45c1080e140b5bdf2afaa9e45dc012964f38b9334a959d223a179a0ddfce12ce

Analysis

max time kernel
152s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
Size

24.3MB
MD5

ac4d794d97c042fc0ad2002920e65482
SHA1

517bc9a965dee638f0cc3cfdeffb085fe0c04c84
SHA256

45c1080e140b5bdf2afaa9e45dc012964f38b9334a959d223a179a0ddfce12ce
SHA512

d3124c445b3008e7743a31458b665b75f3a2eed21c5b4f23e9e6fd70b9a701c0e36bc6b13241ee9575ab1578e159b0707b5e2490d5db742af560daf70e2d5afb
SSDEEP

196608:2P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018FY:2PboGX8a/jWWu3cI2D/cWcls1qY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1276	alg.exe
1608	DiagnosticsHub.StandardCollector.Service.exe
4648	fxssvc.exe
1072	elevation_service.exe
3952	elevation_service.exe
4804	maintenanceservice.exe
5064	msdtc.exe
1240	OSE.EXE
3120	PerceptionSimulationService.exe
4056	perfhost.exe
2980	locator.exe
4796	SensorDataService.exe
4972	snmptrap.exe
532	spectrum.exe
4800	ssh-agent.exe
3628	TieringEngineService.exe
4016	AgentService.exe
1808	vds.exe
2820	vssvc.exe
4868	wbengine.exe
3344	WmiApSrv.exe
3644	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c96ef495990ca9c2.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A57FE46C-6BD7-4436-B4ED-1F7F22B87421}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_118578\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008eba7c4d6c8ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2d2f44c6c8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5585b4d6c8ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc4cda4f6c8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000299ee84f6c8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007440e34d6c8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000426b8d4d6c8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8e6da516c8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
1608	DiagnosticsHub.StandardCollector.Service.exe
1608	DiagnosticsHub.StandardCollector.Service.exe
1608	DiagnosticsHub.StandardCollector.Service.exe
1608	DiagnosticsHub.StandardCollector.Service.exe
1608	DiagnosticsHub.StandardCollector.Service.exe
1608	DiagnosticsHub.StandardCollector.Service.exe
1608	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4648	fxssvc.exe
Token: SeRestorePrivilege	3628	TieringEngineService.exe
Token: SeManageVolumePrivilege	3628	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4016	AgentService.exe
Token: SeBackupPrivilege	2820	vssvc.exe
Token: SeRestorePrivilege	2820	vssvc.exe
Token: SeAuditPrivilege	2820	vssvc.exe
Token: SeBackupPrivilege	4868	wbengine.exe
Token: SeRestorePrivilege	4868	wbengine.exe
Token: SeSecurityPrivilege	4868	wbengine.exe
Token: 33	3644	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3644	SearchIndexer.exe
Token: SeDebugPrivilege	4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4280	2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1608	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 1932	3644	SearchIndexer.exe	118
PID 3644 wrote to memory of 1932	3644	SearchIndexer.exe	118
PID 3644 wrote to memory of 2844	3644	SearchIndexer.exe	119
PID 3644 wrote to memory of 2844	3644	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_ac4d794d97c042fc0ad2002920e65482_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1276

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4724

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3952

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5064

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3120

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4796

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4972

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:532

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1368

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3344

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1932
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c8ecb11c2e9d06a8d708a5e9baa4d558

SHA1
112e80733ccbe34d181eddf3871fbc72eb455df4

SHA256
7ed1c6169fded63c10627aa36dfc993295fbce6cd1b594cd61dcaceea900944d

SHA512
61539eee438df4f3b83de16b928934e042c259d37639fe3107767afd0de88a0e9d8601fb65cc630643b6e8cfc06b424a6abc6b921dad2a9272efd8a9557c7fa6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
38ae8b3cec2d91942d4113dec2091d19

SHA1
47a1834f5bb8bd94c94bb7187bb3d1e47afb0150

SHA256
136a87f232626a051308e6dad2d75b1f563dd9a35e4542924ab08100529dc23b

SHA512
f87c0b6d6d4de17a616c466219908728da50d89a002771db17c4f61bc4107d2a2c72d1807e500afc42d6726ed20e59d2a615459aee1d4b4cfd095810934dd9d4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
75029cc2e25041912505c3e5abeea193

