d58f68c68eead998a9f503c0d6b284855a534acc584e13be8af5f5e782d1122a

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
Size

24.3MB
MD5

fb31f9c8157f739b96fce508fff5a3f2
SHA1

fabf0b4e13362f468809abf220f47f0bacf1329c
SHA256

d58f68c68eead998a9f503c0d6b284855a534acc584e13be8af5f5e782d1122a
SHA512

165d16c4f66aea5e65385232311f4515b76233db42990c85b2c29ad9d4742051c090eb4906ab75f763c61d015203eb506420d987c06fa2639eb6e0fe662a9c20
SSDEEP

196608:tP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpUH2SAmGcWqnlv018vO:tPboGX8a/jWWu3cP2D/cWcls1j

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4912	alg.exe
812	DiagnosticsHub.StandardCollector.Service.exe
1176	fxssvc.exe
404	elevation_service.exe
4388	elevation_service.exe
3096	maintenanceservice.exe
5108	msdtc.exe
3724	OSE.EXE
1564	PerceptionSimulationService.exe
2216	perfhost.exe
4852	locator.exe
5064	SensorDataService.exe
3688	snmptrap.exe
4984	spectrum.exe
5044	ssh-agent.exe
2140	TieringEngineService.exe
1456	AgentService.exe
3236	vds.exe
2344	vssvc.exe
32	wbengine.exe
4908	WmiApSrv.exe
2376	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d5c4db296319cddc.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_103406\javaw.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000682591c1a861da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e90e84c5a861da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd42dcc5a861da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5def8c5a861da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b332ebda861da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090e81fc5a861da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f316cbda861da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9241bc5a861da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083e46ec2a861da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006dd3edbca861da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057f0ecbda861da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	1176	fxssvc.exe
Token: SeRestorePrivilege	2140	TieringEngineService.exe
Token: SeManageVolumePrivilege	2140	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1456	AgentService.exe
Token: SeBackupPrivilege	2344	vssvc.exe
Token: SeRestorePrivilege	2344	vssvc.exe
Token: SeAuditPrivilege	2344	vssvc.exe
Token: SeBackupPrivilege	32	wbengine.exe
Token: SeRestorePrivilege	32	wbengine.exe
Token: SeSecurityPrivilege	32	wbengine.exe
Token: 33	2376	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeDebugPrivilege	2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2668	2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4912	alg.exe
Token: SeDebugPrivilege	4912	alg.exe
Token: SeDebugPrivilege	4912	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 312	2376	SearchIndexer.exe	113
PID 2376 wrote to memory of 312	2376	SearchIndexer.exe	113
PID 2376 wrote to memory of 4324	2376	SearchIndexer.exe	114
PID 2376 wrote to memory of 4324	2376	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_fb31f9c8157f739b96fce508fff5a3f2_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:836

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4388

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3096

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5108

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3724

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2216

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5064

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3688

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1084

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5044

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:312
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c234c46587a1de9d897b7e2c2b6caee1

SHA1
6049fa8b21ecb69d4348ece9ed3d0def18669786

SHA256
3f24126dbafe60822c4a1dee9d1b1d55f14d4f3cd3385ce6aa41573282addbca

SHA512
64797dc200821d6ea2930eb5dd28671c0134d0eaf9b333a549b6babe9841a01a75aa8d376877066105bda4ecb8e99d74fe284ea44b1ac731d38bfa640b5e9182

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
afec0b66adecced90d4ea320bc096c70

SHA1
868c5142c7806e73431e61946bbd076c2d134830

SHA256
aaac7e497df3e1ad0d0b0d7b532f1015805b8b22c17650e4d5a2f8086d6c78eb

SHA512
08b3aea75a93dfd472fdd4e8c97f17be82d56215743014b380f38b6d83d0b33c7d8c858c1db99762a76b3c454261b4bf8d00ccfae921aebdf909305da2c34e01

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
635eb9f2331ee3972d13a614f0910a01

SHA1
3123136b48404bf8fb48001b95b1237091adc8a5

SHA256
1f193990b13e4f2585639ee5a7ea4e793d7e8196e8774ae6d6b7374284f195d7

SHA512
d42b393ad7133d91784cdd36214e9bcd9842e40f4634e79a2de5b9fc19b545497de5bd6933b46e27e09e35b36310a738c5ff68003b2772a321e6478db9fccabd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
a6ee6836bc0f28f89919ef72b57dcff8

