471dc7c9947cb150d2e8b8c8e264dc397c8d7c9d4c163e10ded37df8d10224bc

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
Size

2.3MB
MD5

4c16d3e42fe3f4ababc99fb1534c99fe
SHA1

a4866c4d8ac63a4fa28102649116ca16cb5b9be5
SHA256

471dc7c9947cb150d2e8b8c8e264dc397c8d7c9d4c163e10ded37df8d10224bc
SHA512

ad9cd4074d325d8491274b8887c6313e1540f7e3f910789388e6c99db7b28a1fad38e0106482d2cba778a35c07b4647b7a0fe2ff8e7f8441539e5a1f29dabeb1
SSDEEP

49152:218Ezlgpp7oNB89z0lDyLYMCFIZBCYNIjPnRPGwp6ZU6CENlc7dpJLrQWd:2eER/bIZBCGWRPNp69CEN6rV

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3552	alg.exe
1204	DiagnosticsHub.StandardCollector.Service.exe
4436	fxssvc.exe
1408	elevation_service.exe
1036	elevation_service.exe
2236	maintenanceservice.exe
4496	msdtc.exe
4960	OSE.EXE
1516	PerceptionSimulationService.exe
2740	perfhost.exe
3588	locator.exe
1824	SensorDataService.exe
4660	snmptrap.exe
1184	spectrum.exe
2520	ssh-agent.exe
3732	TieringEngineService.exe
4824	AgentService.exe
936	vds.exe
3136	vssvc.exe
1128	wbengine.exe
1256	WmiApSrv.exe
2616	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f41e39d83e6c0d63.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\java.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4786259083cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b425b159083cdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065b45d59083cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001987d259083cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa507a59083cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a628d59083cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013e4505a083cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f12bd59083cdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b174bf59083cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007c4ae59083cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
Token: SeAuditPrivilege	4436	fxssvc.exe
Token: SeRestorePrivilege	3732	TieringEngineService.exe
Token: SeManageVolumePrivilege	3732	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4824	AgentService.exe
Token: SeBackupPrivilege	3136	vssvc.exe
Token: SeRestorePrivilege	3136	vssvc.exe
Token: SeAuditPrivilege	3136	vssvc.exe
Token: SeBackupPrivilege	1128	wbengine.exe
Token: SeRestorePrivilege	1128	wbengine.exe
Token: SeSecurityPrivilege	1128	wbengine.exe
Token: 33	2616	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2616	SearchIndexer.exe
Token: SeDebugPrivilege	2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
Token: SeDebugPrivilege	2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
Token: SeDebugPrivilege	2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
Token: SeDebugPrivilege	2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
Token: SeDebugPrivilege	2468	2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
Token: SeDebugPrivilege	3552	alg.exe
Token: SeDebugPrivilege	3552	alg.exe
Token: SeDebugPrivilege	3552	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1668	2616	SearchIndexer.exe	111
PID 2616 wrote to memory of 1668	2616	SearchIndexer.exe	111
PID 2616 wrote to memory of 460	2616	SearchIndexer.exe	112
PID 2616 wrote to memory of 460	2616	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_4c16d3e42fe3f4ababc99fb1534c99fe_magniber.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5112

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1036

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4496

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1824

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1184

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1664

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1256

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1668
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

Filesize
1.3MB

MD5
f3939b57907b2ee14bac04bde1ce14cc

SHA1
93e35e6421b1bb4e06c71922771be7684de5b842

SHA256
6640ced29c604659674dd3568126b5e8a56e65c2210e24037734ad50c6265680

SHA512
6b6c512e5692a8231efb43bd98890f12e506c8bc23aa6fda0af51270c33254366f99a3697666d5c2443e0b22efe07eead15a3364f0066537e08a344b4ad222d3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe

Filesize
1.5MB

MD5
4fa499b64ecc8d31071bc067d0cac8cc

SHA1
516fc1b7dfb6f5f7d6dbf4f437a539a3a45bf47a

SHA256
90259b86dc80be2308da4aad187ed847dd5aabfc8a13b942ef50a307c61e1c3d

SHA512
b40602c1fe8f3d1f27d39b5f4364ea713f1cc36f64fa4f0c468ec3f7d5762d5cba1712b771f549b4a70ceb50957b569984b127629dd5318032dca1fa5161be98