SHA1
f8b820c8779288af9da770206ce63eacafb09260

SHA256
5d11fd123307e87510885ae0379d7f87c2bb8705a5820199767e847605172318

SHA512
ec214ff0c00489a5ba6ac8de742c8e7c69e26d36084486a8bca6c9172029a15660f3aecc6c86ee27a591a3008827e5c38ec24c7dae1b0b3123cdde582d0da846

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2254fc7de96096b479a924ead734f9b8

SHA1
e97539b29595fb4bbaf0defa1d65e188fd2578d9

SHA256
b27ce87eae989a700fc3c704e7e85c8e653f3b41631e3083801ae417c7c48a5b

SHA512
d25db042f7f350ff00ee8f73b440298319c697476e94fd4729e95d969ba21c32edca6a27b014c39be169f6c366eaefa57c5dae1628e98a4ea051c0edf13a8ebc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c3f8ef7490efb9588b1966d58522f643

SHA1
d9584f16883c71911d45c878c152c6a67b101d29

SHA256
0da1266ccf66176a819db9948def2190362ee02abc32a25019052ce186d340f9

SHA512
a4436f7a7ce2eb0acc220312eaf93106e0920a64ff847236a6ac4fc8e03e8b5688d2f83abc84567c454545e7ab4796fe7dc420d788c7b7ef8e1e22327668b975

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
0c0f2eb2c2d517ac10c0f84d64f56fa5

SHA1
ba8ba5665bdd09b4b10db612fb3f484aa10e1967

SHA256
61d0fa5d0c74b107b87710c34cb69221bffa71c5bd4ec8bc15ef32518b31dfc3

SHA512
5eaff58d668ca1ebca5a5d1469b59069d76d17283be834d25bc2bc2b4b115e98f34ec0dae434bf2e2292114d326a5527b1ce0bff14ea15c2bbb2ebf5518dda09

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
afb7bb09d6a3d141e3fee91c640f4edd

SHA1
e05d6f21614b05f710f29be761ac59aa8ad2f94f

SHA256
b0ebc56316f07d1303694375b54a63e8c59a87581c9ce4931dd4dd7984579ccd

SHA512
9e2e49a81d58624e34a402984d30031c7410e2f1c2ca5bbf7e7db007b9fe0cb342c72cfb701654768534375dfa8fd1957603469df8abd480fd4969e704783093

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ecb82fbddb8b736f34854e8a1efd0ae9

SHA1
9ea14c903f4f26979bc12f9a5b9685e54ea52f08

SHA256
ba3cdf4852a38fc8fd76903b13b6478a2aa805eb6e661207f027cd91ebb7ba55

SHA512
2d8645d6f812644fe9d2c2705839bd4290562a5e862115c908a74e69843b6b1a5aa1544019ded3301a9e03c904e7f30cc3159d5fce04137001924874862a3043

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
377eba1613541f47314cbcdccaec7b39

SHA1
83c2750efc25c4cf9d88835129c5e2cf448e9b8d

SHA256
c0b79dfb63388af9fd07b771992871cab45e6ac136d8e9bd28b89216d6e7aebd

SHA512
e8f97479524c26825a6995735ce6c3a776a5e62df540acc1ac57d565fdb2b33d12ac45057f2f30b0b6d1318df0703ed43056cc59895aab53bcc2b65c6a164eeb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0f13034cae71bd2570b685ec26ba861f

SHA1
d05b7d3f2da061573ad636a906dfbe2941890fc7

SHA256
d08c232c8785b0254d1e6e09cd4ff9c2bdb4242bcb0b768ef741d5f0cde97006

SHA512
64d288589d03712ea1c0d5bbc9b03267e7cadc41a2cf9865aeca6e3368364d997c2c74ab91793128ee7502c658e29bec76cf61d60812955860f0e067ab6cfe1f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
504d62c5045899d84971aeeaab0c27b0