SHA1
2b409e7f52933f44b1194a99139dd9937e09c1ef

SHA256
7e65fe034b7757eee42ce0c91b6df59a36c233101148602c111b51306b72f412

SHA512
1bd2f4a83feb12c1913273d54d25e22db92a5ec45060fb32e2eee52c6d19f73b9039ea5305c0ea9e4daacb464295fb6d6d07b18bf018cbbdd0df730cc22f1a13

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9a91b2158b8306796c2679ccb3d3a536

SHA1
5e2fcf29675b5f012d39f8bf3e0e4e3b3ea932c2

SHA256
ab3e7877e1425c8cd9eb68709158458e05c6b2e5420f4772393dfdab6815c9a0

SHA512
2256a511f8c7915b443806c35d0ccda5a7f1a7913476293c776344cc53e259de1e5629409d2b16d85d9c84eb359fd0d15b953a41c71149a85eedf4797217c03b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
58d6c457ff39bc43be1e25a08313a8f2

SHA1
70aa4647a39934a291809e470ee76b001874deaf

SHA256
ec01f9ea1fa0f00c8d6d09bc8b1fc7f2b5e12c79f0e66a103c47f78022d46bd8

SHA512
2286362f5863bff9ad0e2662cdc39ac69412236dd0c4d64750810c4235163ddc33a49442c3f417c32a798a607c5b1dcdf68b2fe5e38c95df478e14324fcf8d8b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
13834244954c5532345bf3f08a5fe224

SHA1
cecb85a70621b8bbafe4ad67fddf9ad9c7b63871

SHA256
f6da4ce0f24ba3f9570d8e17cf240b9fbbdc0f3cfee47ee9ab13c938925d305a

SHA512
abb26eb0b90361ae91ca50ad0cbb58908474cdcfe3e261d4633e91d253047a45ac18a7c6378ff53bcca46b9e3df8bfaea59c6ca13f2c31d2fdec4950a9defe0c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
61775a54078ee66f43839f40fef0330c

SHA1
69889837c6f08109ebeb9b9a58512c0ce26e6686

SHA256
aab41756003b6397e75cf6497568cd41005e8afd28bb954ab575cb0d2ff0cf0c

SHA512
147c1c41e48ebf8b556127599bf300e9936929f8a0d260de78637702906a53d704807445efd0d20d15a5fec9c176c53c294bdd5693c2cc6f2d6e8f1339d34d32

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
3.7MB

MD5
a154a1ad224bedc0f230ba3b71f26c50

SHA1
46dec451e4be7b350b11796fc7db45ea0e2cd790

SHA256
4eaba5a2e7d0aa9db81789fb08b29f95b27f859426dd4418d79f3c7bbf3aae7f

SHA512
186fd29ec2aca660053fd7290c3b68590de8541d4a6d20070bfd4b0496f8fa29b0b926adc83507e266160e9a8ca7fc97afd35b9583352260ca040b16c7e2a55f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
6b518c4c4ebca1d0c2e995056646596e

SHA1
d54a69877c0f8cd28070d22ec7f338eb43508e37

SHA256
163a548778bfd0691207e5f4c7a7831faf32492faf139dcdda447bbddcf84b47

SHA512
906c62716edbdeeac3da23ea424a1637848a2a98183002dbdbd132492e0d5ac7afc75b2e8560d072f89e1487cab93ad26a69debf97389030da8c908444660e24

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
3.0MB

MD5
ee00ed5c99f029f5d2441174e3c39550

SHA1
e75980793324b67a1a7c68c3863c0304fda2dc2f

SHA256
bf7c5b0f0c1958e31472dbcdc166931d854496146d1763e87390671f056ab361

SHA512
3b51d08424a7f775a6b48c43d3b433aef38cec654124f65c7354da5b20ca65864e9c201c6160b47d4bf14a17e23a2263c0bf2d04c01a5c12cd6e2e6e7caad3fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
107f3ec39182e391f3ba141d4793e219

SHA1
f44303875a44a7dc0af2c622aa0f3052bb747c9e

SHA256
0d2957c499ee03d1ffa86d41292809d0f18266c15e6481ddd7a24b4e4551faa1

SHA512
8a4d910b3c83b329f1a306f7aac076f5af54774e22b659c5b51a058e62e78e117d3bcdbd201d7db517b5c090d9f68af6c575c4d0baa1b336cb5a363fd6c2918b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8a699434da1d5daecfaa9883a5368826

