11576759fdf3f6571a78b60a88231ac1167e203d6905e1f0fd27e2a3ccfcae94

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
Size

2.7MB
MD5

65026a74eee2763d301cc2b0f1bf8b46
SHA1

16544f2bef53d1fb54773fd7bf13897c1cc05dc9
SHA256

11576759fdf3f6571a78b60a88231ac1167e203d6905e1f0fd27e2a3ccfcae94
SHA512

6327544151406111db10b448ecca161188b15fe99924ef01b3d9cac1058474687b821f558944c1d6c05befff2466541b413bdb82d4cb0b7db8feb24a2aea7d67
SSDEEP

49152:6dDa7yUeiEbMZgZKUxT25uv8QSv4RNGDJKyCsm:Z2UeijgDx22AcMFCs

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4160	alg.exe
2012	DiagnosticsHub.StandardCollector.Service.exe
3484	fxssvc.exe
3884	elevation_service.exe
408	elevation_service.exe
3312	maintenanceservice.exe
3308	msdtc.exe
3960	OSE.EXE
2448	PerceptionSimulationService.exe
3092	perfhost.exe
3688	locator.exe
4900	SensorDataService.exe
1940	snmptrap.exe
4752	spectrum.exe
5096	ssh-agent.exe
2260	TieringEngineService.exe
2500	AgentService.exe
3128	vds.exe
2492	vssvc.exe
4552	wbengine.exe
1920	WmiApSrv.exe
8	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\271932f1c1221773.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\javaws.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{9733680C-0D1E-4BD2-A74F-0CCF42A8BF32}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{9733680C-0D1E-4BD2-A74F-0CCF42A8BF32}\chrome_installer.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f410df4573bdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007afbdf4573bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d25fcef4573bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e98d3af4573bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a11dff4573bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c4918f5573bdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4c20efd573bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
2012	DiagnosticsHub.StandardCollector.Service.exe
2012	DiagnosticsHub.StandardCollector.Service.exe
2012	DiagnosticsHub.StandardCollector.Service.exe
2012	DiagnosticsHub.StandardCollector.Service.exe
2012	DiagnosticsHub.StandardCollector.Service.exe
2012	DiagnosticsHub.StandardCollector.Service.exe
2012	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
Token: SeAuditPrivilege	3484	fxssvc.exe
Token: SeRestorePrivilege	2260	TieringEngineService.exe
Token: SeManageVolumePrivilege	2260	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2500	AgentService.exe
Token: SeBackupPrivilege	2492	vssvc.exe
Token: SeRestorePrivilege	2492	vssvc.exe
Token: SeAuditPrivilege	2492	vssvc.exe
Token: SeBackupPrivilege	4552	wbengine.exe
Token: SeRestorePrivilege	4552	wbengine.exe
Token: SeSecurityPrivilege	4552	wbengine.exe
Token: 33	8	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	8	SearchIndexer.exe
Token: SeDebugPrivilege	808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
Token: SeDebugPrivilege	808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
Token: SeDebugPrivilege	808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
Token: SeDebugPrivilege	808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
Token: SeDebugPrivilege	808	2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
Token: SeDebugPrivilege	2012	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 4952	8	SearchIndexer.exe	109
PID 8 wrote to memory of 4952	8	SearchIndexer.exe	109
PID 8 wrote to memory of 4416	8	SearchIndexer.exe	110
PID 8 wrote to memory of 4416	8	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_65026a74eee2763d301cc2b0f1bf8b46_luca-stealer_magniber.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4160

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4212

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3884

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:408

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3312

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3308

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3092

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3688

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4900

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4752

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2876

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4952
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
05255646914ed9c9e7a8fa21ef154ece

SHA1
5a6ed2db3c6fa71b037e1952f25c6266715bd328

SHA256
dfa1b489bbe858897e39b867a2cf5fb3d527db206f51c115aee1da698c8c95c6

SHA512
de22dd1c2e227de35954cba3eb7d9f96fc92f9f02b86231472d1553a617517129d3b7b4dc43de9d86cefb506632ff8faae3b59d89e1164f645778a82e79f0895

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
983737fa31d29b7e30908587020e9436

