02b381a9033649b13f1a8530f4e55384edd2b8a3ee108dc2cc282823e362e4a8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 11:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
Size

24.3MB
MD5

0c31596b03a154c40c2fe6f26be382ae
SHA1

975d8bf987392067563880c4fa387da7c4da9e05
SHA256

02b381a9033649b13f1a8530f4e55384edd2b8a3ee108dc2cc282823e362e4a8
SHA512

d74c0ee73bd378cd4b791a7267fdfc5b5fd33e33ab09aa2cbc5d0165356b0f5fed409aa1343229a4b3e638026b1849c8a10343d8cb34e6f57f04f043b38f8fe6
SSDEEP

196608:4P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018+S:4PboGX8a/jWWu3cI2D/cWcls1vS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2484	alg.exe
2164	DiagnosticsHub.StandardCollector.Service.exe
2168	fxssvc.exe
4596	elevation_service.exe
2504	elevation_service.exe
4276	maintenanceservice.exe
1184	msdtc.exe
4928	OSE.EXE
4896	PerceptionSimulationService.exe
2320	perfhost.exe
3104	locator.exe
3440	SensorDataService.exe
4700	snmptrap.exe
2544	spectrum.exe
4452	ssh-agent.exe
4688	TieringEngineService.exe
5000	AgentService.exe
4860	vds.exe
1516	vssvc.exe
2792	wbengine.exe
4856	WmiApSrv.exe
1584	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\109eeed0c4fd1e7a.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77625\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77625\java.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a292da2c4c87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000126f2d334c87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099f836334c87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037ac09334c87da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045872c2c4c87da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8edd12b4c87da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046365c2c4c87da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	2168	fxssvc.exe
Token: SeRestorePrivilege	4688	TieringEngineService.exe
Token: SeManageVolumePrivilege	4688	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5000	AgentService.exe
Token: SeBackupPrivilege	1516	vssvc.exe
Token: SeRestorePrivilege	1516	vssvc.exe
Token: SeAuditPrivilege	1516	vssvc.exe
Token: SeBackupPrivilege	2792	wbengine.exe
Token: SeRestorePrivilege	2792	wbengine.exe
Token: SeSecurityPrivilege	2792	wbengine.exe
Token: 33	1584	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1584	SearchIndexer.exe
Token: SeDebugPrivilege	516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	516	2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2484	alg.exe
Token: SeDebugPrivilege	2484	alg.exe
Token: SeDebugPrivilege	2484	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1280	1584	SearchIndexer.exe	119
PID 1584 wrote to memory of 1280	1584	SearchIndexer.exe	119
PID 1584 wrote to memory of 2328	1584	SearchIndexer.exe	120
PID 1584 wrote to memory of 2328	1584	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1040

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2504

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4276

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1184

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3104

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3440

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2544

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1124

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1280
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1f79988349e638f1f492eefc7a9cadd0

SHA1
0695a19d02f8396c1cc6792767dd1b2d528992b2

SHA256
22b31e988ada31932ca7ca52c4f14ac20e2528cf26621e90e8765c3753552731

SHA512
00b77b7d9fce92abcaecaf8494919e67c31d133a4ce352a322fb988490d8ecdf5275fec6da0916f2c63e1e5f9e8c2da69b2a39460fff079e8557dc89241018dd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
4720e60b3a02331163b19fb400bd4ada

SHA1
a1c5683707c430c71f18dc2b6f221ee5a71bb673

SHA256
db674eb7db727cb7ebb3137216cc75da29c45adbbfcafa11f57d0e8302f097a4

SHA512
f7a7b377558690a29b1e374b950999b91757eafcf9b193545483cd1106613bd7c13bc91043783435cf02d90726ef0e6356496c66eebb7cdd51cdcbefff6ba839

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d9d4eaed031e409b32d5b91c0fac73bb

SHA1
d8e833fa050345c0b15d5597fed782dd66fe18f8

SHA256
f64de7f8c885438b2cbf911d253856b969d17d1833d63b0fca0d0be559b118e5

SHA512
7da147f6578323cbc6049d4452df313bc3ed69cb2fc2c5e94932d114534fe46080b20414d42f6a2111c13f320ad0552c629d33c7430d9bd5e0c78aa4bb7a67aa

