3ce51d6fcc35c0df9e866f926a847ed2ebaf6ad37724c31740487cea2c494c95

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 06:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
Size

46.6MB
MD5

48f5c28b03ccb0fc27908e052ad46f27
SHA1

40c53387536181fa03c8f273e7e95312f1ecb475
SHA256

3ce51d6fcc35c0df9e866f926a847ed2ebaf6ad37724c31740487cea2c494c95
SHA512

3c0dd54e5391680af12483d8462719df36bccc518d61823090935e305d49fd5c0e6aa0e6f7d0af98ebd9ad3e96b020f47d3e974d803b110da8ca8edfe3a2c7ee
SSDEEP

786432:uWV30t40qwbw4Exk8ZZutHTJwlLqi1AFvJ9Yc4vP4cAZCXrWe:uWV30+0q+w4Exk8nulTJSqi1AJJ9N4cS

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2620	alg.exe
868	DiagnosticsHub.StandardCollector.Service.exe
3344	fxssvc.exe
2460	elevation_service.exe
2568	elevation_service.exe
1588	maintenanceservice.exe
2092	msdtc.exe
1672	OSE.EXE
2564	PerceptionSimulationService.exe
796	perfhost.exe
1612	locator.exe
1540	SensorDataService.exe
1180	snmptrap.exe
4088	spectrum.exe
2404	ssh-agent.exe
1592	TieringEngineService.exe
4424	AgentService.exe
4396	vds.exe
232	vssvc.exe
904	wbengine.exe
3568	WmiApSrv.exe
3984	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fa0047ae9be7fb37.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_103921\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055840b02a5e4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2b09601a5e4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1e50d02a5e4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5d6bc01a5e4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f210902a5e4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000aa1202a5e4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f888f01a5e4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
Token: SeAuditPrivilege	3344	fxssvc.exe
Token: SeRestorePrivilege	1592	TieringEngineService.exe
Token: SeManageVolumePrivilege	1592	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4424	AgentService.exe
Token: SeBackupPrivilege	232	vssvc.exe
Token: SeRestorePrivilege	232	vssvc.exe
Token: SeAuditPrivilege	232	vssvc.exe
Token: SeBackupPrivilege	904	wbengine.exe
Token: SeRestorePrivilege	904	wbengine.exe
Token: SeSecurityPrivilege	904	wbengine.exe
Token: 33	3984	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3984	SearchIndexer.exe
Token: SeDebugPrivilege	2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
Token: SeDebugPrivilege	2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
Token: SeDebugPrivilege	2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
Token: SeDebugPrivilege	2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
Token: SeDebugPrivilege	2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
Token: SeDebugPrivilege	2620	alg.exe
Token: SeDebugPrivilege	2620	alg.exe
Token: SeDebugPrivilege	2620	alg.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
2916	2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 4804	3984	SearchIndexer.exe	112
PID 3984 wrote to memory of 4804	3984	SearchIndexer.exe	112
PID 3984 wrote to memory of 4500	3984	SearchIndexer.exe	113
PID 3984 wrote to memory of 4500	3984	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-02_48f5c28b03ccb0fc27908e052ad46f27_mafia_magniber.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2916

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2568

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1588

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2092

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1672

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:796

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1540

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1180

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4088

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1880

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4804
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
21d39dcd890baee2bc054088ff0406bf

SHA1
2619a49cbb58b43caa4f543bb633a65b22d5753a

SHA256
30ba9394265e46ef4697764e8dfb2ae7bfdbcede834b0dd3f0a2d9ce593f5339

SHA512
26182a0a7fe428f187b05558b4d71c58695e0d56c4e75fe6607e27beffa477b4dbeb813e99e6e4d56a10c04eaccef1a570ae6709f3900d884e124ad025b50d47

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
f781595f16f79bf8df953a64b590e426

SHA1
520a5282d457036df72ee76572af7305369785dd

SHA256
386fec34040099c85e3af16039ae7b32b63d1902d72e8709a5c1996c271b3b7c

SHA512
ebd11e351fa3362f8ca8de2d2c9c2fdcbf60484505002bcbe9d8547e15f7ac1a9fc56b5a2ae91433a52c1a23a7724777814a213c9c51b6e246357e2f1c3ad533