SHA1
59c53899cbdee7ed2a453aef37fca70567ebefb6

SHA256
e541e61a26c8e00862d2e8ebe4daf43170d78109e642638047efcf9215f44f8d

SHA512
1b2bc42c25ee171bb4b36e258ca89bb54b3778019df0eced799bacd11ed54c3c91341651b6b0f6d1979b95fd1f400835313a8f8b12964b7717e5d13db2e67265

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
c9b7b8c604d70322d19e4c9caafe19e4

SHA1
6770398262131e50d055adffcd5bd5e8e56cf3da

SHA256
d1461d6092d6e5aab3194cce905d5d31bb95d7bad9a76451728fd023b165af5e

SHA512
e0eba001fcbbe8058d98b4abf600c26669773eea219c3234bcbace897d67752f00a715091f45cce98879f8ebe3cf81166a76c5b1b1470e6a2263bcd0b1ad8c86

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9c9269efa60ef0efe6fa116c83647819

SHA1
a1f642551cb176d9c8d50acf268096be4e3688ea

SHA256
3c573b9ca7ea06bbebb364e6dbbfd687871a614e1380b66a079c0211f53cf153

SHA512
7b120d408cd57a9fc6467d0d2697908d300036801bc89583f735e05a42e63784ea0c1459daa6d7b8b3f86f9a39c28cca2bbfc89870e47144aeb3516cbd7e4b0a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2bde3613aa32d03e44810aa6905b41e0

SHA1
78832b0b5d71105b3dec4fed0a9f3457fdcc5915

SHA256
1a3fb2347321d1d911ae83e135e39e345b0a175b5eb93316bcdc65c31173d36f

SHA512
7cc22f1bc0aa2848c7e225d5f95f084b8a927a352b05ae6912d4ae08620bbaf0d1af21e837da9b3a061469f9c8fdcbc967f13d9b41627aa1892e2097ee3b4be6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
0c1abbb60d011e80ca3a19a82e350065

SHA1
a6316b7eb7d87a1ed1e3ccb0f951fa29370b27cd

SHA256
53d9166b7b6cefbce34fa8787ca33250c909d8c15cb03ceb4d4d17cd89a00253

SHA512
1b988c89aecbbe4d0bd34fcfba96ff84b469dd036b5ac9eb7bff4bc91353ce6dcb21dc54d50a5ab8161140dfc8133ae9aa65127fb0a3908dac47d739e6869ffe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
5ddfdcc319c012bb349d8b36636e88f3

SHA1
12ce0ec6f25176fa3f189e1d5e076b5785020ff0

SHA256
09748b6674a886102278f5c6080d8ea87ad505394e5889441d1330a21d3d0492

SHA512
fddfb8a3471323f3be187f6ab73a4a978460b9bfd0395ae945fe07698c68c1899388cb07c8feb1b493fc8c9f60f13e09ddcac147db87dcc9e2bf30948920d626

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
dcd3c8504e452ee118869a5fa4acac92

SHA1
00fb3117c37a9d3cba564ddaedd8ee0f6de39e89

SHA256
6cc2f2f322deaf060abc8c832eda7f0b446f0613ec92e299acf49b20677a7c28

SHA512
4514b04c2f180ed0d0be837f81f00f81b5a27fa9b67f0f16074ec97d69b48037a113877e38bcd4aae4973231122830d7bce757400b95a643bc6f833ef761323f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
a69e4a53f9d880a2c2c1abe158223d19

SHA1
216a41053e08599808764266b7e3566a872bbb78

SHA256
12310ccc4182f447e6c9a13fb4777cab25e5a633c3696e89025c9f19a1c714cd

SHA512
fe73c1acc2db209ea97baf8db7f199f6b37d4d96ffdf8a8f2e386328ef1af48a34b7db8cbad33a21a87c50baa44842ffae6057fe2cac67904b45c9123b24ed9d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
76812044a26ac9b6be72519442b48402