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
27a0b2f4096681b3efab7a9805c0f492

SHA1
9e37e686029f7936dafec56838e40d2c5e2d0284

SHA256
33ff3de29a0d44ea68b3f88a10e640f7c396e1de301ae48f6f9010d6c322ac2a

SHA512
2a8664aa7fd09efc19e76babffe324ce644a12253ba309143d0351baabc60790925ea6999e04cdd2f301f07566c55b402627dca5ee4fbb4bf3255e21869afbec

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8701783a0023ba70dce44520cf81cb76

SHA1
ceb553812861343c0e55984d4074d74d0bb68de7

SHA256
11cb898ac98d6d8f508c1cec02bf59e56fed1d212167e3e70ffb3a7f93ee7026

SHA512
736c10ae9e06a7f660407ded0d092ddf15d72a30a09a39d3db5cc76008e2706c86b818cc993febeb43bb5c3db06f8027510616a19cd3ba40cbc2a303d729c385

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
a03df785ee812f900a37ad913b2e89b3

SHA1
682b5996c9818dd64fbd5e8ed88c210dd92f5b89

SHA256
7d9ecc82e66d9a266e017952bf7830d1462fc087fa9ecfd7cb8011f33c2174df

SHA512
32184a1baec956b64c20f3a99f28464ba51d6994105740cfb8a38197bec659ebcf245b8a246dc5105a104e7947f6e87a1d2e23aad7f4c5fdadb3bd5e5327ab22

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
283f1dbb0e9e0f5bbcdccbbb1cde4116

SHA1
0166f84efd19bed0f6fdb0e17499bceda774b789

SHA256
0b8297c4eddbf3f1a0611a2e055cd435f66d96450dcd01855ab2dcba12b63a90

SHA512
2b429b96709ea265a8d82bd96199cdeddbc24164e13f9364f1935f0e5a0704353ec663ea91dfe2d6bf6bbfb9d216b615df9bfbc97bd9f075d834252c9a7a561c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
30d2b6bf34299346fcf1b9827a110bb6

SHA1
9a9e355da8e5bbf479a2ddeb7cace19c2fd4b4b7

SHA256
2ba11fa75042877045cb3879fe0ef4d7104b95853bc57c9167271705a6c4cda7

SHA512
2285586d7a88dae85d49eb7818ef090e13faa6ec063acd626b55e63396b526c330f6808b0c441e7f13ac8c5413acd77be4cacd5bb40dc5405231af1d5f066d7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
85859a38caf3510e31a9fce909be77cc

SHA1
a46a41b598a48cd3cd20b4724343c515b710bc2c

SHA256
83177313ee103ee6f42ab5b669cc24aeab809ef369a5dd21d1cdf3c808c68b9e

SHA512
8bfb683180e402297241d1ee53c344d2c69bd87b6879211e0541451e06d022194a624e0d5a938817ae1982e69909efdb4bac1d1db0f19a177e9a7a286c02e56a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ad36c22e36aaf93fde7f594542dea500

SHA1
7ed31a2cb5f758439b9f6d1f549c2131f9c05b3a

SHA256
9eaa8be0c06cef0e13b659f8bcf2bf00cc7242939590873fc8f4a7d794e4ef13

SHA512
5cc8e0960cde10fb940d5001931e826c4cd3ca3a275e9ed8b66305c26a9c67676ceb5901dac3ef6fc8909fec13c6c89a77abf023007f7bd46ca84aa506a3f0b4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1b44d3176e46ef100f3b1a9797cec21e

SHA1
acf3076d0a6b030fbdcb56b5846a35bc23c99828

SHA256
4b301eef1be76c02ac4c5e34c16d2a29a1ffc9e3b0bae4e33261dabc81e7f3b2

SHA512
37e9b4670118f08d285110a1fd9d1ea94ea6684c50adf70deeede14b01bc284263a57b6797ef62f2e414696b319101ae9d2d0876c63d52f19c104756a563cb51