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Filesize
9.9MB

MD5
0268ee42938633502d5ebc243aee80f2

SHA1
6fb70257d4f6ba20274024dcec29bf94b2ed401f

SHA256
e66b622fec9a7184755fd021f2c2a6b57cff41d8fc77c85cf19aba080b6f65d8

SHA512
8459763a04d864feb5fcc52c613c2b91376dbafc5c7faa05887749fdbbd75b835672ec5904ee8e9a080159cb027a51692ca31e4ec8f7f432476b6c930eb2a512

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Filesize
3.0MB

MD5
277ebe26ab65e5d22e3b50f462e0da9e

SHA1
917628be18efe8accc72b2ec302896522fa0426d

SHA256
f9d42bd1601b125b7b93e4350d7dc18d0eed28ef25cbcb702a8089e891bcff21

SHA512
026b3bddf02374696683d07a046563aaf957c4fafe5670f7c69a65482d6c25b468030c37ba54518e7e612a963f0aaea60402e16fcb258715b679683688f50e29

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe

Filesize
1.2MB

MD5
ffc4d89503996b05cbedf3ba6a57ae53

SHA1
239c3daf368a5f7c587380ddbe6ccf18aff35dd5

SHA256
d0a8dd1e6417f207902d9f808b86d9a82fd13151750b73d67369dc345820a2b3

SHA512
7c5b8771986d7cb349fd2669a60860da3816ddc5d0fa2e1f5784508da479f1a729e71a813e68ea84f7d632db041562e837282b08666be05886cba1764a99517a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe

Filesize
1.2MB

MD5
b9ca100a50ac9e265e23bfc0830d2790

SHA1
834fa884eed943887548a9307b380048b8f8632e

SHA256
241ead1c425e9bf0abdf752bea8f5435d9b3c6a528d193d7c725ead62ba5bb25

SHA512
65e207d984ad630dd2d0f25991eab416c5bdb426a068c2680201b886bcb83f4826ba00e3ded8fc29245aad86b3ff48877bf9697e665b7278d6f2d90709bbebc3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe

Filesize
6.2MB

MD5
1df61b22553e751452149d8fc4fdbfcd

SHA1
b3e3690d7605bb15cb17b1617894df816faa555b

SHA256
4c2f55c4f4c9d5f950e7c12b83218e1503a2215a9feb92bd85c9ff7465a420fd

SHA512
18b507610460506fbc8154df4fbec60b6b4e5b87275e3393ac99e96bb191a058c8956c18da9714550a36dcd65051f5b082564af52c0f457aea05713a95ee46b1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

Filesize
1.3MB

MD5
a403e5fbc07f16d2b2739483ba596147

SHA1
9279c094483d520913f759a948cbf1f0d83b5f41

SHA256
97e03b0b8831770644453ca49a3060e34e2dea4956ce2619cef025ba3a419091

SHA512
ec40ab9119e785ad08c1cb5675b4180d333f6360f11ef651f17189611fd726a000813e3ad1e346e825af76fbe844e6e4782d38d9cad1706aa2c1af44f174253e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe

Filesize
1.4MB

MD5
19b8e00835bd1fa6cc85466132103017

SHA1
56ca8bdaa40bf124e9f418dbb6faee7df7e91bb5

SHA256
368b42dfd21a2ee12c21da2dc7c8c2e95525e9a372bfe4d5a2434c37b9e77513

SHA512
4e66e2bdee82294d7bbd17be8e8fb4f762f581af511e6e886487aa1b19927750023e490dc014da11c8f929fd8034526de6e1c5a2cee66365cd3f52d7ff0afc43

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe

Filesize
1.3MB

MD5
7789811ecd7eb93e1bf48a8056d6381d

SHA1
b8da04b30a4554eaa1715e23706b8f4dece2fe78

SHA256
a11b62010ad5afed6b320d800ccbe3c61913098a3bddffa27b0d6bac8a660411

SHA512
9db5e3c46505647a9b2d3739c7314b753311a328a34eb7d935573c14db9f3b6904995f28cc446e603299b65dcfa2920d326b80c86a855a8093dcd57956c07f24

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe

Filesize
1.3MB

MD5
967c5aa16feda08b3165993c4b26368d

SHA1
d2c98d64363bda6b806029d6e1f638dfcf2ca65d

SHA256
96e1ed626ffa3f5f15d9053cd90ca84e64a49ebd355da428b07647b04326fb00

SHA512
42d036c70cee789b8d95dba5517ebb6bdcf4bbe1107be431225f56ccd2ddd29adbe50b9ef4d361de927f3c020ad88031da6b42594ab5166d8cc1a520f1915ea7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe

Filesize
1.3MB

MD5
716c3a1feb2b43e7ad713758bf7cc92b

SHA1
7af9731578e317805d122cb14022207583fa27d3

SHA256
a85728af25e354410bc56f3e0fee0a14bee41aefeec424207e364cbb7f5ad0d3

SHA512
b08638b8fd2e6012bee98448af16bbd133343bd90333fbe46658c5ef5bea4f7969344bd35144b11d1c71cc2411d7c1a6ab40b836a1013003c850b7036ed8ff79

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Filesize
1.7MB

MD5
c6b609cf23fb9e4182327ea5596e8587

SHA1
491445ed3a29fbe5bb9fa644a4f878f79f5fa0e3

SHA256
cead976bb938dad4b838fc5453d96ed4e05fc63b2e8e11dda3fa03619c71f428

SHA512
0f8759a5c00fa32ff8935d279efcaa22da8a22ab3c8107777028d6c707332654576d8fbd0df8697a564e366e77452ebd080934dc7eb2cfddeb23a4c4a5b8d7e2

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8d9c2948c5bdefd8814b7b91d680cd48

SHA1
a8e354a02affbcd5b1cf6dd276af198fae2cba86

SHA256
4855fe71fbfc25abdd8996d0b0dc8b0544fb5195697193a13f4db613ac3f23d7

SHA512
09fa83fefefe5a77d4034cc84c7b669f993a3b257168a3138dc390517132287f45d77c8cca04b5ac033abc562de22103c87f4b87a647cc9fc6f73eb234084910

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
49af52e8ee0eec92e7ca8b049ee531be

SHA1
3868bc142430f679259415e61c1fd26e363e094c

SHA256
3c98db09589466846d4c7cc3c465e7cc46fbfec35d0b4decbe31346bf199f911

SHA512
8ea6c714cb8d9ebc291d32d6dea8d686653f0ccd892f0c337431faf1ee6b9b184e132dbb96529032ad37191cf5d15cf7bcbc2854e3f9cd38092ecd78019dac54

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
9922706b5b2bb35a8e98c8aa4175c04b

SHA1
d8cc78ac2132271b005a0227379a797bb9c7ba3a

SHA256
5436ad9b4949537b4fa3254b7617e555998c30e176ff440a01ce52b4009620fa

SHA512
cf168bdd499253bfa083a41b8312c05b5a98e9a8a0fecd94d0287e02863c64b8ba2c55656a217579f88194e135fb00f0a5df47bc77481676297fe4308ade4aea

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
61836f0fe59356dd91204dae9d3c52d5

SHA1
adb3a21cad06e3650bc8f495e36fa74db43f7507

SHA256
b7e01fbc74ce631951a6637240a044e2a67c29edee69bafe248f64ecde5395b7

SHA512
a94dc2cbc4f847c08acb753a9d27cf66bd0b6ca4563cae5a0e96ba407575e10f9dacb005334fa50f4352db0eea47e6fe3fc194837c66de676ac42445190b3d19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\rmic.exe

Filesize
1.2MB

MD5
d9bf068c8b63176a0867034cc65e5fbf

SHA1
3659162541485130902bac600e31068b75bb63f4

SHA256
72164d8257a7989141e2f902c7e009d98be3e8baa94df4bb3f604dac8efc56da

SHA512
7bc5b3049fa7d28de4868e4f83057b45a93957685f18f347a587ed3384ba64591a687174f6fe727ba21ea1c614720e5e41e83efe8963cc9bcef607446c6ffcd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\serialver.exe

Filesize
1.2MB

MD5
efe4c2c1dccb970ab756db0a7b1ec50b

SHA1
3037d546b6660615d40f37828f322641093125f6

SHA256
72adaafc4657451c4476bcbb558099d8a53262a4713cc89b0e4d10049afd16d6

SHA512
5021272dc3ba9f2db00c8fe4d54c7901c93edf5e26761d70b271da10c94d90f07779c91d09e0f034321e17032cfed490797aab9372668e958a43a40bf6fc48ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\wsgen.exe