SHA1
34a729936f7fe40948e2f9814bc2333c1de16a03

SHA256
d20171cba92ca74551658aae769a6a1e4c44c0f6b54acd262c7a0f499a28ec49

SHA512
e091777bd77f84bd4617bc90269bf2aba4fd3fad262461c756aabf0b7711ec415cae5a9fee26081b027c6f5874cadb8baacadc3eaeb5a0f5aa6bf52af623a09e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
c750690de35cef112db208389eb664ed

SHA1
cfeeb66b918f36b7df5f278445b58aa638e58990

SHA256
7e10754790f9f30459cbc6ae0bf3ada2bfd8813194abe0b2475a28e3a4e5e467

SHA512
f36f0fceac4fea6741f6560fba416b60e7f5ed51d4c7ad53084fd0e650a8a4e4c70f3a5ac5855f74766d47073a6713a44547463727926a383053334de22a0150

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
832KB

MD5
1ccecc221f078e11c3bff6dc340d9ac3

SHA1
15c8bab9ede4cd1faec6d8333376364a72e59389

SHA256
36ce762604492e3ddf1371c0d7ca314bf70509b714082a6cebfe89852f79b463

SHA512
ac47d3a87fd8de3bd22236feec12d9b6ac4ec1df9eff56b91500372b487613dcc10658fa86a1396cc26b117fdfc9a944d81e402ceb516178382977ee4e57638a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
7add6ce2f54565441642aa1a58cb38df

SHA1
d36930bf5b471545f13088da462d66c8e3c8f5aa

SHA256
a566fcfb707318c0d1d3a71341abd9bef920be5309bcb269019c2ce9e22fa4c6

SHA512
efbf98b10a75514a3a639ff296adb32a22e8da11bf7e4263b687fd2df5983da3d48659200ab2f60cf7eba37801d29853c8ed0671760f8c2062289bad70f76008

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
926465ee6fa8dee974770406e821b1d9

SHA1
74047e973e486bf9ada9bf2a36739fd73736c0eb

SHA256
dfe0367f9acc5f3cd6c42371e7ab6cba9066db7590ef5d1ea24fd4025072e0fd

SHA512
6655feaad86173c334d4212baceb6fa174af656cf170e7ab9a3148832c7ff08c7c095bd858a7d992dfd49ee60b6649a5522b36ccecb7a2ca04b399d6ec46c55b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
23838d3c24fcb1dd05823cb0aab0245e

SHA1
c57d7b70c88556b5c3f82783fcbf8432b6f6b0da

SHA256
08828b47f0ac7668feb12223ceb132c2c4156af9f44306d6e9403ac36ee56ad5

SHA512
2e97de562ded3982bad9fc3386934dd6e3f4cb6bcff1eb85e0076c1e85c3c8ea8e604b4612ca9e3db6278fc67d5110565f20a329699e44ea52a49b9ea4c3416c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
1.2MB

MD5
ab7bff322d0ddb2ba3c9a0b71d8f3237

SHA1
744bcaf720a723e3cb8cb10b43d40a389e119a7f

SHA256
aa3ffa3be7ffd962787e11e3fd2839df8c706cae84fd7496db52e051870780cc

SHA512
ca38e25fb0e00c43eaad6cfc91bf207fa91914dccb5fe0032b30dfa45f1f2e2c25464c25d2300d8aa730a8b7f73e252b91220bc16c88761bf538a9dc142b8ba9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
896KB

MD5
57de33049321f36aab15128e3237d01c

SHA1
9e2cfb4948bbc17e93f12092012416a134a99acb

SHA256
e72cdeca098534075b14577e10547c70e810c11812582a43724103a9b264b6c7

SHA512
b935702545e88fd002a66cdba3f45b2945a9a301d7527fa561f47f3f5bd54ec40e79adc6590d02b461c92e6f161b741e76743ad4f316034461772614b96fe90d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
832KB