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
fe8cbe0106b9fe3b64d10cb361254bbf

SHA1
7e5d972647f5ec5a81854b38c3b8f8365153b47d

SHA256
f1c5498276c01026ad7d1934ddf09ca2269d7a7ad288257eb0ec4100ec03e6dc

SHA512
277a0e17d2a277f0b11b312a46b9463743f8a5243ab7ca4c3b00fd644a1782be20dd794a4aad03070e08f8c2072788e2254ee452a1edd5fd25cbeb00974377f7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3ff3b3c85bf9fbd2d2fdf131c96ee264

SHA1
bda5687cf3670c7bbeacf1d78e5491259da792f9

SHA256
6ecb55b654897c683dfe54781038438c46745012f6db9a7d1b79cc59f1681afc

SHA512
972ab3d499e754c12b7ec23ae5aadd027a6d9d95b0e98b73ab4a377c1f117611a8584d3e63ffe179c7c6096ab69283a5d3d647ba86493697af6c51f6cc8f816a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
58dfa38a83266db6f59dbe6efee59491

SHA1
7bcb6111e34280f8c71c84bffa52866a7c4ebb65

SHA256
00197ba9cadd5348397c35bcfab33dae40cc439af8d74a2e1793f7edf1d62a2c

SHA512
afdd50a14db697ea5cfd72544ea250b025abc6b2be9d7219069658925a59d557e94c1df3182a6b0986822fcea0bb64a3d9eda21d07eb28a8d037ac6f2e48a109

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
646838cbc3dc0dafb21da97f206be384

SHA1
a471fe937adf87798f9c9fdb941a1508227894c3

SHA256
57d63658d0560710448ad4047bd44f7fbb90ec46e9d9eb6afc3a0d69fb3aadf2

SHA512
441b28c49ce7ce24000d8eadba008f5c81c1346bb866e31de8a68a29b5d81f6dbb06701fb6c394b949281d75c3e855dcb3279f9575a1cfd6dc4920de38d1fbfc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b6770b0bdeb126f61a4533548009150a

SHA1
950cb0058e315fe4665f28f0f0a3ef5f31686ceb

SHA256
ca2e7d79ee6d839cbe13c1ff8f9036f196bb5483424497475a77d5ff868a6c6c

SHA512
2d77f96c9ad9431f43a2862f21452ff27c93b632b26a94422d9eb39baacb2b930932d9c49768aec2813344aab641bfe8b6fe05ca019397d9dda86af24c53821d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
609524843246dd4c2a4edbb6b3db3df6

SHA1
15e45104fe16149cd81d13e870c5738b3b34c91c

SHA256
198c231cad5099186e48418c6e1aecbb41bfa3c1b5ad4cef0ee22671b7cc65af

SHA512
e888065b04290b733a027ecc15f305f1ce4c7eba17d62e0f07744b22eb025a209d35df5444484f211d3be64d34519cde5198c59a9d5bfa306d4e56f646d706d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a72b92db49d5843634819ec498afad3c

SHA1
b96b5908e3c9c5facaf44e36ae3c3e5bde9b5a4d

SHA256
91991e5c46c77c2b89028692106da1372a7d53a1093e1bc3c8b61bcb90591211

SHA512
8cf14bdff7cf7bdb7ced986fb55e8ab656439a56973ae2daf92b5ac3b39c9d0df89709b203483e9f7e4c01721ecfb49a5f6b642acb89e58d39df1fcb9ba67eb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0802521638c507e3269e76ac51906cd1

SHA1
f0de070accbd5959d49903308dedd88331b7f76e

SHA256
bb45775cf29a020b25f52dfad5ca54710f8c6fea5a0bb1a036ab8fb0c3c23d5f

SHA512
3f4d66fed3c4912f8949a970282803be82208b7464226bbff65e1d92628ef982f429afcf53f9d73cee90697e013292243b0633cada6e59ff189843718647a66e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
31b8957f143482e07a4f10fd72279da4

SHA1
07b30e5612d66bb0ffba7c78144256f052819926

SHA256
0a882cdea0af8d894feb52885936f1b1ff72cb23a6a4b296cc2abdba5dbbc482

SHA512
34f2fe8f304553a9f5155b7b4793634d5ac6c4da754a513337fe712b40cf2a0a897f8f320e44b240b860fee80995095188d323e266fd7fb2872719e375fe2b32