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ef6f10f1d99b3ba045ba217473dc5a71

SHA1
71fcb69fd425de7ca1fd26c91a8919c4c226cd5e

SHA256
fa715aeba372a292ce240ca377cd7b76ee2d35488688fc63e0785b355f995afd

SHA512
58fab956b5095fe152379a42c55bc4c7b39b9223996e002c937687a0169341c43b9259db0b0b93743aff5f84493bd26b1f6a0cfbc88d117b44fdd2572be91e54

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
96220ec964710986366de225621f3f87

SHA1
2879f329ad62fbfb1cd2e9bdb8a5be82023a2bb6

SHA256
e8e428ea3cf2f8f193b1ec3feeb178b2f84251fb2a20c2b683252ff88ef5386b

SHA512
7910af0ed965c547ac5cccac84e273ad7a155abf7993593eb456bed29e2b00f88ffdf66ceb299fdecdf5bb98fbf8923bb3d47b9460f9239037156a2ddc7cfedd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9532f142b30ae0b5b644e845a638fda6

SHA1
4292067670e1f90800a5cda8785498fd0b76b02e

SHA256
b6e3551e9cbd510105b316e154f1b5a869288385e9752bccd1e1bb99d7e842db

SHA512
8fddce37045e4ccae8b5a8769e4c34fce62f3ecfcfeb2748c01b0f21eeafa154f805fbb45047673efa6a46e73c1a19d73cd0228181ae1317e7530a9ab69c3a0b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
930e27a2c9aaaa84b5151265ffd92a70

SHA1
ea22cce5d91225a906f82cbe0905bfd4c9c7cadf

SHA256
9a5153ec0d7c3320cbed227f552ff09eb2b1a809d0c09b1ac2eba9a198b39dfe

SHA512
0bb4508a9e0080b7405e9c58a7a854ca8bb290bd33c687c43ee6501afe9d3576ff23643c6cd8c2683f438cdff14f18ff7aa1d0cd295dbca81e9a0ba6914da2f9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
c044f927c0e65fc9c98a5a0dc719c968

SHA1
c8ae6d753b93626d2001c5be47411d84442dd7aa

SHA256
2e3613df3b3ebbae7157d7f716be549e15bdfebe8a2f8c1f608bc9c5f6333736

SHA512
58efa678748d97eb112d0165b1a8b0fef442096ab5176aa91c11fba0e61e76ba0f74570fd38b63bd40bcb9801b70edbbac0c2d60531330be457b3259c2e1e98b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
ff0eec5081b44499d0a13aace1aef39c

SHA1
4698cd0ef69a8de06b11ed5bf94d6bb088a92a12

SHA256
2197c6251b23008d93433cbe5a31c9372a0a40664e7c2488c44ef50190d13297

SHA512
4b9478faa3d7a7cc74f055312d10bf952fcc3b5daf432fd71068710d151ebf6c0837bdb446d8d2fa788393d3350ffeb54ade7fb54e45f5ba074d3519da535709

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
d6d56cfacb9e042b667fc48a4f43b899

SHA1
8f1fdb26c4d0266c07c42bdd975405f74a031659

SHA256
91f787c4fdcd1dd0f12d4fadad012e554e340c8589c80e3626f9d93a37f2c0fe

SHA512
5c23ac3df02cc5d3199e38b589d319e10c9004a0b166751af3cc9b0e756bc64185baa2dfbb14658817d8c43bf73aa0148ce295bb8bf61278da5c75faafdc70ab

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
c49caea29fed592d63f1bd2d8904ca56

SHA1
967ff4cc7a09a4fc7f411c0caa6bd00d0935c808

SHA256
3bdde432e03465fe63a23e9f4d4d7f4e09d574a1c839d92b67daf63992a12c8e

SHA512
7db261593ad5e5201addf57990b07e5a3c474295348c50018a1feb3e10e2aa11c219b884f5253a818ec4e0efb91e2e9c65985d8347186880b7f66f021a4052af

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
d8b0b4c5666d0f60f171c9737d415719