SHA1
425aca8a5e9376b86c8232585f416805a39c025b

SHA256
b4598c8d466462115125860def3591f2f2678738df66ffeb30ef2faab531e2f0

SHA512
ec5df2090b9f77040caafb7016e8baff46473f3b3d961b70dffc5c9a19537472828fb77e1945d56a27a5b90434c33765296e18705785161b5eded322499158b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b57751876eb6cc2ad32d5c37eb912944

SHA1
4ac3d457cbc53bb0bd24ee25cfdabb67941bd21e

SHA256
1356dd16c98e059f697e9747f1bb05e251610ec74ccfef7cd54cd33e2183557e

SHA512
d4ad36f2a075a3c5ac45fd7ab3bd4f8186d46214d4b7be243bbeae01bd7c616c53e46ca6ce2ee15290450d7d4ac7159d8f1cc4caccfe3f61561299c6ca938dda

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c529579aba4676e0511847f78eae123d

SHA1
a2b0f633b1183c4a26267c7f76766de1ceda74fd

SHA256
4786c97fe42924869b4fa3fff4188f4c8bed8a5eafe9031a7f3db0cd4398b92a

SHA512
103f7af5e95e634a88be31057387e774bf2a474faa3016b22ed5330cc01df478b5d51361799f0de49791cd163e1af824e63f69885a023dcd1139e73e75e1f724

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
7f0f4e76aac6df4bca0d02c77bbf9253

SHA1
b5ba9c871ce9d7c9493f313958d7dc12443134d6

SHA256
dc09f0453a2b0b68a5479894b6795ecb2b15677ef34b6f0be8a50b3cde697b3e

SHA512
13a5473d6a2c129ec416541beed11201782783f8b2083bb1e2ae80efd6381997a2785901b4df40cb0027f8663ae610fdbdc3e8bf393974377244b98008ca63d0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
650252c91cf39a32c11d1a164f3cc25f

SHA1
cc9b09996aec44c619b15ae59b00c9baee1112ef

SHA256
0618b1de56474a26c3bbebcaba2236ee863f2a3a7222f7a7bbb743473591e30a

SHA512
d003b79b967d2ef817d4b19d395cc28b3db79f0057b11ad5eeea7e8f6468f6ead3e03729b7559ebc377d05705c08dc4bfa79b1321644c935802aa3abd9936892

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
ebfc370c73e47171972e101925c06b70

SHA1
5056c15bb77a6aa3dfed097a2e00214b1dc3f1e1

SHA256
0cebbfd1a169c321febea4801f0fb0d6ba37893cc637d92a6b9e725b4b59bcb3

SHA512
48b353170b413781a08298a53606d2d4d350bf6cec1a3c0f9972d4181df6a71bbe4a7a249c366ae495833d4db65a4eac7b4f8cb8f9b1647fa8b9591716f5da92

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
76c8b47f15dac17c47d571491aaa6e2a

SHA1
b3030b80dddec61b1603d37d96ddcd9c94018623

SHA256
0a8698d5588bd010940862e407801939d592e95d198e422548c50b34a9e208d3

SHA512
2b8b88fe4f5b012a3c9ce72e99aab1353d85c92199684164c476dc27ed56c0a8274312eb6a989414b407a88c00bae4b5dd7002d4af231c3545993e69bfc4b4a2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
8f8538006f24250855acede97edd2ae4

SHA1
fae43f0e509f060e40b0c39d32230952bf763d09

SHA256
4730b9b4549353e7dd60acdedc2f65676381f51fdf9150f06ae2857a7f2be498

SHA512
a999526e21bba31243fe252e394d72c45c6472d7888829136ec4ea1cf165ee8307da7a363588b8579f8c891435467beba4f3af745fa40ebe4d44f9241ef342c5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
60fbafd029ac6a498f502b57d652e7cc

SHA1
862b4a4d44f39d420b1de16b6f1e19baa8fd059d

SHA256
f68206d37ce057672b79227546a6243f7aa0ad733ec3a24ac0d127469a79560c

SHA512
63dd9eafb5243684ab9dc125f3ad4c255f8343146b85b95efd5b11d1dfa1a4fc2019b6683b8862154483bd723f3e0652f287f89c3852a889ca9f1aa7e5b08cfe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
9bb89dc459f5a15cdc973f710334512d