MD5
753eaa2f6b4d69e25c6485dc53ea0453

SHA1
053abf973c295e7303a17b3f536df171b569902b

SHA256
368b2f51804fbee67c21bc474dc5c6a3501d21026ee982207ac1482582e84c89

SHA512
c829b19552df692dca4795d5d57d234d8f354602077493e679afcd77d8ef39766971fb635d768a30421201766e7d3dec9243f35bce2fa926a9b64f43e129958a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
832KB

MD5
96e4438518bf3de1fa610bda5e0aa246

SHA1
bceb5a63c1db8d847a47101ff807926ef73ca770

SHA256
c09d2c266a7e0439a92eef76f3fef6b7e42d577c183d66fe2f5c15edcd331fe5

SHA512
8f56f3d8fcb72d2368ac2da49c5fcb81ba0d50c3c3f6bde5e134aee96ceeda1a5f4e19017d3510424668da3e1bed556138957e39790c31ffa0b07039f1072a4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
832KB

MD5
2a12b97d89a43cfbbfc7ac1bda9c5662

SHA1
8be8db9d4b35852377c3c3ceff9061ba81227ca3

SHA256
1f2aa2bca1fab8887fdaf334927bc33a174cad82b5bd59d62f71e76b0742aa79

SHA512
b630d2d3cab5d48f48ee19d5ca2419d0d51708475ebf553479d3fa2a74e389f037bb65fd8341f33999cf9ed536a49e0eb26ce61071541b378017a7a21ab3e07d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
832KB

MD5
1e1c429340b780588236fbef0118b650

SHA1
cc1b024016b63eb685a2a7b335dc6003d98ef60d

SHA256
8983fb53c8ce80e9729c7034c54f7dee436067a566d745250ec99ccbc3833e0e

SHA512
a64b178d375a0f4e75f3ba96792ddda8ac59b970377b22083e49c629c1cb7f67bc4b3b3875d342b723f1abd71e958b6b92d4680698539676c8b4383d26069cc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
768KB

MD5
b909a2cfb18ec11b0d24c0d08b0b32f8

SHA1
5fd3b22fb20fc9ae605e36a70c0a0b29286b0e49

SHA256
4c96660d4cb088f555e4494b602df7ed0b37844024415d87bf6f64c13844d054

SHA512
6940b3cbd6e80f38a58db99233bb9c310ca275d2fb496294bc6203a0fbdbf5786f8264bc185ea4eb71921c976f9ff24143a1dbb794e4a0c2f6701800291b588d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
768KB

MD5
89e689e5482a963faa79db3ddb49ee66

SHA1
2857e9c5132457a694c0198202dc089fc2ce3326

SHA256
4cce025032100e932a87f8a6bcd0c327cf480714004aaf6da79d0093e1dc9813

SHA512
325dffc8e496653e94b60a8c2b0a3423f23b210f5f215126699eef7e266a7becd9532e200583ce2b1b73af5aa7692ded99697d4b3b57ed09bf392cb440279365

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
768KB

MD5
d7f8576a08546bb89d0e55ce4d1b7ed7

SHA1
f308028c8ec42ec2e09d5848cd213db55c87e0d8

SHA256
2137aab3d764b0d7b9bccbb082673e11a4a6cce0f2fb8e6a77ac764e761678a0

SHA512
fa278dc85902ec431ade493b6b0e949af73d64200e7497c2aa15ce34b2a8ad1304b9b687c85d80265526fced52bedd26d11f588cd80820c64589f813bcf484fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
768KB

MD5
9af92ad5533ce18e5c81df66d23d1c07

SHA1
0de04223648cae0a493ef45fff99cbcd5987324a

SHA256
f4ff806da6ce921c25ce230c5288393cac2765693da17953cc35749439d69869

SHA512
8e0bb1d442e3a26248a4f339204629345de5b0d3f0feb80341fff98100849c0456ce65fb42077ce82521513184d09ac89df92e60cd2bb9508e782259d4beb1aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
704KB

MD5
bf78272b6559ab9103d5cdfcf50869c1

SHA1
32282dcfade5fba9786ddbf7885f9a81f431a23a

SHA256
982cb1b99499ccf4831caa895fe9abeb7f4a7248fb5ee0fef5f73b7df044dbfd

SHA512
12d6cbaf6ca5def0a73668a1c0089d4796c1928fd43655d266187f7131892235650dba0924ccd8992a772b30ad5eb3f8d106ae94e89081b8666b90a2902a80c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
704KB