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ff25dd4f67a8ee57a2bf05cc67d12f19

SHA1
3ae51da8c1b5261f8a7a2b29a129a7c48080c71a

SHA256
660bd98dbe9efebe9f030f24bacc84e266c3d8403b969fa03a60f0c5879662e1

SHA512
be6ed39bfd4bc3f72b8fef90366e295a698de08480cc3ec75899f94702413835f62c1c23c5a530b3b7f19bf8d2d14727bfcd4664d4e6e0fa0e6b94a4cb438a83

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
654e38ea507735a12efbced182c93f5c

SHA1
108b6718b9d690d6c9f440890253ca63d4aa42c0

SHA256
ea918a4bc88aa7a5466ef95c93cfef12b8b770640db3925bd92b9cee5338c1dc

SHA512
27a470f2af51b272c28d00cd5289c7b370d97ab6393c05e32bdccab2aedfae672c5ccc97c6cf62222017912d1aa9e61010d8b9f5aa4a0997df683c1d074fa182

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
83cb30e4e8a3df1cc12ca3774d23d24d

SHA1
99367605febec08466187a2f2301e74beabe9259

SHA256
e669ee5129532db3794ed45cced2f9ce4be0bc86ed985e51a057113acc3c9479

SHA512
e9a7fa1b2164b8d1acf997a2dd031eb4e5aaa24f03b6b3d652a2d58bf13b38214935c4dd54c8c6e36b47b822abb21afec17cc66fe00e09f6fde60e87325c23d3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
3350ead79cb9d1286eddfc91711f8f48

SHA1
1d3d433d697ee98ef6db6944bd13dfbbdcfef4f0

SHA256
32bb019e3c2d47d6359b3492cd23ea0e58668479f6adef6e97e9cc904b04523b

SHA512
e8d9adf0314f5f5d13a2eb1c77de77616f77ad284c5722f690270d8399909484696f61ddd7592f71ee53794c0f9a20afc3b3b9f0c83f5cd1d36e060b79319984

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
eda9f3902bb983b020b7343eebe758c9

SHA1
5328f92ac78a6c61609bb612d14703de2b0e8b97

SHA256
3837f63399c40b38b7789f885fa22506d46b38d3a8ad17774df3fe1fb0e5673b

SHA512
9b8910d5d2f2666de369a19ba94f4079e850ea95e0af6ce9408169d37d0dcb04e5e3c57b22f745e0ca4fa3d7d80a36b08353e5445812735f1c659d588d52663e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
d65562e144f951c53c670c1d49cda5a9

SHA1
ba4e635c9686732fbeea8be7ee394a510bc702df

SHA256
ef55659f340ac690884da7730c4b1b55cfe56fe56240d9869538b15e62674663

SHA512
84c6a390fb9bae6417af1bde8eaa547bf3fb0f6c0368bd437dbf1ccf6a198895b7fc07144951ff5249adccbd5111b0bcf533a3f5de2dc81d5ce1a5f091fb1536

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
0d8910a020c61d18e604096f420b0e36

SHA1
9312c7c7f0c3fb9071bfb1dc08092a367c677307

SHA256
a3103bc94371db7ede191eac0723381084efe24cf2d8769c95fc8705872e3287

SHA512
83be9cad56e1300a2c7d2fa5cd93eb42bf5117a6e6954ea343baa2523a93b657f8f38a1e8dd2551058a4230f4be675629fb6bf9bca6ac5ace121f086ccf90ff0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
8fe482f9223992dc6c75c72659e450e9

SHA1
6f1407f741779650ae568cb83ec090c93aaf817e

SHA256
c6fd738060dcd27673673e65bd59ac9f31b3f961487294cb76ed4ead270a4e7e

SHA512
6df2f0fcda558e82e3bdd38596f9ad6a694f1720fa4f1b883403b54c3307a71d8765b0e307bed05a80a2f24ef1f08361bb8332f0d5cdb8ae53e0d7e454338a40

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
501dccc0b9cf2d7187f8dbe836e76f72