Filesize
1.2MB

MD5
6d7f1e683695b1851ccfd5746c35bdde

SHA1
647e2551d19ce3fd9029ed81307dfba7f1628312

SHA256
6539779593d2e18f5b766286b860d47093c2f33a9940b857a83be52fc471cbda

SHA512
afc930fb83047f0a974e4b659676c91060950d32403c73dddf2ab15fd07334ec6c714464ea80d6a13832cf961fbeee7c9c2d25661b9577d7201371525455f1d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\xjc.exe

Filesize
1.2MB

MD5
5fb87a7c09905a3f2f453f7eec1de80c

SHA1
c87c109fc310a8e3760bd0f9beed68ac0923c732

SHA256
f650b611d003c4d86e44ba547b6e721cfd98257cf2f70cce0b2ab1f403ed71df

SHA512
b656d18c78ca677ab82960ab2a550f36c6f19d34ed998b1f23dedb5c699dcd0c51861a73070aef3f44516ceb84371431a0ef89e9aeb34864a3aaa93051cc7332

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe

Filesize
1.3MB

MD5
129bf675155a78c357c5dcb61c43215c

SHA1
fbef8889a21972d7c23ba38a9bf462c2a3669bea

SHA256
f04b648171aca2b27646820a3fc12f4b67d63329d1c0114c4875d4e9bf69268e

SHA512
d7b677d0bdbb2c728da94737a0fde2492f6c1e86386c8836b778251ca761b65869b9bb4e5e26c2835bb75523b6020b4f6ebe35c3e09d8eaef9ae44725f5dc506

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe

Filesize
1.4MB

MD5
84fd95d0eb76d2133d4a486d1da7644c

SHA1
c8dc2027cdcca724cb950f661cf6d8b4a9a3bfd3

SHA256
1599bf1764d06d38e26ff61d78a1d5e4d13bb25d47fac9696f5d1106b9027619

SHA512
310e1f71a8fc0ff96c6b780a740e3a373eac916fb792b770d3f540689b20a7af3baca991a4021070b59fa563c32225c5cf41356e892358a0b85a9194ac4942b5

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe

Filesize
1.3MB

MD5
12e90bf88664d2f17dde99b2ceb4dfe2

SHA1
5a9667e0244eb285e9c9580ced1eebc55fc4defa

SHA256
3e51e6405fbc35db81562213a6f798c61ab95152714d5481d6ba572bc0688374

SHA512
973db42de2c74f888af7965fb7e6388e7384e52d77994a3dd16e8d760bfb56c201fb40719202bbadf2cd6a677633dfb5dc46ea22f9d2d9faf1000557620a5a94

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe

Filesize
1.2MB

MD5
79e12635d879880e69e53029d48943da

SHA1
f34874c080ef303526aa41ba34a287aad924ea91

SHA256
6ac903c051e6b6c5c5b074f34467cff1c6a335e17e1f3524493a3bc7c6fde5b2

SHA512
e62fbcca86fe02c9a4165f149c15fb987822cbc45ee16bb5b01c40ab94c1043085cc7303692bcf445b2517329bd2dc143a5aa611b0cb032d8893bc9a292a3931

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe

Filesize
1.2MB

MD5
b16f54cab9a08e037974dcf406fa1f49

SHA1
8b941f4d89306a0d3a089b25b46e1e8b4a11def0

SHA256
04f11b37fd35e272c8b5b893145eaf3f61d87c2795e3cf0760931a8c511ea77c

SHA512
e5f142ba664ebb1826ffdd2873d56e4a508da59f34a0575bde39c62fe1ce0774aa859e76506665b479058ba3f701c5011d8ec9cd41b905daa02d5055bccf76ee

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe

Filesize
1.4MB

MD5
6867d9925b27010ff106e5025de92ca3

SHA1
5ce41450611f4530cefa4fdb247cb3c8c9a3be03

SHA256
f4ffdf3a371eaa26df10c7d0685b2e709f755eae4f435ba83036d154ba6e0aaa

SHA512
40059f68c2977274b32c71ac08e82bec0491dd4106dab9805f3f5c30044ba51941cbe4cc210b10fc2ba7e6c3abf90fc11527096e55ef97af3a3883774be1ffe9

Download Submit
C:\Program Files\Java\jre-1.8\bin\java.exe

Filesize
1.4MB

MD5
fbc3154d559c29586d2ec00d4b1b51ff

SHA1
29c6a505b0354eb7462d3105b179a6c26fb3efb3

SHA256
357ac27784df4700696b88b5969d7adcd3f1358d40fb1951f5131987b08673da

SHA512
d992e2a9eba84dd2b51be17cdcf2b84f763733c975f0597bbb2911fb0923b2412cae22eaa9928eeffc6e57972c8dff9c6f0c6f6a08a06ac32cc06aa7befc3935