SHA1
9553e9bc2215ce2761381deb32b7c67f391a1e47

SHA256
8caf337322b9c7c398bb9ba8178f42990f90ee73ad40165148681fb808ccadf9

SHA512
c1f1a9fd08012c599dae77a326203f0402a0408215dc9ccd65955c61a99c4ecf9ee693973e899017d2bf712f873dd32f1156235c37ad056be1b76ff5cba81735

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ee7db0cbe0c93a9e8550266537e15b2c

SHA1
7508067fa6a75f39d251144d707e565dcdaba785

SHA256
529484670f2780c27c7e486a9915a7346c308a9b8d8968010835ba8d2b50a960

SHA512
999098bf2a1521ce9fb32697e48d06fc37f60ea6351a3e661cbc5d2ad9bcea0c1c24b854aba091e2bf649a8f3829a53c45e67a4e35e8d427e53ec72e49a4a83c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
2d84e721ea8b95950709d958ceb8e3e1

SHA1
0d61b2f1a6dc0f6755c778ef0f756a7bc557660e

SHA256
b350f4a7b4eff63b33d23e1471ebb9a80851c9d11ddf041ee68187d88e9f21ba

SHA512
54283ea6ac780784451b76e3d23282b5073b617711e4ecc3664304f584745f814d1cec0ae4a3683e40ee649372a7ea534ed0913173aa3c7830e364981cd94463

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
b67b7b9caadba5fea1a705216317247a

SHA1
a883401a19f92504e4effca48b240131ea05e91e

SHA256
599610505e279bb143812a1b911b005bb8eed8f11e4082bb0cb9ec00676edcb1

SHA512
7261ca76f1b8cac87a7e74467ed25da3a5abb9291a21e73b22504009abea95137ad76e13b85abe2b30a85917425b9a99471c82c9e2d8d10e3f0036c293317440

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
79bc31e2a73a54d627cd4332dc0d7acc

SHA1
54e277dcc9e21e276df9667fdb825a10a80b6dae

SHA256
a85822b3fdb70c82744cc7b63ae5a7faa893aa78ce1e9ca605da39ccbba1fc40

SHA512
785c93f36beb9ba6cc96d54156bda4eda5573930eecff0bc22e984cda40ab533842762774a475d13acdcb70fd4d33a0523a32d6716b1d73a481ed5645414be9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
8575a666f9ffa9e95ffaea74f77ff9f1

SHA1
04dda9e507a498e204a1e94eae986ecfa760cdc7

SHA256
88e79cce7f972ee6bf1acae3ee5557d76bdb6eaaad353015030be61380d7fdbd

SHA512
82b7bb6ba8414b16cd548b2752031aa143e70ffe5c85b55fc6fa85f1077971f22200d440c872b8fd0455a975414d4f11a1164f8f50271a246c329c3752aef072

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
51420587d7639b7dc79878892c6cff90

SHA1
41f5d3407a78eb394b32aa67032cf2dd61631960

SHA256
00d1133adccbca3d883b611cd739d1d01f2c9213fde50906b5880e53ef5ef661

SHA512
12c8544e0117b8e0ee24b6cbead59a5132beae27c87994d0042f96c7779e7f86e79b67105e3957df24465741c66071c977fb823395553c13456ceb8694b7f0f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
db08ea613f6cd80bb18bbf8418149c26

SHA1
f4640701b48fe333cd4b55004e68b23a259c695b

SHA256
f580ea640efc5927c7ea8ccc872e65e50b7e72a6ae4d631b2c71f6cc485d7c8d

SHA512
4abb559ff0d52b5db863c19fbad095ce3cafe6387d6005526df5ab4dcc4829274b71444e4070c895f4f424e4394bd6d8fae312b0c9a4a9ae306686333664da26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
89d8eaf4a52343a400629c87e1e11696

SHA1
9fee215cdabaf3ba0ab78baa8e2dc19bb953cbe2

SHA256
5b10c96e7ac3dca788ba12319f9faf982c54bc2cbebdbeb947f8bf37d20fbf57

SHA512
f56e569a41e591be8d05e8ab80df6fd267f53461db02a99d96dbe78ace30732bc18fb162ec9a7d32dc8e2aab468aa707e38227565c4550ca85ed3f201601d122