SHA1
910245abad57c266e3b9902f6fa951b4903fdf16

SHA256
d7c76ecbbe57d2632a2187f82dae3366718db4da25cf6480e071d7d569d91f6c

SHA512
3d81a3b92b2c985b42d81ee5927c0aed71843645e5a7e1fc4e9513bd35be9188c1f8889e4fb234d9160522c3c6b9cdc86c289ae570da622c1fda3f562e2b5654

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1c8148abef8b253c98096690a7905911

SHA1
263902d3a5e388effd66506981ca373e69ac3f98

SHA256
b9fdbe25f6e98f19b99b3d43df7c0e6f2c8e600c691fb9de96a4ef3000b1e7c2

SHA512
535f1003e64364c9ab88596e1e637c9b810317d8ab791ebaeef0e4307e94cae96e0e3761f37c13c0088a9e7e317992e38bfb33de2f6089b7fd6cb45f1c09a395

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5b5086538cb76d56bf02120f6d926361

SHA1
c8f91bdf14a571c42977050aac82b0d95c78acbb

SHA256
5a9cbe81215a5a86c09ecdd3fa10a7f1ecb9b02e87908772e502768cc267f442

SHA512
ba07dc4281e4723b1888ae60949e37960421fe181d25c34c1d2b6937a3d6c80faf91e38015a46329ffac83c516980f0a8c741455c01654bbfe9c70f818352ebf

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
bf8f4be6cbfb09899095838161e779ab

SHA1
ecb721452ea10b80bdcc209905bf00ba682f2dfc

SHA256
d98427ec915c403a89c60fb2dea9cc583e7355dec7c9366bd3c351e6bccd71cc

SHA512
bc40fc78c78e3ddb5b53741f3409a777512d8e30c6d298a815b2705c68faaa936ee75a2466f218ed04a1503414e5572caa7b67b02e0e73aa00e805fa99a829a9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
4e15b7be7af35e8c12529c75488aac4e

SHA1
a05b218feb57772dc0408a3375757b927aae22f7

SHA256
87028e79cd70b4acf8da70b49a67387363926acb85f387eb4bee6144b9370e43

SHA512
b39094ca7c60481dfc326b136809d9e20f03008364605313b999fc996c6f74c0a4193acaa8c02d97301f124f7d12db34a49d66bf519a1a28bc4ac9af639af123

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
97c7c029067b179c6ba70a9947935046

SHA1
d77e515b07962687466797a82d5d6fc84d1d5f97

SHA256
fb11a724e6e84a82376c0fe9ffa9800451195ec471b94c0df257e0ae9a8cd8ab

SHA512
6ed8130ebca15841ebdc84c7e7963932c342d12b44c8f4e45bac353b81a0494ddfd1d0118a4bc8c388db7c9126369de40e42211b500fb546913a1b891770fc50

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
6e5a8ef0186fed846a80868cef65ab5c

SHA1
848a5418d6e81a501bf94f1d967d22d314233c09

SHA256
82303ba78de25ab898e33fca3534fab93bbf07bdcf9d36977e76614f3400bc32

SHA512
d250751594b0c39b3f8a8aad020a1f1372fdd3e2e62a39a3b635e8e88c7a06fe713255985b0707d22aa15e4a04bb1d977cd4d8c7329b451380ebf14335b96213

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
fade3ebb6aa352a13edb02a0146ec307

SHA1
a4e0e55a19713ed6762cdd8271481ca9492fad2c

SHA256
1600995b42982e876cdf7f682584932f8e95f215f1a30f061902b2da60c7efee

SHA512
4c38dc59b20a0e58df36ab1a1681d5245cc6270b97f33ae2c74e3951bae51b4fb7299143423808b33828eaf5e24c89ff0b53ebda6a215f22ab50f7bb6d5e263a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
7319fecbf007301c81d9b217a0995885

SHA1
43c7170914facb38eb3e07b03c1d071365504003

SHA256
3b82ba4a1964c029de0f36791031bf4b2e06b630c1d6a02bbc72dfeb2a356055

SHA512
30bcfdebb1eda8d5149663f035c21e36c1fa1cf495a58c672d1f3633b10b55e9f4142d5e792634b88131d8c5dc328e78b23a53f90a5cf3c5ff52e7bc550a8402

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
2754cb92e746fb924159f921cee94aab