Download Submit
C:\Program Files\Java\jre-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
f124423df03d87c2f0507770bc60c657

SHA1
5be650160fcfda4b9eec611032302b48be282d59

SHA256
5415fb0889341e2d3651cda0120a82f0cc92f8901498be6bddf8ce831963a6df

SHA512
c85b2521c35cdbe0ed0a34b583cadc9708d4450d76c573bc2a6e2b2bcd93e0981e32cc215ec137188a95e6353be55e3d48e5bd323ca5d3295086f0c8b055c7f2

Download Submit
C:\Program Files\Java\jre-1.8\bin\keytool.exe

Filesize
1.2MB

MD5
09fc39e17ba6185a622d44ac2bbbad1b

SHA1
dcb5cc6ae3d97d0957e72f666724e2c48c861b67

SHA256
b638a584502f92f9268fcf877d19c68e26bc1aa050c3ec59f1426374ac6aa6be

SHA512
04a20f5d832e02fb36a70cc2d9b438e026fc2e8510ac596b70480420aa8281ba83b22f68daba94fd0db2d267b1d43425b364642db14c0d00888c333220e05776

Download Submit
C:\Program Files\Java\jre-1.8\bin\orbd.exe

Filesize
1.2MB

MD5
cd672cd7f389eb410c6dc8b1fcbaaaac

SHA1
03e7ad446f92672fbf3b51f656f84fd6fbe0ff37

SHA256
ada66b97001fe61ad4f49075e91575b5690ef8f3b2d0ca42988307cf009a1dad

SHA512
55dde1659335a5b70937d31e0859194aeec87412358bb999e22fe2c66932a8a1f3aba00fcf2c87b7995e5034c2f9a241f1395704e78088a0b7780a0d76c3002f

Download Submit
C:\Program Files\Java\jre-1.8\bin\policytool.exe

Filesize
1.2MB

MD5
0ad16bbeef2b74293e3455f6dfdb1702

SHA1
543a6bcccbdd2495631bec5f64bcb3428c316abb

SHA256
baf3392cc342ebde64e6da4cb2c58074e63a684608f15d323e8143a625693829

SHA512
33a0ae9447573d01d0a0f2ad158ef2c5b7cf8693cc3b7bc907c357fac3efa6e212a9bb3ceefb77675d2b263afd8989f951ab514410f152fe37182ceeebc2a462

Download Submit
C:\Program Files\Java\jre-1.8\bin\ssvagent.exe

Filesize
1.3MB

MD5
f5762e8f57d717c99aaac658c70e6833

SHA1
3659a909b828b2477775cf2f0119a48909dd18a8

SHA256
22189f9cd37a5a5218c2d41554cef133c9c3291a998bfd798bb2ee1246a68049

SHA512
71d084acb8a75dd1d68db3bb978c640a14020082de3a1f4c943d28dea7adbef594938f89843dfb643e633e691ddba4f3fb25e9a94deb015bb5d38d649c20f44c

Download Submit
C:\Program Files\Mozilla Firefox\crashreporter.exe

Filesize
1.4MB

MD5
7859095bcc1e7375d6653f5418e98403

SHA1
281cffe42089355871214c2d79f85b91f4c6432c

SHA256
b7ea667b19babbe910cef7f96b58b90c8bc1d1d31c13f1cf003902148c35f9bf

SHA512
a32018ecb6568d34b52f19f650faec001f850c3143d74cee47038076eda5910b4e9162a318898995d7d6763901ca1a9cc1a98412ff149c91340e9fe4ff2b3e89

Download Submit
C:\Program Files\Mozilla Firefox\firefox.exe

Filesize
1.2MB

MD5
7f953a3cff2e7c1bb845e28924ba1ca5

SHA1
abe37479f2bcdc22d6e4a7d1eb8e874a092c428d

SHA256
9ab154c765d8ab86664b1eb38a6da82d5539eff3c93de0ff8d76f6ab3fc4bc39

SHA512
309a1ac25c87d139def95f443c59f8be3368550799edacb5d7b06dd3e78e2cb13a15ce087f13328d45fae1d2c031eb4f085c1b3e2a0b0341a8b24854b5a7889a