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
0441bba082ac683d8162b918ddf1b225

SHA1
20d0585e98832fa1bf38a656dbee0709413deff2

SHA256
fd7f55f624b2f2b80eb5259bab93f2b55e1db15a545354bc37fa08e0b16c62a9

SHA512
c41e0256f015f05091dbfe8323ad324f59e8b93d2540835d58360ba484b781c56ff7335f7a8e6b461da95b9e0bf707dae981bd12ed36e655341b49e625a43b6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
11f28625160c168972a667aef5bfd9e1

SHA1
d47ec8c49871070c09e3f18c7bfe517e8aadaa89

SHA256
7bfafc8e77df3f1a9ec44013adfde8f5d9e5730b9693d38276d8fac6b2fba062

SHA512
9e229e0c7e1c9ced7aee60496ded30394c66945bc630a84575c0d5dbfac177c2d3159fa63e82bfb6d3cde80bad082943acb62049e13c5c2e8ba3c8a8c12f0334

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
53810cb005570790e365143078bd2583

SHA1
e750978e3e159e80efc85465b99f0433ac11b557

SHA256
792b1caec631937e00adae3762cf31c6dda905bda5cae05c083ce9db9c8b6311

SHA512
689a9b8aba277bb89ad85ffe1aac5dfe86ba954c965c514d63259137213d3b5fab87122ddf0f2233325b14ef7c5e606fd40de11897069acdbfad32512ec3fee9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
5ccc484cc8292cafcad6a6d7a3bd8ca2

SHA1
274390d1258b7489bd054c2cf7916a16f8c39ddb

SHA256
e361bf848a4aff03f00d74cab40eb5e6743c8fb17ddd665dee708492fe325acf

SHA512
26fb2d789e7f7b8016394f7ee13d547abb7552f526a026dc95f99e75d4725d47696388ba611ee129b1f5a8de80183b6be264bba893bd355df153864e6b1b4c9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
ba1e02e94144cbe6fb1afd9c5d94fb25

SHA1
32dcc94109828bcad6bc700ad866f6df33fa1cd8

SHA256
8c9da284b1607a28ab8e6af2029f96272c9faeb79a0a8aa75b7351e7cad510c0

SHA512
f5cc4425f650dd3a4b4446888d3bbcb274591dacbdbf6470f5ec2217abd78500fea1b3e06610c41722d41c43d9f80e513b2efa8514c8a71089b8e2b203ed7048

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
49b260ef8b5c974b7aeb5b66f147fc0d

SHA1
f9366199e4602d5d49192f3c9452c40fca9f0dd6

SHA256
06415089ec03549697aeefbc65ac21fd54ee6c14c781fb278bde9e25094a793e

SHA512
f0f54c97b352be17656dd729fda317800f9584070096fa52ce79889ecbec9e639e1b72fbe4d5df993f6ed2684d494a2c917fec5e2768e4884f9e744f94137b5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
df8598d31f860a5311429e340b9d5bb3

SHA1
46a738bc99b90cfe461cdb9a39fae362a7d35b07

SHA256
b23ec938fff4c080e3171446dd07605b47b8456733f3d8717ad69976470c3236

SHA512
357acc6390e8350908fdcb249819022f67353cf59fa3274ec906f1f6e89695abd1e1a7e0bdd0937ec94cdebd71e953c58c16a427d974f7da3d85de11dffb02d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
cd25c590e7269f5a4fd0eb3134b56233

SHA1
4fbbfe793d0da9c19e9ade0d36f7d6af40b1ba66

SHA256
6b7c98e0ba61c1e2a3f02e4074e86465b6462cb5bff7c1c8a4ccbec0d3c9731e

SHA512
cdc56846fde45bd15e97fcf6bd580eb104a3282ef0279248974ae641d6a1899fd41592e514d6bd49ff8c0ed697a98f0d344971816cfeb6fb40499760ff688603

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
366bf1a3ae0ef82c9fefdedf2c9e3ea8