SHA1
d62705d7cd68d1145da3560591dc685d06068774

SHA256
699cf2d705a61c11f92ce026d3f543ed0fc4575cc03fb17292a012d8d6d281bc

SHA512
78f4863d2592e6623bb0440267b4d362e92538d77a3bd14856863ca6cfa60e44cc34da3516200de9f4c81d95b1a83496c2751f5ab7a503afe759631d3a690d37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
88b1eb1f04f0b93db91e9a0428e6f30c

SHA1
78490bfc443f98716e6c0535a288cb197fd98276

SHA256
14561789fa34c640f7142b2fd530e9496da939c78faf7165db3cdaddcf813915

SHA512
b37237768566e7905e1e1e2fb361fba8625cdc8ba0f9e52ae853f80501ee0940b359d0e3a31d5d082efaade8d22b2d83a718db47bf45539c1bc75d7992fb39f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4d1973e19c12fcf727f77f8d1b07275b

SHA1
5d3cc17cae52b214ed968160adf3ed6a5b604d0c

SHA256
8ca3fc6f6538844cfda0c7d847ddc98cbf31af60054e2fdf40af9e535d994450

SHA512
507dfba7a935e8fa6ed51cbb3ddd88befbdc534f62aaa552b8ebb253404e71f92dc750427492a210f8aee3c4e1dec18cdd59f2f474b6706df0c683ea09fadfb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
771e4ea3205f14d2fc156b4963fb5185

SHA1
0eb1b3ca5d89c3bd8d181915f3490bb9ef4d82d5

SHA256
e3efc944e9bedbf00502ba4af292486120c169eb40a2d89ebeae677c06248a6d

SHA512
454b677da29ddf7f2674d38372eb551156bbc4afe154c1b86cfd87e8ea986701f3bffb987a43a96dd324b0d08aeb9793cc2e410cf6fc442d76e078b0c4ddb78c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
b12aaa8e099a9d97f373f83f5bb95cdf

SHA1
66a8d7c8527e20d129648ac7051e5cce84e63a96

SHA256
93920b6afe3a9a8cb013a6b3726f033012c394ba05a9825a7982496cd98b795d

SHA512
f44f7bded70133395b34042f3585b6724170b74fc9f0c25f8e43b57ecba95be9e11f867f8ab26e2673995360e81bf7538a280c490ea301dcd8e407ff6a6905b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
58ff930a5148dd3d8451269bf7318740

SHA1
95a3fdbca5648f691a83a03cc9ccfe4efb00348d

SHA256
3cfa183d44d10401c45d97dfd8459005816ff282ab82ff51fdf368258d792e01

SHA512
d53af367ea8fc65343b14ebb8e8f51778abbfd4f5f5110c3aa8ac28f7d6d33953b406c8725404388ebf938ecd024db105fd4319572cd49884a6665971ce0392f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
5c16dd57d28b76adc0a9cbfb6a23a581

SHA1
1e2748a97c46142d27b8aa49ad7577c85aeff6a8

SHA256
f9daee78ff6689e14ec8588867276c975d41fd9f639f1f0385e30e8093c174da

SHA512
2db083b65ca66636da32001706283fbd0a6ac4988e11e8b0d56e77bb73fe51bbdb6bb9a0955ae7b4c256a30ee9da34d91ef742c9597fe43cea264d13c556b73b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
06463b97aa2688f04314641c0ac4cdc5

SHA1
862d6c2949ab39f9218e9e402b59871d4d15aaa1

SHA256
804ff07d2e6ed1e6cea25f056d314f2c874dabb75605bb72c798a8ad18e68b6d

SHA512
537fb664368995e3b950cda4c47b52ede8482062aff963d1d5bee7ad4b14a123908d0e4c57fc48c0b7dd7fa2ae3d575fd2cea1a1b417a67cbbc86d267a00846b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
88bbce5fc7e5c4bb4b192b69af099f1c

SHA1
ef48b19db1f6606e8722498140a01738daf54b22

SHA256
c0c0d5e00d4a1484fd8e1e8a8620ea23357a068cb06bd0217909439a0653920c

SHA512
adfffec85424a8f6172d545d4a2b0fdd0090652b4524503d4f2bc8b201c26d60a3be76c0b7158115c098d270c2dff6dc077aef17ae7185af01ebe4a7a349ed3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ff0e2377bac093a088dff37a80a42ce4