MD5
a87ae8d3690ffdbbe26506ce71a0a8d6

SHA1
fdbe3c79bf4c4f9b244dd8a1a428c7d538f938f4

SHA256
71fe230fd765c793e0d3848059c9081434ceac16af54530e208aa7dcda287a1a

SHA512
f50368fb605bd8153b5fe560e3f37fa3e252391d271fc3697fe2a918ef577ada4db96ed3e9f36e4923f988e865c0f21602077d46deeeb00efa90a7a5339791be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
704KB

MD5
f0b75f0c13c44338bcc4b8883580fa09

SHA1
c3cbbfb1525f3d8cbdb731acfd6f5a12c26a1db2

SHA256
6cd81289bdbf272c4168cdc650dad7a192b9e34045a21baded0f43cb6798ce0e

SHA512
24edd2e006861ff253adf4cf4ae5c38745767260fb91a129d1daa6481ccd851ba3efc89f5c5924fe15a0441af08c9f7960401e937fc0a3542f67366d6c3a7566

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
704KB

MD5
388611a6dba2adefb63578af478c6e88

SHA1
be40f3619cae33d19b006dd038c54711fad6f74f

SHA256
9b5b4dcac1bfad086617b6659cfd296a4383bdbed1b2aa4bf20c2b9b630e45f8

SHA512
df29f8cf9e96bf7ceb8def4c873897c6dc3413fa10767e83c7798a2e2844b590555411d2c9261e1711ee6ae45bf50f298187f94317bf45ef2c09c3581c065fc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
640KB

MD5
3fade7b34c9c6f07a9c305d6418ce865

SHA1
074fa0e02fda390f5878ccd15a810932764e632f

SHA256
43db3463f52402a26e3551d3fe99137931859f1dba24fe6d443c4f8d6754ad07

SHA512
56641637e8e181a3448bc2c2c89ef65a45c0c8095a848578f68c9ce3f42e100b5c4b484f645af775a16cedb85b08685e044f6bfc1ad19b89a6c498b1122a7f3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
640KB

MD5
266d6265866b0cb5d92e138bcf270ce2

SHA1
4143c82635d04f849cff30df082c9a4cc193b7ab

SHA256
1391063f82e49dfbb089c9d6d78666547922a3ed519323c6c1bf29d79435b04e

SHA512
18d342deade13e067424a0c4e2f8e12d88aba6f590edc4c5409f2450e92d6aa4858e332ec83ca21c4a2e794e29e0f48dec098861177b5ba992fc2d7fe00aa598

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
640KB

MD5
49db04ece456145105bb5adf0b88aab7

SHA1
04b62ab0c990c3f3d1321969e4c79e9c06eac05f

SHA256
293cd4a8bce98efce37cdd62c080bc5858189d38c86f57c88c22c8246ca785e6

SHA512
48ad5e9e2f2e5be591559115daa2a899787bd9fb0d80cb7afd4b8fac110db616012b0083bca5a800fca4756e58a3b53d9abcd2f0196d9be40cc53e248424de11

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
92621a5c5a6401f862d63ac8696729b4

SHA1
84e6635513f9e44af909936de3fdc8c4841fbf2f

SHA256
d26babffcd9f5429f9ab33212f4dcfceb05ef0c5680d7d5a0ac1f2c40667d691

SHA512
2014f6e3c1eb18ae203728abb026b3b540698085386b215ef61af6281ba56bb53d2e195690815a77c64f111f99c61c3b076a989e19e8eecf4928b7f7a207a28c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
894adfc0fea580f9dd29624d29133ac9

SHA1
feb7f83c60f50a10eef6e0840807a272c73f4fea

SHA256
7f9bdbf9ddb567d631943b0086ca45d91ccdf3aff71ef361b49656b1404c3e07

SHA512
8a076c6b9ff0e75857354b721e627ddf2cc01449f870c9b191cdb3522f7289687e90652defd840175aa842131fec05a9cde9505152b668f714d1de7a12206673

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
2157cce74f02225dad1a228075a58fa9

SHA1
3e01f5bffea7fe84d3bb9c84517f7779ebdcd5cf

SHA256
a7e8b6ab8b62d9bbec498d16ac82056eb7e5f4bf4815219515ae8b85353bfcd4

SHA512
85ed9cf9770ac4b75f8d4d89a73b8fe5a55f5cd553acb2c5a653184001a95db655d2991354e545886ebc1f4635767f253c38fdcb19e5a8633de10a560d15659c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d1e74a4145d5304449d838c5baf6454c