SHA1
9bf950eeec52619221114e56b8f6c68d2e74d8f6

SHA256
e294ce6fbade13d6aee6504d0fcc7b6b7875d1f6f2848f854671aff222861db7

SHA512
6b6026ae98889cf464c48d96e71af83b8d402d8105af697bc1594e28d292b1e306dbae55fbbb469b3fe9b87ebf71408b23c290deca5e54bc06a939a986ef7fb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
48453ada2237b8056dfe4f8de85457d5

SHA1
17bbdb9b0de258dc3de88e4f9e5062d616a90634

SHA256
bd8080436aaf7b47a9a8b103e36271b206739ffb3d18e5d06f264ed45c2d220f

SHA512
0a4075481021949a5bb0d2599fc274063ef86de69ffc13f4a0b1fae6f7db47126edf4e83b388c61f19e65578ca2819170c47d7a5afc7a3a01555bb1af01a30b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e269a9e39cc0b03cfd45119c4a0e5765

SHA1
dc2964b1d94b86d1155fbc519c1995971e595aea

SHA256
55cfc446caffaff92ba06d5d9393f58760033c7ac636f192097dadac968a1660

SHA512
7e3bf1209ccf8a90b0578740767082491d01d3359fb9640938eb75a79347b0461982619fa40d9265fad13d5ce4f5c28d7ea8428480742948075132dec85ed5a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ea6d483ed129805fc5ce5d62ddd31365

SHA1
c97fad0203eae74ae34a6e980d82e4f62cea823b

SHA256
ecddfc094b78a110d0e859feecdfef92873c49a233020b114b5f33b23d87111a

SHA512
8ec7bb3333825d216da0bfba3ab5835bce90acbd32586bb0ab0217bef6d38669ff8b2edf1449bf44aaddcab7bee1fcf91af49bf84b04970d36d76b994fd29c6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2eb36f41b6d8a41b092a7677bc6b759d

SHA1
dcf5e941afc6784b5098890876470a4642d13554

SHA256
1e7fa666bfd388bc8adc40323a41cc86d55fde61129044ae9548bfb4730fe046

SHA512
5f986b086a646351166f87aa824086ceb4a9dd89e368fd84eaf74e74e4a7dd9cb4c5299d02d22d5c775a9d2709fbde4ca23a759cfb111b2fb261994f3159d6b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
abf9796f032e83831633b5cde3dab6ec

SHA1
01907283d7036a375e22eb140933555c127fe7f8

SHA256
1d3df6ecfa409e8cf90a2ac8b83d8317c2457e4cde89bffaab566ee6e7a7798b

SHA512
a93357b147c2293b802e8d1ad5bbbcb84126ff7eba8d6d6d6bbdde918c89f7713999563eb036c9484968d439506419b7dc9670fd4558589ccc13df3d6825faa7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f218e7eb706cea7a09297341cbc0095c

SHA1
92b232ebe75756f803a35febed236ab48e096a3a

SHA256
6a74c485ed3b4b90e50e90392b7f6d699b5ddb96f6f9c468ed7e4200a8bad5e9

SHA512
53551381b2fc00535eae1bb1eaee748805232932438ee48dafbe0f98eaf0bc2cf578e6d0a0979bcd40b3db4d2c022636cdea25ab560368239565e14d227e037f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5dd2ab44f72631eec97901c9a01fa094

SHA1
962b6ec95131ad21573f84b26a74e399eaf46cde

SHA256
dd704173a4c302f28b0502fb6345eeca0d2ff2805f25b692f56100f7233ead57

SHA512
a21a96ec608e2b4345f634c2963a3fd8ff976c95bc699c2d5d4bc0802c5ad5ce6da20965685b732a88d1ed8879a475806b1f26d52aac1947ae4188ab2cc22299

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
264ff3d281f99dbbac7d560d5738ccf0

SHA1
a48dc89bbfa2e0ac0bfbd8a30cf1d0f62ce4f1e7

SHA256
790ae599690839ea66cc53bbd0584c4219066fff7d3e148448a95481418176da

SHA512
212abe90d19c83d1f7ffc0e52736dbbefc8c8c6c3f324596d53785d97246aa4b6046a8660e8c2bd1b6c62fe3ab181c880147a108f8b3b2430233afc07ec83357