SHA1
bb10d7b2cf96e5d83941d1232e3c361804eae285

SHA256
79fa998b9c552578e2f479c2fbbba0b84bb4883014b3c2e2cdf0ab4f9a26c6d9

SHA512
240120dbec42922da178c2b6d2bdd36298f5c39949972fb5043a237884c622fdcea04158a36e2a9a62c17bf82614edd922ded51b9d320df0ab1a20675570555a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ce8ba299274c51c53ca279db79a05f1a

SHA1
2d70818a1fa866e25f8097d5a3a75ccda8b18a6e

SHA256
c7de6a7bb50df41a1bde943ec3e3c8b1510ab47312d5a0dd670f68d0bc13ffad

SHA512
bde5a9c50d45ef70b986ca6706ff3e231436c8fd8bdc46629cab80d44f3e0345e7fc09ed31bd7cc42e52a0e9aee9dcb8a0ca229a28dd1520e5bb4ed99cae7b85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
277b55c27376bb0ee6ae304c4b79eacf

SHA1
f68a8d227be56098ab6e706fce4a7e0a235dc642

SHA256
6d388c184d4dc4e5bd235df9df50e8a1fa5775424807f191dc25fa6bc58b568c

SHA512
49852bd2af0eda044fc0da4038d919d72edb17513f87f86a7010aaaa4a59fc889ab2f7613f9c770b0c03bf155d7a470272cd978acd74e7b0d1184fbb3be666a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
0c62d3a49769a5cb19675dabefc2d778

SHA1
717be9d173a4b02b780f92b1a25ecd35496e5d92

SHA256
c6f40074ce1484611b45829c956b2304902ba4a2bdb6a5e7ca2e8c919c81b4c9

SHA512
2b7891e881eac67a21feeca792badc74f258410e5d555c544e1b95b03582aae520fea062f03874826a846ed2d04f6969f015cc999d0d2a76d826e9b9bfc51ee4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
c4f36f1ee4117bfc105fac4b614dd62e

SHA1
3b3ddfb084e1a364ea80cb35b79772b5fa10b64b

SHA256
2823051742cfa09a84459aa516e70201b1a29be9213670ad0a607015d6d1665b

SHA512
090553306985f2298b76cb0e7159db7548f9bfedea5c588c39496e253b8da51892d4e7fa2720ed2da9f62fac4d6ee8272c336df9ccd6f446b4a4391e5d76adda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9ae975e22c6759affa4e32d354ee4806

SHA1
9f550759c44bc9c1062e81092e86d7cd723da24b

SHA256
64ad61befa2eb783dc7a322938e58172e4421fcd0ea1abcffb368005b92cf38f

SHA512
5c65f7fdcbfa6982b6beec9827e3c86d081e4b9b37e07299bdcd1ec1922d0a3ae570b331e4604f0f0fa07ff6305cc4ad60f11c1fa05ac963e14f8614cffdbedf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
2bbc8f3a32d936262b744030660dc252

SHA1
bf49ee005623832e77273ce5f9c6e0fb38573c96

SHA256
2dbd0ec898217bd01c7baf88cb8bc1c10560f3e53c33c408d719dcd2cfb32af5

SHA512
d5a7922f40ba5b3e38a177777903bf8454012339d7306986a60bfcf8993f5189b050d7f2f4263cb7ebc3168e2ca7b83974b23a6fc0d8fb2b1bc1af1e50f9084e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2016cd3e4c59c36cafa8c3a0d0f026dd

SHA1
77962273d3dbc18d9f87e4113fe47c8846d59bd2

SHA256
e8bdd3ab8c189b3542d981e2f2ebca445f0ebca73f64a6cf4e25dc618602102d

SHA512
4e215f19c4ffd4a04489fa5053da4e5c56d82d4093f79dec19855a67f52abca88c8937e425e9c3e4feb8bab74d203dd7f862d28a5595dcacc36b5323e0a190c8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
97b6824188bda502a88c5afa20a03161