SHA1
e4367202916912babc5c5c577ec2b398679aaa90

SHA256
d1db53223a2f55e54638c2c22662e1c8e325371173ff258a41e9ed3073d88693

SHA512
4907c4e92051519bf62f19334742595263351046e97ad177cedd8a2ce5463178bf3ad1c8233c1ef802254e11ef7b1e9a5ed094e4218dad1c55e96198926bfb05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6ad2b49cbdb7925ff9ce0fc8e5676f07

SHA1
f1b1ef44abb200fee7b8d002d6aff6f141bdbdf2

SHA256
b5b106dcf0cd0ddd7570a29377d5259050bb6cdc9b9c191ea2d7ff5fb9d18993

SHA512
3ef94967dc266970ff5cb69f0f88713d193e119f577782d75bba75302dc7272122f2891d71027933f9300908e5ed1ab5b0338dceefadc66cbfbf963aa0ce268d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d606c09cb39b1d7b9d341f2a68a680d4

SHA1
4d9608e7016b9b4d314170934c8fd995e8ad183b

SHA256
077010a27f01eae714f547d6019251f22f7dcb8df3e606f73a0cd0b1243ce22e

SHA512
ab68cdf6ed99fc3d80c6b6a366b78655d431dd3d6c6df940d474b26de1f20789c66a586645a6493792984a620c6c6778a9022a22045eaa613503ae0af60ee8f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
99ffb20d8db9bea8ca875d5b0c2bd359

SHA1
9f480113f0957ee4977371d380391094cdf322bb

SHA256
b6773a6e7980dd7d91fc3110a7f42b301b81c19769649c4f4e846a9871254c05

SHA512
d2f2dc6cc04a399bfb159033efe44d127f53edf3e8bbd11075bc0f7dd9432dd802d6eb270882b66b66053f2f1c3c30bdbf20cb07c8aed9bb1e2dba1cb0e9dff8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6da9806c1306d688c43eb0d2ff72670e

SHA1
802c54f185f909201aabd6181ea30396c1c0aca8

SHA256
1bbc82d96e5defce47743848b563eaf6e0770f417680104a8db27f264951b643

SHA512
be6011bae817b85163959f80cc063161eb1bae1c95acd2c5fab6e9bf9acc9bb4cd2611d58d5b17099c8336757f086166310f8b1f0063c8a68b81d5e93d72be50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
aece40a9215af7cb95c833f069d9b419

SHA1
6ffb762bdebffa0837a34866e23e0b041fbe29ec

SHA256
2f9b7448a6e83c6258d396bfddb929f0d5b1bba1841746d6e2857066ea4916e5

SHA512
edf4f8a6197eacdf135a02bba60fca9981478c86eb65576f6fddc5751840363127bc9c333b921716392771ce5f2f67e42b309245e19b3ebb3249aecf2f711cba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e061af1df43d049a10284296dcf4d89c

SHA1
4435db559bcf0964c1dad4161ce73cf91609740d

SHA256
c1cc2bd52e913f57dd24c16355136bb85d0b3391b2bf120b310b28dc66b601a8

SHA512
43aad3876fc8c515f449d88ce3991caa82e5838eb99548eb5d24899acb339f8ca8e04a30f9d3b45c786f7fd59298a804f8cc7f2415a108faa20cd924bb612d94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d6da017e26a212b3d1fca107bbd78c58

SHA1
f453ac7aece31ce13fd230593c11c462bc30e35c

SHA256
b70289eb0fad83201d25f3d12bbd4af00adcd2270238442bf28bf921054039cd

SHA512
6b4119cd1a1f055447765cadb9dad79fc348938c3442399faea0f553466e071524d086a316e4dfbee7ddf9ccb6e2189f8fdb4e5063d4176bd6c5c3650e47eaf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
dd34f1004e2397243a88374b637fc78d

SHA1
5749b0f3c25f64be3d68ffe1a7b8ce08584c74ab

SHA256
e156488c51592ed625cdd0bbb1f1a68a5f6e74a7f1f26ccdd5c40005f0f04c97

SHA512
2779bf10a552f1a8daebe5856079cab6c91b9dd1c0bba878056588b5e89ffd1e5e07e52cca025fef7225fe5c0971439e84ece0dd444a6a31396c2302135ddf32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
6f43243858c9b8ef9b9fea24880c3bd6