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7374257f49e2198a5ab4d7b9a627a55f

SHA1
4ccb77999a1d61f7f479d23010d145364c1ae59f

SHA256
664fd051506f9f7a6043ef5bfdb82d2133b0f7256b446dd06bd2b94e4a6622d5

SHA512
3fafd64f23c05b795f96d9962d8f6683399e1d82e71021763625fb481ea1673acc8f949423fd8a107cc1e62bd084b1ca84314575fe3c4ffaf63cfca43ea732f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
898fa92aa0b1108756df3ecfd1b7273d

SHA1
5a951679de119b9f9119a8f41d545468cba8ed93

SHA256
0fac131862187209b6d151fd0324f7db564f00c36971f26152e74b6a0666979d

SHA512
0e6480d54f58aee4d146a21aeab3d5f75f07663120b0e2cfb32a350e67ce0caf29aaf47a121f43c0486d75188e8fe2900eb98f452175d5184513c4cd4c91e1dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
2e15fc948c61f7ab820d24ecc04e7956

SHA1
7b0dd5fdc42280c5076e848b230bf0dc1cf2dd4d

SHA256
91b8eeca469399e09f89e7b023c5ad9bddcf23a558ef90655077bb83763c5411

SHA512
3176bbc1a7b75d264e38c70f767f2043a86ac1ce20a658e727efd2885db92adde4d4b8f5b40ef3af70eef4b34a6383d36bb96d325ae8301d87fae4cd396c357b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ebb93abe09f80fab3b9d86e7b37378ef

SHA1
652a12862e5a889b76f7e17c972a68b18b2c9a5a

SHA256
42e01abb623f2bcb76486bd3e1f0163a5287062ee986f38e319835697a55940a

SHA512
b9476cc26c6a3958537fb8c5e4465402d26d862abc5b4daf9bad3a9ea333f0a1409ba0ae6454631e8f5cc146af7be6894145152302dabd761a8f3d0dc079db2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
21ad1cb84ab591e6dda667c23a73d50a

SHA1
9dfd380a7967edc5fe226ced15d44a9666f8c1ed

SHA256
bdaa80e67de611321082b134e9cd32c0e8664245cd99ca2a5c8cdad83969477b

SHA512
52dcbfca1d46dbb0846d57622fee258cfcc0b09f961e2ab470100e6cb253810ab8355c53a4f301b750f914dc6395537407bf3ed7ce3bd8096a7629926d35840b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
3f9e37a9ee6c5fa7d3c9335ecdb8287d

SHA1
9537749cc5ed3072892ce421a787f782ffab4523

SHA256
ffe2350e803e062da052fcb1e5936eedb454fbbd724675f99ad89f373214cc97

SHA512
089bea6e7a7a4f2b759028df2d727238845083c20b3f08bb87d95dcd16f3818aa7ff1aa56725f40621ca96b9cef8fffe904b40119d94d447b351c76b3b59dbd3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f8d8bb309f6a404cde857ca9f2e546b6

SHA1
63683693c77148082f41a817c178f39cab437247

SHA256
0b9572f7c72f84cc986ffc4b64a5fce42e149c6f231a1c269b571cb75e3515c3

SHA512
191e81da0990e0da0b53e17d85c4f96c73ab0ec8a1f6a10f7e758633b8fe72c77101b33316cfd19f7d61f2e7458df7ca7afa653e2b3111cfd987c47db2375435

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
6e90d5f5f90f7e63f381e6dd7c753db6

SHA1
4279bab03402fce666312c4d3d88ecec47604860

SHA256
6fae7a6639f64eb2d456a2fc302e6913d99526f21a15dfeefa94e26e62cce937

SHA512
f63c054d3b21e61a2eb456727a4474d9b39b030269fdfdb3a43d9de0e66d49890c4cf8bcc6d02bebc9291bc5f93719081c28284e8c40df83f9b2534144b83d0e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d6d559297aa0a726a74dc80d48a40bbc

SHA1
e760b2dd238808b9b0eebaea475a48c8aa49af45

SHA256
1b0dfe26cac04bfd605612b30c32cf8389fd7642db5400db7d2f583beb552003

SHA512
0d9d6e804e7c788c0606402c92bc0034369ea6f90b3e5515e4d444311e2ec1773b7da302a6decad03005e88c1ecf7df0e65368f82ff1366c84e26cac8832eb3f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3254e0c6e0dcbde40f44972e61acf7f9