SHA1
2b71321ea38183aa6163d3abc33f896e1c96de39

SHA256
9c370f4d76d60ef96d876d8f5b4076d2dd9ec8b2d77c6a4cfd2e4eb622913f61

SHA512
bac10a54e91ff58375b2cda33d13b0a8d6db94a9d8bcaf82700fd0a017aec4e788e838550ba39b22ece8f64243e6a2d4323be8b7d35ea8b7823db6ba94c0824e

Download Submit
C:\Users\Public\Foxit Software\Foxit Reader\StartPage 8.0.2\advertisement\ad.db

Filesize
5KB

MD5
32ae250c2383623617cf2c1345fcdbea

SHA1
d3364393aeaf7dc5ec7ae63dd7f9a9c2be19d588

SHA256
90469218aff45c0ef8b315f8dc3a9b570fa471c6917d8ca4188489f07a976b05

SHA512
227eb4a4f50210a12b875951dfdeda1f9627bd6e57681465e7caabac3fd248181de126fef52d471886a8d08a0fed6e956b644849904e9bdc43c4a0e9fac526da

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a51744fe3c179e2386dfeae5b93c6d94

SHA1
773da93f346bf78c5930715ef15086e5e555b1a1

SHA256
6708a9b97323616372250043fcf22171b294b44ef44ebe54d056e27c6b5bd538

SHA512
93da983fa756b56dd4e40e82125d8fc6383c8d9fa60a4666cad5254bced544e3e490d78fcd444a20cbe9a04904bf174a2e0b0749bcef924f9b394fa044bf31d9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a44830dd2d8b8217a8524e0d05e96085

SHA1
779ecc22a4d5005924eb1b7965f4924c75d7c55b

SHA256
3153aeb57c6b3c6376032f730fae9e507350faf9757796fc239519709447022d

SHA512
c5c92772b061a112dbe478a43b6afa9851d840e354fa5a0101d130c98cac9555eabd4f65b119339bb8d9c7c57a3b9f4f93947bd623e5a7601fe1be37c1b59583

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
84102903402f45d2f81f47c10e8f2ad8

SHA1
66ff66432045ca5a13538bad51e92bbaaeee15c7

SHA256
1fe72368aea7c548e1bbcc5ec9179525f38e7cc25b530c80f33af8af55c53ae9

SHA512
8d3fcfe1fb0d824884d0d9307b5be282d1d039f78c863fbe6549b2d37de30c282e93b879372ba2fdf40b4ebfd00b4a970c66cd890effdaa2258b1686978095f4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
baf8efd317f9dfb858f333db1fc1d074

SHA1
fc9bcaaad4ceafb96724c0039ca0b83fbd7679c1

SHA256
d36aa52a61f90877733797f31e1f469e64109c06fc4abd2766d4055404fa01c8

SHA512
7a559579203edc3ef084f9a8c85bf8ff5758e66e9ecbcb2336930590e458b6609d26c1b4e60c1becdf7cd4d7940c776e9fcdfc001b5ebeb833300bc164b33b01

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
37fd17b2b622b0ab7a0e7f3a0c109d11

SHA1
70497cb3a195261ea62f169e59df7034a7f5ffe5

SHA256
a2b5e8bc0f462d339c193185c543d5f6814027dc0b1e768bdc205a8c2565ddd2

SHA512
3011cb2265f5457f1f37612562b4a22a2340fef154a5ef92fba42831f79cf0ff5ba71d0947f44529ea34f5ad62b8656bcd0257fc892aa89a3ff9c134d54ffeee

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
dfb09a3ef50247362fd2b9366c10c6cd

SHA1
70b84c1488eff40e5a063babec3f3cf76a3ec020

SHA256
711045c8d6da6d88b3ee8d02bb7cac9d4c1cf8739c770b2a86f2acc663eb5b72

SHA512
0ac010eeecadac8f34ddbf95a451c9f3589e6485f2a394719432fdbdca98c45bee1b6be1690ab4e204bc70143f54db86a4b9f6090bf6e72788f193675205a19d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6c9fe729c0db627f3560434f05cab8a8

SHA1
39d805a256268c94068ce37a63a749ac87fa864e

SHA256
06175197cf1a5527f2ea14c6845095c4ff69338834cd01dced0132b33859394d

SHA512
57ec1381f8dfe730c4e75fcda141eb23b18437d28e8fea84e88995b2668945833ff3caca39225366a34e90b6dbdaaf9ec32d55974231d90198b49792d9070f01