SHA1
6191d22c6d9d22afb4e536192667a950d9332acf

SHA256
19fec68cda3d853ce53d1aa86d06366429556bd47b7bdcb20fb6297e675656b7

SHA512
940a5f7297a72cc51221a1d4b601742acb6722328480a08e5ef82965294aa1f184797b5c37bca894d0e4ed972217623de05ba415945fbd6f787364e27a500090

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
21dc8f57abf1b8b39648306481134637

SHA1
78556a0f1fbef81d6e6568b4a05466a4c6f9eb17

SHA256
d2f6b2d38e3af23f8dedfc079b87f0ce348fbb117e2fce78f2340e5ae1613495

SHA512
059e6f22aadb94f2a250a0238d2bb6d10b629a1d1de057e143f8b330d2944d3332c2bebc7204cce30336b683b15f2ffad79255dd8fc1b7a4836ff04d7bf5df6f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4cf740f8259a1fd43c7cde5174a96d39

SHA1
bb78c91bd02dbd00f1bd771dbbfd2aaf718d3c30

SHA256
514e19894b307931d1e0b5ca9fd13fa2c3046429f6e3392e9e1182837c3d1866

SHA512
4f31695ce92d81e111a2192679842075b41a8e78f0593e763ba5adb46c61d00742f87b0e6545e020e4801fb0dc799147a08137baadca0f0189cf26e89ddfdd13

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
54265d9b9e59d7567870bc1d65ad481c

SHA1
7d64bf0c1eeb5b469530c9be8c4094fc7e38e833

SHA256
1bcea31b8b7439e45b39105ab6d9804e679db8c1a61a0a49cbfd817fae73b1ea

SHA512
b9b0fc4cb0c10aa50bdc4633ec5d1c93a21c64ea5ad5a14ad0ce16b496f1a80a1537e5378917a66ad8be23a920833c50a8168193b43f0e111876576bea80c878

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
640KB

MD5
6fe58a3cede64180b15ddaabacc19a54

SHA1
a4a64735a2d81d37ebfc04bbe0490189f391aa11

SHA256
0c6f38b685201f40f381c47e2159a877554ff7a81d2314a693d4d04e84815e78

SHA512
bca3a48aae01aa011332cfd7af6c8791d329bcecd981dbce819fb69c430ca4165a10264863b178d40cbc598854c9525f2c1c70454876b0ee4e80ddd9fa6af488

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
384KB

MD5
f469049e447c2ef2c718f0fedaa5c507

SHA1
d0696aa6e51bcfc4a59d92c5e8d0b5765329b13f

SHA256
a7e8c3c71f0fcfe458a235550c4342e8435e99c1c905f44fc4525031e7bf33cd

SHA512
2b872c8a3009dbc1d7e5b73cbb309238597f26b1e4ab8e5f676ea58a37c4ead807208eebb047e73610791f2eb83e3f45b0de1b6d06351c063d96a7fedf82e585

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
79d5970b47abc811b80ee3cc50bd0674

SHA1
a01761adfb54b53318a3ca317eb1799a4aa91d0e

SHA256
da654dcd023e7ee9726fb0137baab7717ab55e8da8fe4fca309385be0ceed5e9

SHA512
d7208254f75f45317108a96afc9b871c7bf308dc5a3edec7da5f6ba14692c5deb1e78cf54dea2d75b56f489c903d99d052c4633f68df6ba8026ea900877e2fb2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7ed60b2faee240ac229da9d0dc92082f

SHA1
4a87f8f54be959972c0daca7cf222c5b2763d091

SHA256
5fe674e16f0f8c25dbaf067ba8b6c8b1fb68848d4911532953745b97aafa7408

SHA512
3633649eff528eb5f5f86e0a509a766315a9a853e8e07c2be600198f2db8fa3e7f906bc4ba98344294fb5730de52f8a463f17d32afbf68e55550673c787b77f7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
384KB