SHA1
8b7da634ff4ce3ee5a4a35c1b39622b7aba9da9d

SHA256
4fb98b0678fc264118e2ea6045603b9da8da026c1f6c2c935c08dc6ccec93335

SHA512
59696e30ab53577a52473c56fceea336fcbb4b3e282f2d502b1389f1a883b54c3a961c6b4389a0eee81f486377aaa3278b0eaa1c5b82604f287f2e6f9d1dbe09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
1dd1929f201e1ef8d366488c2e8075ed

SHA1
9f54ae5212b467f94b2d5674c50e4f770255702f

SHA256
251cc6c7fc51c82aafabcffea7a9a0044d725b9fb3e865439e9a20dcf8ebbca5

SHA512
05b5b95f9596c205a09b3e09d37f8bc59c6d5e00e9109aec2e1762c896ae13268062ed30425724f8bcba4ec8f2917eb35d818614a0614be55d5275d2ca3a68fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d6f1dd40e32531f95f33c7fab5c4f244

SHA1
8a5744ad035aa3b8a764b09ec627d31dc559539b

SHA256
69465ae2bc299fb983ee588608731665d2bf3f62758f8905f46b3cfff1febad7

SHA512
0149404033d27ee0d29890eecb1afe95a42d7a0c8e47bd5fdc01375ebc877a714c120883ffb95e972f720a3f9fbddc038ecfe5a4dc05b314625388342ac50dec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f2bc35b71eaf3f0ddfcda1a0559aeb38

SHA1
d4d64532b8071de2e2c92ada1cb4c61a64bcf275

SHA256
ebf49f4b6709fc9910f9986ca80e9a8d96dc56cb380108577da716fdba8b5e8a

SHA512
43f35f379769c43c6bef5bc2219fa397e468565aa66aa637d0e143ac7fb07c77d798016b803df5ae75096e1b6cf373e1a05abf97d4e8533bef0e6a26ffffa545

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
bb1cc65bc3e1479b14d7978698942124

SHA1
5bfd09251e8e26c2669a5ae8f8a4cb8b16d9858f

SHA256
7bb93a61d6a07744835f8908d6d6cdf9e42d153e59f55a088e606faf8433889d

SHA512
862ae1590698eccbbe150ff705031ccaf9dfbd482bcfa1d061b2d4ae017ee8f335fdf20bc495b142f2db3d54b9abd0838152cfd5bc9567cb167152d0aeb89d78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
1a34f1137b188b59f55ac9f3b5c99528

SHA1
3a5437524a9017fff67e018bf1a15a6150714533

SHA256
4c0af98ca9efe6a3717378584c22c3737b7fe10ea6e395bf966750c8afd7c96a

SHA512
10f3b1b670c55076fd577be22df74abb082027175cec0affed03a36c707c56156ae2ac1c64f94e3715866d42cd96d01a01d34da4fa79b00d8d7dab3d856fadab

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7da717ea489dd8f4927da9fed10a3107

SHA1
53da9a357bd0fd99fe4b5beeb8e8c66f6d8fc45b

SHA256
2802a18e7acf393f6f4cc1268b511a4a4b2572050d5e0a35d18967a59ae0afd7

SHA512
bb3313854c9f28d0d1ddf00cdeb8bc92a982cff39ba3d16e2b16b3c6bdd2eb744a25cb05b487491d704c185e625dd02ee01fe14f0a545103bed795792af898e1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
b2f81e930a472f4e3809532882afd609

SHA1
9994eb8142963f350f3fea2baf36e40e1fc75518

SHA256
1fdcbfda5a29c52c0f7932c4d5d482257c9744f4ad16575c422fbbc2b6a9dac1

SHA512
859ed1777384681c0055691beb3e4fe33de99093eee62dbd74916dd6055f4938f53a3a6e19922155b00edbe1e8963a13f9ddd5eb1303cb0f91f6b874fdd387f4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4ae5c7b8a0bbbbf7cccd24dd9e02796d