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f05115c9a5779cbda8a4a8d4ee7e3a8e

SHA1
cd841f9a301bb0c60154d7612fbb7ce37d88a1b2

SHA256
83629c085d8b7b66ea53670b0628f4aa844a1a836ce76929646a0f07864b936d

SHA512
fdf7308a8b10eb4ea03c12a0c4d82373695a9a7aa18ce284949075a1f876918669c3d5f38a5aad7015fc2b4df85a0729423936756834b354d3a209db8e3205bf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fb15103b4baa3a1e0e64e1b61de9f90e

SHA1
3b39ed6c4f039ae9326a48b703271d21e98d8876

SHA256
66de4d4b0f550b1ba443b23b3260fa58639146ae94e8100329811262b191c115

SHA512
c2814350e280fa12b8e7295a97aa75d350c7f8a6ad46e09b00fd38d4bf749bc390f261266ccc4808bf76cda2681882a26acc54eae151e0abfea1e1293b26726b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9cd5430ea63e8cf6cb3a7fa6b9e1be38

SHA1
dec1544da18e90657aec1179d46efacb679c2298

SHA256
b1566d01cbea7d19e7043be0cf39f4bc8d342aca6787fc45f3d013bdd83b41a9

SHA512
c7bd6cb60f5b7bbaddb316a00e1db6f49ba952aa73ed0b1099075d2fa79f3131c5d201e22033c4e6f32a8add42e0b439c066502365b08333bd73b09568a57199

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
20eb7231ec8041af64a0198ba3f5e790

SHA1
9ed6c4796b797f2cd80a9c0bd3a959260bf5d1f0

SHA256
56d2d1b8467ee41d95381301ae5567b69c95a20c09bf6e8eb36011bfef2895f5

SHA512
14925f409b927d25cdc257c64c0ab4f9dd826696135bc48c9c1d969cf45465981dba603fe68504228e387c1336afd62e33d8de1251466d91003a994ef1309c7b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d9f1c4eacd26adf550bf6573247b387c

SHA1
bc486554ce4c23e7c8c7a1794e55a505b3a956c3

SHA256
6b65222bbd891e99134a06e9bd85b3a92f6ca4e9339e040809f31f62e5a6880d

SHA512
aa7c6efada7402b3cf1d91bae09c0512206c844a1acd5b89344081ddd8550af50d580707c47d8af161a0088a407a731b3e6c43b9008322d6687ae74b4f775e5b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
015f1a1719c1dbb4a6a57818e19dec83

SHA1
04cb17c251668848135a35e8e4d1225da7f230b6

SHA256
71780af35093e424ca50766ab0694d26c305913c43c3580755877c3bd2fce2c8

SHA512
0e3976c6d10b18ae59ce66663edaed56e0d6b9658086eac526d238d26cc497e0850ec9d7243a130c853044b3c7c21cd9251fb04eb79ab3db22c74c9e83813d33

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a7952537a8185be37342974cad578f67

SHA1
5cc141f78900a7b356ac1bd4fdf3f5586a876f17

SHA256
4e8dc1d96abfcdaaa55b472b504186bd53011990d647322da2f3dbca2d2269ae

SHA512
e1ab27d81220c74061d99915ef03e2316ca96cba27925306c6e199567326841e0e2e1d79155aa1d78fe0dca9fcae90e7a738848af5ca2143d207ac5cfee3a1f3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
cd992fcfb1ce75958a27ff57721cdd49

SHA1
1ea3d5d0cba1562a9a10c05fdc69a41996743012

SHA256
444a11c98bd316b3fb4e1c000f69f2c472c083f9712aaa521e4e924f8e783148

SHA512
9dea0fc5cf94b445e428a6f0cd31b3fae702cca5c342f83e1af4a1a80bf7c1841c420ef8d6850db0f5fb719f525a0773db51f0d2f3c55a27ebfa1013b3f625e2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
53c88d569e07a399ffd945dbf5c76a4a