MD5
0b356b6a476881ccc4869af4af56b1bb

SHA1
fe036aa4a4513463477e84f1cbbe789d03ba9a31

SHA256
4ee17bad0e1bbac1590d11cf38544f48b0c8d9720c91685a236d1ba204a1ed2e

SHA512
85cbc7b839f7906c0836e9c38f8d8d389c7c09e1b7ad10746b22ce53211ee6bb754a73d4f8ad544a7609e3b22d14814b58ebd64eec21e92e0bb08faa4030a2b7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
85a30f1c37f21b802bf6b06277e6c988

SHA1
08b6816b0be7877b27d82169b11f2c3218fb0767

SHA256
443d3d0e68e289a2d2c27a851738779e34c90d4190b5a0ee636805d916dd3923

SHA512
880b90e808fa6de60ea11f67dc9698af09d75f7ac8c4b79c7a8280190d9758070705413049f25d8182209c0efaa2b4d7f1f1a918c98b18c3e04b3000ccacea7a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
68ccb9fc1f15652ead4075c5eb16aff6

SHA1
e600430325c935c1d3df8fbf7f18d1c2f9f37f14

SHA256
be59eeb53d83d36870a5ae33c5296a54006a6c862237478a7b0e57cc96c4cdc8

SHA512
69b238343a92617bfc9046b7b005d8bb8ff1da379201cff19f2af7fb00ce228ac5c2df6099f09f4a956a0e9bfaf0a399476369fde2137bf116a754b8b3978b7d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
98586c682547530f6c4a11f4a5cabe6f

SHA1
c539531e101c34c9b8d6f66043c0ed7d23482d3c

SHA256
b9124fc4d46640e6dec5248ff79dcdd68283e9838fcd46af6a507b6e8c7b9615

SHA512
bd96aa48b2d9c3006ea7a2ba58de9bfefea6ca5f210da07c4c9a7ade37f12c90a24adbb0562fbde786f272ea4911f72f47774c8709a548095fab39849be9d0aa

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
77205a97ee7564dda02c29b3a1c3ad65

SHA1
5319046633f75462b27850f7c2887db5746b7bfb

SHA256
065ec8c203e4843c40b99a3bacd8a36de9202d01e976667f6dbb4d582391857d

SHA512
cd378658778c57108df19e9669aea9d8c21d86ce173c51d5a003f3c84fe41755e367cea42a363ec097ca5bf0b9c3983a7e1d45cb2793bfdf8f1f98ef377d3922

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
e1086f30a7e625e44ae042c9b4774006

SHA1
220df86f9057fc9ff8cdf2ec692a6ff8342f8476

SHA256
90e686b0d3e6a0f7d12e8f7dc17e74f131c06007fe91d614c9f23f8337294ac7

SHA512
77e840442b3b0e48ec9d266a279920bd9c0aff16d2bc178dcbaa6585410af77cd1b31f6e40421e375c26783cd53f8177690f69514a8508400023ed9e7d2747ee

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
784eede8fe0b15f54a30f15a8f34608c

SHA1
e32dac63f5017234ad838b47502ad6b029144a03

SHA256
f1f402a86485b4d69040143ff6019af05bc8472e23f038f87c304529fb6aa5d5

SHA512
5f6e96a791a0522104154f1989862c3db371d59376d47eb4c8a825a7851d2becd15679be06a651b9b11d123205105b4e0df32365a5e46609d2e6e895b50636bc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
01d10d3e86a2ac0a22df746959bfc98f

SHA1
412afefbf9b4b5288039229b2b7cd425357fbcb4

SHA256
f6f9c288a11fec2f249c62a0b69cab65635e2a6ea0b1e4da924a101e159889ef

SHA512
ccdb58ad8ea68e7241b94ec1f2a275b47818c77110ba153528b5ee02a999a4f55853857f2395a6ef4d5bc8f2667b9722716b845801a63774d4d649101b7a2334

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
40b2d7104bdb2f12be7a021c3d1338bb

SHA1
0e84501a3235172752944874b5f77565c9dd1735

SHA256
5a8282ece2a0d30a3923d533a13b3fc82d216c32fc78238ecee4ea46a473a0cb

SHA512
d44e620d59bb7edb9a0821c09a845cf30db5142f67a03b225973c800da6f0eea0efc5a7b128edfb9aefb49a9f5abcdae45f9aebf06d41a4d91069ab46088f170