Download Submit
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe

Filesize
1.3MB

MD5
0e0e647a1e6f0ddca7da65fa2f27b950

SHA1
a4a4e89754b5d22bb9b91355b1f082cfd324cea4

SHA256
83c73e0ce54fcf07d23f648544494f815e6823f089c732e86deb1aa425cd3dcf

SHA512
57e46605178ad1c4b933020fea5d7fd45f8d5fb25959145676d00c12552ce52ac56ee1b35bc91dd34a175ca7ff4728c44551a1832ffe3882ee37580af99b76a1

Download Submit
C:\Program Files\Mozilla Firefox\plugin-container.exe

Filesize
1.4MB

MD5
786c598535264bdd67cadda66d68d18e

SHA1
572cf2f6f7f15e156b064dac904d9affc2839941

SHA256
30eb1670677e74e47fb016dd7c12e9eb993dd36b4ebad5bd12385935d9ff6a54

SHA512
846fde8193164bbed3d20897a30ab13dc698733ec1a5a68de53e5dba99a23e1d09c957de9fe5acc69f01fa27df1f4f8b05f866e6cb03883140bc71b46aa1c709

Download Submit
C:\Program Files\Mozilla Firefox\updater.exe

Filesize
1.6MB

MD5
6a7d6f7447f279ea944789adb01eb211

SHA1
847f612d9e95336be52531eaf4998a45a1c70884

SHA256
54c03ef654a80ca0271d3d95fbbb45ac842d77093db193b2ca7a3dd28c170e73

SHA512
99c25d683f983a8efc141c2a15a3f0df1b69809015067dd873af9485896f66fc2baa49e05f6f306cc9c0c234bf3d6f33354288df9787b4f0a27b87d0bbac91df

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b67671c3986ca0fa8d2ac0c665d540a0

SHA1
23d2233d833ddfb68a4be88e3c1d27bca502a8de

SHA256
a09fc079be6483744d06c83b479a51d23613217ecb5d8b77e0c77326ba6f5186

SHA512
39d9696f1281b4cec60e253f6e206dcaf6cc07fd581e133877a91fb531ee89d262b29be528e0448b644ad63cb5b11ec29c552d54ba4ff280093e47c57decd93d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
4fc097a19a37836ebd53a5e7d3d2df18

SHA1
847cba3f96349be665e8d6ab165ef292f6faadf6

SHA256
f07d3d7cd0689136e83a4fc95e02047f6f416b86273d1a9c3e808090dcae28ea

SHA512
10dc3c9b5cde21af9c04586f58ad2084fbe9219246b0cf245bbadcda5b0e9b98b5e3bcddfab876c78c724fddd30accb895a75a057975ae0f920af8dfcd1f8dc8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
13c235c66a075c7b369494b77ddb5aa3

SHA1
49d8bf42f683b1514ec585d8693c7bc0315f6311

SHA256
896d98e04785730559d5b68f4344a2e2be4cfe4ab832ffe07b6e08dcf272e71e

SHA512
e440fe8630df2f20dd56f56e7c4bdc383e10688d0bbfe5f3d04f4a991144cdd8bb4a1f310820244f1bf4c716670129d248b0a024e979bc1f1aa5c1effb11b24a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
fffd4c0e6ac3b4e7063955be4647d097

SHA1
3dde09ec2e3f652863049c72288710a951cf6756

SHA256
986ebf3c85fe4fe023e2933cbc1407726467488528f00135b2659a85daf35674

SHA512
155f41c09f1f62bfe78202539cfd699a36aa0f94ecdd1faa859f5e7920585b31c60e3ade3b7562880bae6a678feac5a701b39bcff121be1c4d8a18eff1f5e401

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0bb1711739a9baa4f2c6bc5322b51d66

SHA1
32bded23965a2678a9a8749009c898f871d6c17e

SHA256
e9742d1312b139d7ae17237d26b69d66a795720891e159257e554ceeb742dbbd

SHA512
e9bb967614c6da9db0bdce40a86985c6f10941032942da4ef3150b61f0a2d7f31388a730fc24e1abe5891c394db8d2b6f487121dbda82efe9b67bb2a885f4a90

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
54ce7eb6f7aa3b054e6d1db233f05164

SHA1
41be149916c99901f2be09f79b4a7ceae663f764

SHA256
2a556070aafd8df9f3f42a6241f1e8bc889a8811545bee5db22ed3694c6a38d7

SHA512
ae0ecb333833ed9285b46016bf53aa473f0951132619f0dd25a82648fd9f5801e4a42be07589c8565508b5d6317c14fb85898b96e96e50fa08ef0e68e51beb83