SHA1
88dad5e94e61fe14007eaca30235fa683bc1a9d6

SHA256
7aa80ffb6c5b482fbe4a784d8189533a53e95cf7546a2de5ce89d0667a970fab

SHA512
c7e5d7578c4a4ba103fce01ed0b7433ed87344304875ad87cafd73cdd3acb7ebdf18c3058d282af3080fbc9d3d53e3cbeca469feacea33325c55aa9c509e367c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
67b658776ac1835229c438b322d1560f

SHA1
eff01c7af11b0f1fdfb9f200f81b68a6088aa534

SHA256
182f3bd8fd59590949048ecfbba3bd59d5922072a5f49435488b5baa477d6dee

SHA512
ed964c6149d749a2a4b904e1b8fed75d218a366e5bf6550a7fbf202a577bac7886ddcfa9ffdac961261680363f636251bb56a33a737965b503f155756a12f9ab

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
5dfd28eb06c0178a815f52af574692c4

SHA1
77876561af3cef84a9d167f9d6b412ee493a5c04

SHA256
0a03fe7acaab6876d7bfc4716326153a0bf216fa4deb4649b169c472dde975b7

SHA512
ad7105d4685c03f4bf2432d976d86715125a7db09f7bfd9447182ad577a516c42480ae4d63a96972c988138d70a68fcbcda26b176f791803170f594e6437fe45

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3a6b04d1182119dd276ffbe232c8c30f

SHA1
190d41cd8fa5d3b846e1aded1124358a8e76f17c

SHA256
99cae101fe625f7d697df4a0ccb36502051b9a881887c30d36818a2c6f3383f7

SHA512
953eb2ca2c3e888429e8a8e5f924dabf7da9d1bddba6697dfeffbf857191666449947f0646035ec253780aeda6462b5d2f1662413330664ffc4885176f689c00

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
435426c043b69009d430a07b09cf71c4

SHA1
01dc184a00617e55e7282f9740830684b0994b55

SHA256
d601c3399164c74a7b8150dce721296add6a520d77f7f91a2fc7b6c8e0e54aeb

SHA512
9cbcecf71d6b232f2ba53e3657ba477634cdc88d98061af479a549100ffaebd99e746a75b933f3783c6adf52b39dae70f18635cac403d3a42f73d56704a56b1a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
cf136da139f018b2bfdac65234039706

SHA1
5e603a384886e45a4495a587b40b197fbd518cd1

SHA256
649f82d21db6450d4bd39cf71bd521eb28792dde9dc7ddda9f8bf647f6f5f776

SHA512
ba06c96011983a38f8a649c4865d1d10cdbb5d90b04edd4161421ae6c3ffe7feb86739fa988ed1c9c0e10d1b22824579e28313cb265b170cd48795dd7086b195

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6489f61baad1cbd84b5f9c5c58eb3808

SHA1
bd0d012781b1db65d5ceac236b49ffd8c87bfc7a

SHA256
d656ca81619d26e21f66720af060a1a500565aaeac0f333654e706839cb7aac8

SHA512
0d38c561cc252d59dbe7f0ad886c3d3485df241025e9e7e5c250f1d36be96ca0954f0c05382e1653edc5805f8d29cd70db83f5997e95e28eb5310ea699f6b791

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
30ba03a548860edc60ad30203e386340

SHA1
3821454ba62ec29c59d95530514a07f889d263d2

SHA256
0a70d47a9c248e13e994072f87fd6bc85565e3ed8f6c91c27742f2b5eb93a40f

SHA512
6d148b2b054fd1ef7bed23ed3779fdfee8fc5328b3f06d0d26fbae92023a3b74676ef43ead554ad95df2aebbce90ee72b6cfaafb22a4090086f7ad3eb775390f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
c44f86cd3a730cf72cf6189875a805e4

SHA1
97310e081dfd0b11d27b40b2a661201beb142870

SHA256
0bea3725ec0be83a8e183b4c47669729951d1dc657b0212b9519cf9bf99884ef

SHA512
aee832483b9a36d533f5a24b706f385f33ff7911209918a90c463c8cbc5b2da66c412086aaf9f97f536bcabace80e673c9fe55a5b906de940638f7b19cd41977

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
bc1ff70cc9d1ffd167cc06d0a72cb9f8