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
320KB

MD5
fd1100b344f285057dde563e01dba6a5

SHA1
5f84d5045284c08a19f7c33025e6c81c90cc296f

SHA256
03b7e8fbcf18dedc7dbe010557da1e4e150c5643f4a6e4253cf657b98519fa5c

SHA512
db1742f3b77bdd1eea67e4598174eab4edd38ee0f0b36162ac5d93502cd178830caa855bb60e1a406cc1383fe5b151bc27b7d496552980d24212b274f2a50b8e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
882fbb1de679de7c0f72ca1c302be482

SHA1
83c6c236016ccd767b923ee5c116aaa7ae87ea35

SHA256
0df6e18001dc669037693597c5df84b41e2e30fec1629614cca22bf4b953492f

SHA512
5e1717717fbd08c51b540120fd860ba376f08358ae07f02a3ea90079d4e7ac41b3530b9bc77d8cfd2e9924e2320c2babd01a0cf0bae9ac61306d384df477ecb9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3a571fd5a821efc339bf66c8b745b612

SHA1
cf19f35df89f0dd10f23a2261542dd764635f8dd

SHA256
54b06cd7423894822c52a4316888aa3bb0987c05c3af2ddcce4933b281dfa750

SHA512
f7800df318d54015172a9699633639311fe2d199b17285b65927b7a46cecab6b03f76cb343e36a109eb61c8e30fe744498249f308c29a271b5c849608937ee83

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
bb9e852f4532e25cef9af9cc075e26e5

SHA1
711eebced1b65d1bccb732088a03b7e3895f39a3

SHA256
6064cbc4f60e7f57fc2e17abe8e5e362caaa190afd0b408764e94de58ae9084c

SHA512
d093d2534979fc89b0f1f1ce22cf1859368938b0d6fd92fb5391915feb269d690bfebf5956b205247bbb4203cf539e028d41607939be1ea499a09c591b3961fc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
6126917df60eb1ac5b84e27a3c7c43e0

SHA1
0e4b918c93386c9f6a1ebb4a955272890f180cf1

SHA256
82233e3e85721ae9b3f01b63cd0ffe0bafe1e78365a862c94fa601bdbcb74c8b

SHA512
91834dcab83b7305164e29c3123a5678b24e26c2135bba6add55ede5a1ab9dad9e780ca0aa3587d75ddc48aa1a025acc7c04aa07b8938b0ef04209185f46d1ca

Download Submit
C:\odt\office2016setup.exe

Filesize
3.2MB

MD5
cf88094e3b11f220cd1c04d43411ef15

SHA1
fca03a93e9c667de12fb1aab7388e4aeda5ab981

SHA256
1cf6d81aa2077e1cfdc4fa5e342beed87ca8c4b47848767b71866fa5d8d17a47

SHA512
3e8df35fb9e6f9371b5e3afe541b61f6b44eae46dcc4877eb0a909e81bdea721bcf9f4aa583691a6c79d767d4f40cfde716c987cce84197427f7ce29da52ca78

Download Submit
memory/32-275-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/32-269-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/404-57-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/404-119-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/404-50-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/404-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/812-90-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/812-25-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/812-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/812-31-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1176-42-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1176-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1176-43-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1176-47-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1176-35-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1176-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1456-238-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1456-237-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1456-233-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1456-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1564-183-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1564-128-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/1564-122-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2140-279-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2140-219-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2140-213-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2216-137-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2216-141-0x0000000000840000-0x00000000008A7000-memory.dmp

Filesize
412KB

Download
memory/2216-198-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2344-464-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2344-254-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2344-263-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2376-300-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2376-293-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2668-0-0x0000000002070000-0x00000000020D7000-memory.dmp

Filesize
412KB

Download
memory/2668-60-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2668-6-0x0000000002070000-0x00000000020D7000-memory.dmp

Filesize
412KB

Download
memory/2668-5-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3096-81-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3096-84-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3096-88-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3096-74-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3096-75-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3236-241-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3236-249-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3236-376-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3688-179-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3688-240-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3688-173-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3724-171-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3724-115-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3724-107-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4388-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4388-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4388-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4388-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4852-210-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4852-144-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4852-152-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4908-282-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4908-288-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4912-73-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4912-11-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4912-18-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4912-12-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4984-253-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4984-193-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4984-184-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5044-206-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/5044-199-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5044-266-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5064-386-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5064-165-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5064-384-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5064-223-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5064-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5108-92-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/5108-156-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5108-99-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/5108-91-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download