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
cb58350ab7dfce2f507ce318c1878062

SHA1
8bde5bbcf4a78feceb6d7eec6886b6607162e836

SHA256
2c2b06dc3f00c806e3accb1d4c2c1361c3907def91da081046b43750278c85c0

SHA512
08d8fdc688ed193d89b5bb047a71d761b83b30e9569f4f3746590774d589e5a6543997cea4a52042240f20b2c47cb57bbf2d8f07404e189292e1d3382194a54f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
95fc9d952be56ecf056185a3c2ea59f7

SHA1
598a44bde3b1f8458356b783fb0702de40411f8c

SHA256
b9265ac2cc6fab6856969fb1f072f509f78e07cd21ba58aa86857f5828bb5eae

SHA512
06c3665c1401b998c2daf82cdda42165ef5cbd4b34ca2f715ef11cec0fe8baa4aa463afc68483e87e129cc6bf27f863598f728c78d94eb36c0e75b2ffc46c4ef

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e7393f622c9216a90e7db03733161d0e

SHA1
9d19266e250291f4f0bf4a8c882ab379c83940d1

SHA256
900eb307ce14ad8be05ea5ace6eb0e95e85f96fb55912572ede63af924ba5c60

SHA512
ded5ced081c481842ceed620135b69d1c0ea9dac2c6ffef88eddd52a23b0649a82d2d7d92e98b10161e9d993dcb5ee649ca15d43191e0fd9dd4b984a019971e0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f7d8491b0b229628ace14b53948f1561

SHA1
9cadc91573fd1f00f3f3f098a9f0b4ebfa300ac8

SHA256
d1ff868522e8b8040a7e83e8ee2c065a5c4fe5793a5781f5cd9dd2bdb3277eb2

SHA512
0d7fc444a9ed6c1b89c3245afe2bacad6bd199618e2b9282120d86bf824525f600cc500c412e9b0238a8ea8d49ab9e746da420f1c64fd7ccbf3bd70e20c2efb3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
96702882638eb56fc1fd64809211f078

SHA1
0351b614442ea002f5500be6e6e41ed5594ae661

SHA256
13f10b3c8175bb912fb6c7094457188bd3cb53debb6b878d70967e713642987b

SHA512
2ab4cdf028f62331f54a6ea2a1a62efc065c8f35f0b440c781284550aad1e1884fe6522c190a76d0df7642f97253ab86699abf3e35d6c53ba2387fc85ecbe05d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c2df30c875942b77ddc3dc5e0db849b8

SHA1
8bdbcfbfa14dac70d36e5ce1b9f81dd068ded368

SHA256
a88153e5fee3e4feb449cb51719192b99e863b30e9aaf441cf8b68a0b8d39e28

SHA512
e365fab3759992a930e499d7a5205bed641dbcaa4efdd3eb7501086414556d4cf93251dfe184ca697ad6d1d641c453ca45d59a0def22359beac8c1399d9a94c9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ec780aa5d99aec8a601b4d84cd2125b3

SHA1
859c9a0100642dede55b3ec6bd3746d5c96c2114

SHA256
b260cf9ca4a01aab3c704fa3ec3627e4e867bffcd20e92eb65dd347b98ba548d

SHA512
28f8712cb13acbf0152ca755566f6e81e28554e9baab4a05e709ac016e31031b34e5c6eb8262c2d0877716a0b152422d586ccc5ed64a67bf91bca69c556940fb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6f0cc6f23552ec8eb94f04873a3de596

SHA1
211014e5c9e4d18c7c9c4f65b0fe6b18b5f9efcb

SHA256
5686f27f428bdffa34bc7ccdf4bf7e359e534c6d9181d408de545d5df98f9c66

SHA512
398b74a198c6615c56eb29cdfc1671e1bf6758dbd233a9867c42ab7665d756fffcd5a916221bafe99fe6d732672596017374e1ee0e9e8498d6bdeb3068a69e66

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4e80c29d979934d7b1d7ad39a1d5b95f

SHA1
f10848499f49099e25729c8164698d86acf848d1

SHA256
32f031980a7f4dfefc6ff1076ca65a638943dea30573279fa5001c95dbc5327a

SHA512
2c83b074aeecc4ecb523b4bfcdd9adebfa0d1b0a93ce0f7634659ef349394d3fd60a82ae21d698452a394584ca58087e401b3de205971a309cafc85076ef0eb4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
8d78568ae1a51a93b63b54e8eb56f6e5