SHA1
2ac39332a19c0124a437783c9fa817fd63c7a7e2

SHA256
6f540f3453d7bd200063e36ec59305e31122f424a281e561053a76a5e5ca47b0

SHA512
1506ca0aa13498b60c43e5971be3e3ac09a5a07212da8f77394c0424a5bc65ad0db7f37787c7e9092dbe9af65f77a141e578cb2280800d1800932209c19a2475

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0c408b2f64bd2c8d18c0922544003321

SHA1
b9a5c9b92f0ec278e26c023cc3203d04a2577b52

SHA256
0217b6e1d3eaf69ff39c3cdc0022f50dbe9a7be3913a68f53555d9cac7a2683f

SHA512
5e9213282c0db6ae6b5b2c19c56c5b05763efc626a09529059fa955df51976b926d8b787fdb26c413b5c5b52f5b8407ab0a3905fb5ef109aae2f482aa134f397

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f4eba1db8d5b3703fcf7ef4378f9f90a

SHA1
3e1f66c714fd8ecc07694bb6582f32a04767d1d6

SHA256
940fd8bb281d2aee5fcfb2c7cd604a3303786559989d26a3bd01de42147cb13f

SHA512
feba8dc770dedbbff33293e36dcd2c278484b6af7755a7631411e3edd925fb8668afaa9ee02a912b63dd89bcf4b53837f093b445188d991fc28ef841fefcdca3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
655baafb26bd55836cca888954a00047

SHA1
8b863b06d729565ae4fed9b5b987ef6293910e22

SHA256
bc396ad2f23ffeb4342f561b8e1bcef71ff2709fbb1b3f60a40f92b627a43bd1

SHA512
b5fc00be3c6820cbce67e9c2aa28f5ee778e46e7024e6fffeb3bf569e961dee2f16123ebd3c69f4d23fb9d6dbd5060ae63f3b8749852ae65a8fc2e73863c08f1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
db1b972524b6f56e55d42ebb838b0f68

SHA1
6327cbdd06ab7b8f0596fcff851ac026a95b032d

SHA256
efa3fecf3cbfdf1991a7e71397cddd2efa8dc1100b518dec66e734cb577fb1f7

SHA512
8e069506a44a4bf7c7569ec6e8b7ffd93dd9014493004f359ebeb55baec7e6a0d3aacfe7a6934432a519762823421e3550d1c14556b86f5eb1a3afab7bee695f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
eecadeaa679dd23766e95cf8aaed8e72

SHA1
5696048b973b3044399fda18af4d63afb3195b69

SHA256
c75e7de6b5559abd4695d12d5a176ecc873bf64782312eec1a57cb38573dbbcd

SHA512
56470ee8604b0aeda1b9180a01f3b39c271900a82fbccabf6afd402f46e1a01194b52a5d9592fc055d35f31d322cb78dfd173c51ec0d1acd871725a4fc5fd2b0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
50bcf31b79f7a739dbe6c9d284a8ce6f

SHA1
add50341e7b484ec9182939c7faf52ad853be9a5

SHA256
f74f603db5bc18a5f5c3975265c60beb59e1d989fda4da14e285dcfcabd1c9d2

SHA512
b493675ac060bcb07335932fbd10fb3679d30f6a830a551da402e85a999df418ca080027c985b6a9bf45f7b3d476ad99ae38cc6012578f7a202794d0546b599c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4d3f4c7d6fe588056c4943a9869f3b03

SHA1
188516383ca40cac5bce2cda26819d25906f6fe3

SHA256
acdcd0e75bd01536670aa684e97af1aef1e012d739cc616a4146f0dbe9c125eb

SHA512
0c1243159d912350d0c59a7d63a7f5f6cf2092120a04f363cefb047b7e4329bdfbd0f14bcae80aa70b130aa83908a6908cea6898bfae654a5470e746b55803f3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
337e1bc90b4a05b69da643fbc3782191