SHA1
81b2ef7b4c6e3f260b141d6ec2b800750112a009

SHA256
905e3c445cb9fa056edbc9159238cdc2c30073c76ea973d86ecd4efa282a93b1

SHA512
2f4ad810b86fbe63dadaa890dbcaded28287957340287fad33f54a91f9924c9c34b3f2a4549fdbd8807fc233b35258cd25912246054db994f05dd070af0c0a31

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e9fdc892cd71e96fac3c022958983122

SHA1
2e5d11e2656aa789ad05e1dbc447c2d2dad83401

SHA256
8ae40f5106ab4dc7bfe7c8315f13cfc78bfcb889ba53e7150b2ec4b71ac57ef8

SHA512
36ecb41565e66a66e4a35b0559a0cc9e282d8f8f986604d30d25118b07eb7978f8fc91ed545bcfa537b69f4de853fe4e89a50116fd50dad20a196c72821e63d6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1660651c093359bda9386baa8c23eb71

SHA1
e3af9085e0287f8f85d34674f461b5cfd9919802

SHA256
7249ebdab4386a36eef38c8ef8d2ee2df9299f917f85c57c79bae46ff4b43671

SHA512
bfa87920864464422eedbb6b44ea802d6615c2933a453b8cca5de087004ee8362803c9adba550c5f5b9f6b2c34d6ff16b72dbb4dd3e40955d1bec7cd076db023

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
35f69cf303f9ca4c5c4dd7a3504b4caa

SHA1
d563a464ba88f239dc0d4f889de4d84bdadebe03

SHA256
bec304674f6c2d1c22b94aaad6246167cac8521f7f879c1962b1fd88889d93ed

SHA512
d2ff72c50f6aa62bfc068b313bb7cfb7924f91b5f944894a654d1f96864070dc0b3a7fc21d88847cf17b2cb94f4fed5013868699df7e08923d5da79d4b936734

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
f14cb40229396ebd933dad9e5b759b89

SHA1
e1d6404b3ca8131a1f9d021ee50d586190384190

SHA256
f0e3ad1fc2fee14ff308ae70450903bb492fbe9c4db5ae51b736cac1381a030c

SHA512
2847ec5fe2f81215dccac7499ac42eaff82e6155e335fae1825d8b9878f1e0a91f0d4ac5fa20b3595139e35f94dcd55052839da5d6e362a9733c91424a9937a7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
2167586d8ad708409339fe032db4be97

SHA1
39de5e096f5c5adeb8f51834781fe00cd931cf34

SHA256
1af2caa7f2d132630c1c89576d6090f77d380bead5b202cc8c99ed68f1d09033

SHA512
bf44880f43753f4895998a6749fc90103df86a6a3f023e3ffaaf48cced7b661d24b758a3fd797d1ebd21a417bf2656f7f6b6346676d965e641f2b728beb306bb

Download Submit
memory/232-266-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/232-532-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/796-197-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/868-23-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/868-36-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/868-37-0x00007FFC9C240000-0x00007FFC9C2DE000-memory.dmp

Filesize
632KB

Download
memory/868-29-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/904-267-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1180-200-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1540-524-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1540-199-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1588-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1588-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1588-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1588-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1592-203-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1612-198-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1672-206-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2092-89-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2092-205-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2404-202-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2460-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2460-55-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2460-529-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2460-49-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2564-196-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2568-195-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2568-530-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2568-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2568-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2620-526-0x00007FFC9C240000-0x00007FFC9C2DE000-memory.dmp

Filesize
632KB

Download
memory/2620-35-0x00007FFC9C240000-0x00007FFC9C2DE000-memory.dmp

Filesize
632KB

Download
memory/2620-33-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2620-17-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2620-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2916-32-0x0000000000400000-0x0000000003319000-memory.dmp

Filesize
47.1MB

Download
memory/2916-5-0x00000000051D0000-0x0000000005237000-memory.dmp

Filesize
412KB

Download
memory/2916-525-0x0000000000400000-0x0000000003319000-memory.dmp

Filesize
47.1MB

Download
memory/2916-0-0x00000000051D0000-0x0000000005237000-memory.dmp

Filesize
412KB

Download
memory/3344-59-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3344-71-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3344-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3344-39-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3344-45-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3568-533-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3568-268-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3984-534-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3984-269-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4088-531-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4088-201-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4396-265-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4424-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4424-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download