73472030a

SHA1
9d0336b53ec512e653c3fa271be6ba811c430f6b

SHA256
6a3d434c553482ddb187c699ba5aeeb4ccc807855dd46bcdf1c05c9022cd67a6

SHA512
a6198237a36fe8fe7e6c5036df1c6a3e0cdd1871b9bdedc46abda0b2068aa60ba5341433e53e05fb16921cd3b88e3cff3eb7f83c4b50c01650eddd46a8267f4b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
96e7d3010b788dc80f400cc58327c203

SHA1
fdfa05b9996d11981172b8f149c89baf7790b987

SHA256
ba5d356c0b8c61dc3028518dbca5290e5398b40baa35e605723f526830531911

SHA512
2d7dc0a76bc23d378fd0eecd6866a781a967cbfcd3d7d57239fd1d09f66d0e2140f97a66b0ee295c27beb2e0c19f88c890fbbbdb3a31339fa3b937d64606ccbb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
93d6df85cc240fac75f6d5bdfa742c68

SHA1
db4bfb36ba9f0994296d57381b8202da1bc9abca

SHA256
bddae9084480cf8719fc06d83e30a7406af36efa6cf755d162fa1ba6dc2a0669

SHA512
8cb1bb492aaf0781a4491c280ab4400d4d1ce2a56ebe78ad1d82a26c70a0cd887531f462f3c824af676dd04087fda0188f426c41e18f94621080ed5ae5fdda9c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
578ad63a6e371a658e26775628f14930

SHA1
f322aef42b9f62e0361f438c636a3e33d9da287a

SHA256
1ec310830a8bafd9542c5563c0af8a24bdfd6322354c32390947b5e4c835c4d7

SHA512
04f3711663cf55bae9d83c363b6db2beb760e0056cc534f9960f8cecfff41efe47ad515cd768625ea292b25ee5f37c65dfc42567dede48e4b4e25dc366a06f4d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f03b48b127face6bfddbb90e4de3baf4

SHA1
95d19f1ade143c97a6c844a6ce759ae761f09cad

SHA256
956485707f621ee7bef7485fd125272405fb6cac5f5ad6893b9e3ccedc47fe9f

SHA512
f260ff2522dbf7a02f65bb3b01a9b3ec53854073b4068ad0b8c90add8ce2d1f1980b60db38c3e06822ef4eccc5123cc02617f5e8de8689ef783fa577766e58f8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
16a6b255aef10dbe15bae2a4a40def2c

SHA1
265f04e75fc87e374bf0e57bacdea3855040ee25

SHA256
66d2e39d477923b08368ec04cad5aa1d1a532023b170bf374ca1559a808c471f

SHA512
8f01c1d63b2d2511758b3b30ab3c007d53857d81361b925cb39cb4c03f85d84a7696a5b6eaaebf546370f99c4be2711f2d631ca10264bf3b0968cee603cb7719

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
cb4e4b32a529c1f8dba07dcf10f224da

SHA1
fa637944170739554fb990817a71601050a005d9

SHA256
d6fb5ea034014ee1829fa8958568d469a2f4f46a6ff0e5cf38324b084b112e6d

SHA512
01e606485b3268f7816dbdf73ffc1d4a326f7b302ccfffc52610241a0f10fc463ab6197969f1c0edaa33e07c089114060a8c6ab6a7a51e01b596339bb0d90665

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1e8ca65328ac783faa1c8202260375f6

SHA1
025b3e80db81f8650ee175791126fb4dc397b0fd

SHA256
d10a7ebd7bf03a61a5b63821efd8c3e5264e1c11e9d3a1970eea4f637dec6152

SHA512
c32278a4e0790e0d1abf154a3d21d86959cd93ae78243daf111a2a0f038cd4a1dae6882337d9f4777d17dd6df5750770f25a7edb73762fc8daee2272f7363263

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0f287397f7a3ac3b22471f476d62128d

SHA1
bdccbd3adeea3c70eac62e188ce4725abb8c0f79

SHA256
ddf5e29e20d6a1c1431345da06f9513b5eee040fe62094678b6eb66fb806e2fa

SHA512
2f0a2c2b219eb92c5462b54213d5c8735e6372870f4a0a4c72755849ed034548560dd00e155bbfc23c9b7d4b23f1593c6b0320297d5ce1e519a317666a6e372a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6ae9265b21948809392d3dd02aadc91f

SHA1
939b5f122b2d86073b74db28799c0cc21ae053fe

SHA256
887ca864969d89f1b694ed4cdd7092d2be038aaf7a14f394bc14b628bb286060

SHA512
d6d7b5001a9121b495433444af8a67071ee4248078c31c6082093c19b57c0d227bd17059d4cf8602aaf315794192556ea56b66215e59f222e81ca05575c63dc0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1e452ecf77a8c9f2842e7433f2cf907d

SHA1
a5fea7fb2f49240e19a593b9d79eeb1d3872f7bc

SHA256
b63212b1360e38a9da93d554a3b1d9b7df4b238525d7172c7d9389353b3907d5

SHA512
c7e65fc7de69286b87d6ba5cb8d0d925c9b1349a79ac59d59d1e3fa662e16508ff96922a117b0edbfcee412f7cb53316a2c5dfede44dac87ccbe4091970a55b1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
66095a82cf076cd51a35826f782b27d4

SHA1
7ca975ad61271e6df3f0f885116d9ee145812d3c

SHA256
c6ce01ec1cb19a73d9603726e62003e8d0f2313f78287709307aa386dd0635ce

SHA512
34ea2cd03e675273a1f2cd33c308834eebc188f089316d783cb7ea093e696a7f4375e895da722dca933f6edc53c4759b64ae75301c5a30c0dc2766e5b688e09a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ea3a6ff0ddd8c7f1dde9bd6ae90407f0