SHA1
23d6f43ac0c7ba3a2f981cd81da778ecba03241f

SHA256
44ff96f9bb9dfa6e22eec8b86aec3e3bbf0ee49adc8b1aafe4fa450828227a88

SHA512
cf11dee2da527556ddb783dee71c4e7d1191b8032a2513d8702a8ed78ad494caa06393e5050611be817eba5527e3cfab7781904ac3fdca9efb2b4f678d7f9cf3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f5a320abeb7cda9c6cd30b626f4ca732

SHA1
678cec47e212dbe1ada0d402ee7f88a2a003f321

SHA256
1664969ce3ad575bb34712fa7bbd4db4e3cf278e04d90a328c237bb062e74bce

SHA512
49a4201d0bc5e978e8e23b685f0084d200e29781d8e846a36089b232b77b38e8cf25160563281effd2339b2e5ba24b66c98dbc780c2fd094d56064bcaf93512c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
90a28eb0c65d12442ca06408707424bb

SHA1
699cd43ae4869f28bbe8bb884abff1a86a92422b

SHA256
fc458d96b4b34550221e34a040b8b506c8001ff22eaf575655581dfd00dfa53f

SHA512
609a54b7a8719b827e86b5dc036646212eb2734e3d63a2842666540e8fa3c6544bfe3fbf1008ffb29028511e57e02e89866307fc9eb8258d0d43ccc151e5249f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f2fad920410b9563e258f6638b7d96a2

SHA1
8a4dcd01de86ab47b28443fb7e6347b95c84112f

SHA256
511e4b22f4c49e238c7b6ecd0d58d4e3997377f3a5e369a998373c05c5e63279

SHA512
aa912699aac79b5c060491f10d75abb7a29a42c010a41aa218d03ed25a1f2e5ffa7848c77c606cfce0b596079e23b89a2672a4c00a95d136d278a7d62a5050ac

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ffe05df000b54e273633434d81231e67

SHA1
018e18d685acf855cfca91e3a79676edb67d6524

SHA256
fa4fa8188204b52c6c4017e2814b59a6309b5b44c89b456df3ead7a5ea729115

SHA512
db6934941b71c719c92f10e8908f834a7b5a2573ab8a2c80fba4c1b2d7cf2c775e2855b54db05bad85cb05bac579e05a8956e22745b5d57c2f36f26727bcd6e8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
eea51016eb2f0ee53600337379f6e2a5

SHA1
277178e621341800e7b4e3fb14fb1c18d96d67e5

SHA256
2febd899ff4a20153d634758773ba9366b2eefac2433ebb02b8038bf86d7bf69

SHA512
4b22d204d0369cb320610dd1687cfe2e226f32aca17981bb502afc63f179b0f97577a0be3ae3d0e6ec1456f484a4d4c83910034c9b508a014c873d5e7a8bd9c7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
0ac81c67d0dcd0c54c5e3a78f020a0af

SHA1
9c6af4eb7fd1af7b4d52471bbb25ec75c3d174e6

SHA256
c11b3d78f4fc08734222fcfc51489b3c006442dd218d787a01bc5b04bb281078

SHA512
ab9da9fd4c40e2837c0a4e8161a9dc755399df5f37b585d5a37b33a5e7734af0e102116b5ed9615b558af40a2799bf64773f3157bade0ac48a86514d42b0db32

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c3e002869ec38b6ac506edc2e66a114f

SHA1
456a1fad58808a35c81f59479b7877f925937871

SHA256
bf4d0a0e3e1a0f91f4f237b605015d7cfc98427c83425b5e3d46246db84a300a

SHA512
975dd63dfbb53a535907b3d51673527208c638aa31063466a8e364ccd70056f43515da9a8e971c2e2e07fa0f265bf830277ae922445f02a45e1726032d3970e8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4f370ab29e65ef1313e60ba1ead32e31

SHA1
dc04e4867c11ab9c0f05d7004510ff9993fad0df

SHA256
d57df5d28c0a037553665f25ff8b335295adb2165a8c3e6bd8df21ffb5ecd7b8

SHA512
b8ee8a153a93aa6a94aed958a99a9d3a373540839f39bbdd754240b1c767c0f75c7ac635c94baf6817869076278bd6e7c7fc08a349d819279a91374a614fa37d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a013b21f7c8f054ac45c172bb7562272