SHA1
127a76a92821f709d28202c159e5782376ce7948

SHA256
486c640d8ea7075986abb18f2f31488c0596dfb55d43cbcaff16bd7ba76011ae

SHA512
762dfb4426cdb226c10f8046ba61393da3b87698c06e496aaa4f5e8bb0f18b43b5facabe205593965f453a67af07c4237649bfe2d69b9548fae3471d6590350e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
74f8c0a6710bce147db24c699d7934b8

SHA1
a8fdcbc833e49674704503c4585557dcd0f5501c

SHA256
936802b2738ac25ca28cd6d1b1e2bbfab0f3c7ea1101b0bc0d31e44faf383f9f

SHA512
11dd5971000508208e06be88ada29dd33faf4f507f43b10bb55fd4e5665be0424fb8b145be5a1a9c14a9676c01dbf6aafcfe9696dba4c99eac8a4a1d0e172faf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
9252d2f4dff14da8dd9b5ba9e78fbec3

SHA1
02ec9389f08f92142976d9f4e8be386b3c3b6289

SHA256
50bb757c87382acf1b3d403c8a9fbdf6d120b49d12e5a8b38a9d39cd1ea9f4da

SHA512
b8ab5e785f3affd25a9415e02c8e188a7675442f2a30f6b6675f992226c6a8c825f4ca608f028a210699a2b4262c84971214d412892acee2dd5475154909af72

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7544b8e4bddcfc1339803a56fcde06ae

SHA1
e5abe432f10a920990bdfe38fa6302d481628a35

SHA256
6aff055f4299aba835b702285a6d579ff8625ed0d9555688078bf9d18a37a2fe

SHA512
1319a5f2f1ed3e5f0dfbcede8de86956919541b6ae4ff492801ea5fd6544a02ff92ed95246f0dee2878fed27ef95c51efd20ebd69451274c5d235398da91676f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0ac0188734536699e8e71276a3e0e524

SHA1
11effc8af09d277fdd7de0d5c6f7ee171a3b63c2

SHA256
09f1704a397c693bb64dba492437386a1d7359475f460e20c694d30efe9870c5

SHA512
4d14135e92de690c1589ac476e0a026e0cc2307c018f3e86581181552429e1bcfea67ae4b1c459e8d73b10916a2ca36b675574e38beca8ef984c3d4ade4158a5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
7118d6c2230301263d232d6a820603fb

SHA1
eb3e24759c9a47276b5ddbaebba776df14f31d65

SHA256
fa464bd9a089a1c588d5588906721c1e0de2d6393783f9558bb92500f386a07d

SHA512
f4f4b009f028cf63132274e3f82b7fc75718951c660edd2fd2785bfa27b2672cee97726dcf86f5df5ebc63b9c3feb23a7ac2e661ae8015638783c81b6d74ecb1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
03c0750a6266898b19a12a996c83b314

SHA1
47aae19f274eead62b64afac4805480d17e90137

SHA256
83d947b17185400f2a5bdaf16d906286c76b21f78f8b1169d560499e692db42c

SHA512
305fb4a4664d19bd1b20c7922496e4ac9d5c7f9ccb1a98b6ea7b2a867bed851432f3a75c3ddecb83a148380e51ba5d524c5da436a8068ea375cb0ec629b73aca

Download Submit
memory/936-212-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/936-378-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1036-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1036-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1036-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1036-181-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1128-447-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1128-234-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1184-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1184-337-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1204-132-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1204-35-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1204-36-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1204-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1256-255-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1256-448-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1408-167-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1408-50-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1408-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1408-56-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1516-129-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1824-258-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1824-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1824-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2236-87-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2236-81-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2236-91-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2236-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2236-75-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2468-0-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download
memory/2468-83-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download
memory/2468-8-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/2468-1-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/2468-23-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download
memory/2520-342-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2520-182-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2616-259-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2616-449-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2740-130-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3136-231-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3136-427-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3552-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3552-18-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3552-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3552-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3552-112-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3588-254-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3588-141-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3732-193-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3732-345-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4436-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4436-60-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4436-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4436-46-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4436-39-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4496-92-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4496-90-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4496-204-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4660-323-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4660-156-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4824-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4824-205-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4960-211-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4960-115-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download