SHA1
ee3f7510bf34751e6ec4cb113e41722450100625

SHA256
f0db8a4fc25f254992dc9d884a9ec85df3262b923b492eb713d184e49c0cb104

SHA512
7e31b04d1c8e934f591b343568127306b38481d44d6a31a34bcf5cf64638cb5f0cb4f6e0959b24c24cdc450fe51c19f6969b4714d3982c444e33535e4bd4bda5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9677ecb0214c9a4e1196a81f31060330

SHA1
98f527ff682d5966702c33656606ca1f9efea490

SHA256
ad5d20e346d6d1f4a29aa13653c7bbd948e734fec43ea6854b2835cfcf9cacc5

SHA512
98e62409ffe56565b16645a786671aac141b8a09202e2f24aa848aebef27e3a175e9e1a6ee4ac1982a1c30dd7c0c84eff6fa5026daf69fcdf197acad37fa8bf2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ad9aba48476f4da6c370502849c6eb9b

SHA1
6b3198404edc9a2250dc0a015ea79e09b2243a24

SHA256
86fffa7fc29785555ee13b0b3a2be2b6c215429fc6b41f0bc3ee489e035f2d4b

SHA512
1630ef28087c862a17dbe3fde9e2d5693fb47e781704bf61836fcff47ec1d2bc75aff0de0321d5d89744d0bc7c8b853edcab97ad9bbf663677be5bdc4d8dd383

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
748ca5ea4239f9e59c626e6d61f621ae

SHA1
b308609090bd7e33a5487a56c9b162fd2ca68b8c

SHA256
836db980bdf2b28dd3b8085cfecce4cf842e922cba437d1c3a072379d08db349

SHA512
d23b39250fb7c7023f80438fa85a9f6016ed1be018be1c6e0e0ce096fee47b449a00f106308371fc376b046b0c3a1e362474ead8a813570942000309ec2db04d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
203acd6101b80f9ccc653a0a123af8af

SHA1
fa307ea239eebc61e4042d54c204c1bc82e937de

SHA256
7e73a39f7a474821d8c555a45d34864bdf8ee7aa3e744ee81bb5aacc0a6aa2d3

SHA512
01ad63d0e0b6a2eb45be74666d9ee4877c2026f32ca9e37e56ec0c427770d23e75e7a1b0ac0c2f24e9b581b33a99f87364db3a21366c2342f32c83b3806516fa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
97f32903d9102fda9fe5ceb4edb072b7

SHA1
08196d11bba0efe91a6c4fa1846c05edfb8d9056

SHA256
62bce2e7f430b692330404386d63fb2d54b7c9cbd4cc883a20d6cba17e22f3ad

SHA512
0a3015e9495f80b4563b32363e1cd66e3664eb27190f1bc549fd23ee7ba1bbda5b3c7134bda3e3acf0df507eebe4e259e3ed682ac58eccd1553ee23da224f61d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
44c32e36321b78fa2a8e0fa789176128

SHA1
de5067e0389bd9448b742a53796e57aae44c2d3e

SHA256
95f622f879560dd0391f036a4540b9c6654a9fc8ec042a29bb24d7f7ffcee609

SHA512
deddc9eaea5bb91fc10bf65e45235098ad090991416b48a7cc2f7bd6610dd42ed2a4008a52470e6c4dcdd44526f9e01d2b76900074bc30b3c225a348fb5670a1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a26a6eea58a30844770683332ee6498e

SHA1
2b88588c85ee80001168452435749e679090feb7

SHA256
81c62d663b5ce51c23914b9b382ce07a4d00955a4a31bab247e616b6b7de6f49

SHA512
ef717ed508e9c92524d100a5f4cd5843d0377c2bce6549ab4c6744706f20679b06e1b8105c140e3da5bf9edd820e643f07eabe7ad8e291198de746391d5bc45f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
7a98ece783886aa0ae5d2f8d1c5f591a

SHA1
1e0b1172a4f4c61ace4d7d8c6f786ce8f887062d

SHA256
c7e23d5c938414a024ed36d9ce8191f96ef1292dd5425ca387909fe723ad6857

SHA512
6d0c39c90d737855b8224f2b163db149c2aef5ea917f9ece34bd4fc701bc7afd5196b1102b6e48466a6708a4103d87cdfd8128b7702c48dc020766367554fbef

Download Submit
memory/868-140-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/868-809-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1236-152-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1236-923-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1580-132-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1664-1010-0x0000000000400000-0x0000000000A4B000-memory.dmp

Filesize
6.3MB

Download
memory/1664-0-0x0000000000400000-0x0000000000A4B000-memory.dmp

Filesize
6.3MB

Download
memory/1664-100-0x0000000000400000-0x0000000000A4B000-memory.dmp

Filesize
6.3MB

Download
memory/1664-8-0x0000000000B40000-0x0000000000BA7000-memory.dmp

Filesize
412KB

Download
memory/1664-1-0x0000000000B40000-0x0000000000BA7000-memory.dmp

Filesize
412KB

Download
memory/1676-131-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1676-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1692-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1692-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1720-1031-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1720-188-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2692-186-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2692-178-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2716-926-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2716-157-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2788-101-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2788-105-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2788-187-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2788-111-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3028-1032-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3028-208-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3536-174-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3536-927-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3724-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3724-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3724-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3920-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3920-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3920-156-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3920-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4032-183-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4032-1030-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4084-93-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4084-181-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4084-87-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4084-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4116-46-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4116-151-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4116-37-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4116-43-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4456-138-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4456-731-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4456-922-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4556-207-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4860-81-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4860-177-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4904-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4904-67-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4904-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4904-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4904-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4924-213-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4924-1033-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5000-121-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5000-206-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5000-127-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/5000-122-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download