SHA1
7d219c13a2494f40c8f6856efaab9ee1de4cda7a

SHA256
eee887d52aaf93fb50966848ff61be8837917a5890df6ff8b4fe41dde15f96b4

SHA512
dfa78ccf5c9bac6f0ac9a9083c70ae988c0fd7966c2f27f90886f48a36cb39ce5037d1847f96f696076c7b25ca8302b4ac5b54a0037b4fe14b847e7e32d64a5d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c9d440e9330b82959fed6c7ff9b95609

SHA1
832f3989ab25ee38d41ffe1f7893c40c09158f6d

SHA256
aa8ec3a40b4cb138ffab4e45d08a719a6e77f6c8375403b89d7c8475c7cfe8b9

SHA512
8d9ef0e2c1a55e1b300091d61790c6e9be021b3fa3654c4046e8d2c0d3bc5908e99ac691bd81666b907656e1e94afd6c05633fa3d21aa7209a5e3bdbcb370283

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0cdb5027f9059b64abbebef418e3c12c

SHA1
3cb14283379f0d3c2cef2e983c9f9a7c22d7b75f

SHA256
6cd4fc72963744a34e1a398adbc7ef39cf3da02bd742a41457048e66e9418fa5

SHA512
a6853e940e167da86abea07c170d02b50e16e683d512324ca0be9e2d2676c0a324733c3fd340e05577e115ec68f62dd4cdaa72d559666fe74a979ea8aeb9772b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
eb953e9db12f2bc3fff88713ff0d8182

SHA1
3317a2cb199ef6d60c6f4d849ba92e529f35a2be

SHA256
ca9356d7a3811806fb89a11f0eec7fc79ecb03cd2c53dd01f5bff66b47ddf1dd

SHA512
58a6651765db41861cabc499444d637eeb8105d671725b1e09dedb097021f64e6c7a136b1dbb7ca487dbf3fe191613d296e3dd598fb7235911546bd9ff714b1d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
f929950c364471616b6472a9c71e6643

SHA1
688ab70b87c0c423d75efb65724775551de0a321

SHA256
66f0212194148155c4454fc9eecde130ffbcaf9ab45d9704beebc218f3cc9319

SHA512
f74ed661b1c381ad0305b57386c64a69eb928efb325eab4f0c140722deacdf5069fbf73df344abfc4907bcabd4a24b29c79c04810ccba349f4ac684e2e5d4e6d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
0b619466d20d9ad39e8df190c8b8bdf2

SHA1
b18cf806fe18d4c62694680292cace48d2b65ee4

SHA256
0be7f3edfbca3d7faf2af405b9c947c2d920a05f11f5cd406e58ab2b71c75fdc

SHA512
ef4f4e9c3e4f3f3725aad2dd6eb09feae0ab1142ced59031e9feb36b8c3ea5668e612f431702693248b44c71fd96479d33d2549fe869ce9e729ee435793a9e7d

Download Submit
memory/8-407-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/8-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/408-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/408-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/408-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/408-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/808-0-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/808-8-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/808-1-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/808-82-0x0000000000400000-0x00000000006B8000-memory.dmp

Filesize
2.7MB

Download
memory/1920-164-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1920-386-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1940-274-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1940-129-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2012-111-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2012-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2012-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2012-24-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2260-148-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2260-356-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2448-98-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2448-95-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2448-165-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2448-89-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2492-166-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2492-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2500-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2500-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3092-108-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3092-106-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/3092-101-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/3092-170-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3128-162-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3308-71-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3308-150-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3312-55-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3312-68-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3312-65-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3312-62-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3312-56-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3484-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3484-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3688-235-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3688-112-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3884-32-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3884-38-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3884-131-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3884-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3960-155-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3960-74-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3960-80-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3960-83-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4160-97-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4160-13-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4552-385-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4552-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4752-329-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4752-132-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4900-367-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4900-237-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4900-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5096-341-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5096-144-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download