SHA1
47eb01d20a578eaf776602769a4dcf25a8f3cd0e

SHA256
a1451872bd54f7048230c955cecf344b3c819d61fb12518762b7cb0bf11f0a59

SHA512
b472aa302be7181d92e29f34628df221e7dfab905d258d0089ec7c72eb1a3ea6dea16cac68e1878207ecfaa71566e5c302addbefb0499b71372d3a26497f9859

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
85cb7e0158aadbc988a15b8a9537b338

SHA1
5180d0c961f6d00b03134df61907438a016ea685

SHA256
34406620b0fb4c74b60799c1b11afa01defe486e2d23f15c6ce42d3afe47152e

SHA512
d6fd1edc2f30eb4ba71b2710491905e14e1016b05000a812fe7f12d286ba79829b0e4bedc6a7a9776462c17cfda87ae53ff4c625642211f114d37021578a8704

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6ee82bed6ec66a1673da04bc5a1c45f9

SHA1
bc61c9f7013b45ca21a007fb9abfaa72934cb163

SHA256
999df9e04da102d1941c3debca71d68af54623b6d5e0c1070d3f0f1b144434de

SHA512
c90ffdf69ee934d8c6dbde1f531bd68bd14fe9240fd41dbdb7ef8413dcb84d8bc842da9fb9d560d5e300074672dac0771249fab5db57c9ca56c6366c36501fc4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d3f8c21c4d6176d2676e1d538af6ff73

SHA1
1a09d6dc05978ac000ec5105ec1661a4f01c4a70

SHA256
ea33228a94ea3078e6edc801b411c3f9bdd172721b337441344785cc31c42954

SHA512
65a2cc3ea180526e74f9c686e677a6a5162944f041dd2ab31ddfb1a2dd09eef93f842f3640afa389bc67b23fba46e2e596024fd920e9202758a6dff8bf7132ab

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
94fdf196a69a5429499c9aedd460adbf

SHA1
2366b97ac6d39c39a910b483aed21aed002b5448

SHA256
45f80760646d2ab355d791e2eda07bbd9ea9a503e6458becf0c1a0a181e25783

SHA512
cc06f5d687d7c662b971d91104631ec9a6ee43535084e149c3b196b2fb95ba502df0fa68bf1d3d4938a35428fe207da22836affcb1e833820677b10c8bae7a20

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
4f2d5f9f4e1f0a18c069c92c7d294c9e

SHA1
112ef2525a60777c8e55dc44b3ef90fa02fd5ea2

SHA256
8fcb00384af39b3600fa43a0ca08d020ddfd2edddbb08f230638e2a87f90f54f

SHA512
dc255dcfb97fe9586072a1cf9ade3eee015eec8105b353618b912647ff9004f5d43004e88be70166d2c0ab54f9e03870b970dc118aac8f6d90854e742d7df11e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
73352a55fd2db62a57f89074f6547ec1

SHA1
ba03ca5560668bca456ee18740b627b4627c1f36

SHA256
f2eedbab15295b2b269393cae187dd189fe9bbdd7691641fc84913b619982f7d

SHA512
651e6b7d1fb3b51f90c8d09e7adaf6c5f385e33497b51f580f56f72b963ca79d65917ec7d95c68604b9afb136273c04e50466ffba9ba5b2e2bc763c5a108fb8c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cb9d37346c271802968ce2ab1e8f1a26

SHA1
c9f42779a4562b9ba55bee37ca2fe37395877b4c

SHA256
cc6bd2b99d1113b0c7406a331bc40dfb6a2b699804fbac776a477fea8ee07823

SHA512
3f8c6aa0a11cefb53c2db36e0c4840a817e2552762737dd0956182c868a9d0dfe2dd5c1cdee1a73dbfcdbcdbcff8d1645b38dd9b0fe2a73f155458ae69c02a14

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
9ff6cc7a40c8264e439f2e69d43140c1

SHA1
dca1c700f704228cbc8b6b16c5c5bfbce8ee6760

SHA256
3bb67e73febcf6595f839a083b706de4587c69a38b8f30ad75a58f215ef44857

SHA512
13c3c160078eea37d9a6b15303a5e78b4c6460e1c31b185fb98374a04ee65b40eb55860ca5faa444a74393230ef82c6e88c5454e75b5776285c1165e169a07db

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ad678a4628914a39151d210d74dcab43

SHA1
58ef0eaf6ac2ad5c849fed85f46a5e56ed9325ef

SHA256
c53e89515d8174e01e2d759cf0c846ec865f01356185afa07081ced2241e053c

SHA512
6c99d32ea0a0bf7a5372ef637398a7c3f5a9e8aace91cb1a1b85312838028c1e291fe244ff6e890be262f52fe8716cfae0e7e67aa53158c555c90f48029457b1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
04ae937a23924b3ab35cc7b84bb9751d

SHA1
2e3fb2d8f50abb5d6b074b52fcd3dd7811901bed

SHA256
74e6a7c1752e37a8f4635cfbd56ac7386ff77f1a68a044f5c2fdcbe63d24a218

SHA512
7920b52cfc4b98ff8a42060a2bd0bfe696c0e3f5983674ad58620f64cd73308e830dd9616f58a77333e3a46c7aa815a3564f1b97b50eff49c5a968770924eae0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
d71865413c4c8af37d30751c5007f35b

SHA1
5fb4a0ab542af09ed2c23eb637edec15a67e7478

SHA256
3aea7c4804fe861b7b4d03961fbd0cf603b92188a4a15c1bf4a0c6c4074dcd52

SHA512
a73e5f0aa0002efab0ee88873dc6419c97763d9bc3fdb40861066db7985bd21f3a03b58dafbe31f9af720b8924f40e29d92f82a17a904bd4c5cbb55e7abea3b1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ebef1b3db2ec628eef3d7730e6765add

SHA1
eb904958df0f6f598a8f8ac2cfc2c87f1650ef72

SHA256
b5e9828a5f86103145d82bbc631b4ce632b006e273596dc151b45acc185a7766

SHA512
52e6527429d750e437267e7e19cc700597c3a4d09ca0b253d3c07a4399bcca62822a27dfc2765893c4fa7db94d31288c6516fef700233f6d849c97659dff4769

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
ced773b105660c2c53db0dc260721ec5

SHA1
0e9aa3d4ac19713817da9494f70936ee1c5b407c

SHA256
7e64fcfbacc7b9b87941a1318cdb09e725f430db157e1aa2bdce5dfa24311b50

SHA512
6ffe9ff0163b990e185f0880830c22daf5dbbd69ea1a8832fbf19ee24d4f5fa220b39e2c548016979724dbd84194c5582649ebc9640697c69ad890205ec375af

Download Submit
memory/516-6-0x00000000021D0000-0x0000000002236000-memory.dmp

Filesize
408KB

Download
memory/516-7-0x00000000021D0000-0x0000000002236000-memory.dmp

Filesize
408KB

Download
memory/516-2-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/516-67-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/516-0-0x00000000021D0000-0x0000000002236000-memory.dmp

Filesize
408KB

Download
memory/1184-157-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1184-102-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1184-92-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1184-93-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1516-256-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1516-265-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1584-295-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1584-303-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2164-91-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2164-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2164-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2164-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2168-59-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2168-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2168-39-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2168-45-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2168-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2320-141-0x0000000000570000-0x00000000005D6000-memory.dmp

Filesize
408KB

Download
memory/2320-137-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2320-198-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2328-503-0x0000013B76940000-0x0000013B76950000-memory.dmp

Filesize
64KB

Download
memory/2484-20-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2484-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2484-13-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2484-75-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2504-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2504-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2504-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2504-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2544-194-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2544-255-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2544-187-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2792-271-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2792-277-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3104-153-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3104-212-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3104-221-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3104-145-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3440-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3440-166-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3440-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4276-89-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4276-77-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4276-76-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4276-83-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4276-88-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4452-268-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4452-199-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4452-207-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4596-49-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4596-56-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4596-50-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4596-120-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4688-222-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4688-281-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4688-214-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4700-172-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4700-180-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4700-242-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4856-290-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4856-284-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4860-491-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4860-252-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4860-243-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4896-122-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4896-184-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4896-130-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4928-118-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/4928-171-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4928-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5000-240-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/5000-239-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5000-235-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/5000-227-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download