SHA1
b53dfa73b5cb2332dcb29cdfd8969775f2090ee6

SHA256
59720b91e4e0b22e573f557283e7b38a4574488b550d872d0dfce33eae8ff008

SHA512
d57a7304983a7eebc5397fec3295915c02e690a367d984b25a12e7b0d03f68c97df37e4014f8ede58e187be8b283a16c52ac9e08a45ae282dc133b6b7488efbb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c9981ddaea2c532cc1c81d1162ac2cdb

SHA1
ba8295d27b99982f83ac6c3c849b12a4d4ae8fa8

SHA256
484aa295327b3735bc747b96bb089f7d1b02dc87af35c58dc2b8a3675b228668

SHA512
0ee3ddf67252ede1da5d026b485bdb5fedb44bba3726511cec4e692d1c5fdd58acec5b6fd4953372f0e7a6b4c76a53fec6f18fdfee1258da95210ff8ace25bc8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1e6aff1875c751ca968d167207de244a

SHA1
eb41365961bf78fa40df4a356e1ba90e532c92ac

SHA256
87f7bba664c5f7dd0cd4b7b1c55f94fc4777ddaf286592788b4725cd165a9396

SHA512
7f89da11632b4c161bc43474ce05f3fff38de946f39d2a4b00c156d75c80d755757f6baeb4cf8528c52d72bb1737f185cb2dda4f888fb8515c6a9c5e7e7f67de

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
485ec413ff123acbddd2367b4085ee71

SHA1
36cf9dab7e90793dce2bceb834e3c80cf520114d

SHA256
ffe4a2815d2cd827fae89f6d311ba7a00e8a87296b09f3a9e181facac4121ea6

SHA512
92c359e023c224dc4676a7691fa8c6d57525e9c24bb42d64d45698c25cddd194f0967ff860e0501e15f925ee0e353488b7beeed3ecd8753640ede9b3b6df6956

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
def33983d1fa827aaeaa0743dfe1c9c7

SHA1
5e942c38143866439fe130e993614f1c18b41b2e

SHA256
ddaebf1d3f924f364103ce313d3cbc23a25ef85ff625dd9ce5d5586e3b495c69

SHA512
03a3c4ae6dc4d740316eb2627dc1a921e8b8ac4e89776d784294cba674e6fe692351b4d99817f45ba199f51ca527c9e934aa7efcf802147a19e890160dac2cd0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4345230ee1278280f2751e424eee3c54

SHA1
2ee3b1e1b98210d5d102350b8e55de636db59071

SHA256
162de7109079d168a03806cff48bee133d1828fbeb84bb3cfea593b62a9e16c0

SHA512
63391a34831f85a0c5587cb134e57035c4796cba14d7a15bf46b232df2ec58f7c2d14ba669e89114bd319e106df15388dff95748fe0b72a922f514cd391ddf03

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0b6f8d8333720b07ddcc1c439e1ad9db

SHA1
3d80be4b803f003ac6df57de894dd9d6705016be

SHA256
5113450cb0c3fa6bdbdaa04b42d34fa99dbd6b4bdc2af81d079c9022874c0ee2

SHA512
430079230cc346de0944805d02f89d36e0a0edcca65853ec59e6f709874b56c295b12f292b1fb68b7873bd10cd474674d3f8549ad32b1dead9e745dc8a85c8dd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
26b6b1da4d26b765b9bd91ce7e8778fc

SHA1
20b3911ad4f379081a7e73e9d86fa5240e6f8199

SHA256
4b44178dd8965251b90c03fc8d8dbb4790be1ff16547b61be324941bda933ab4

SHA512
3e5f4f337d6108fe2376b32b7a5884439653bc2d398362e6080ed67204a1b7086c362cd0b224160587622b285074c4c5daa66e3cc20fdedb7cf2b12121aec475

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dde0cd66a561223c7201185f786d5563

SHA1
7948c482bd2e17436e7213bc2040e7ff28979539

SHA256
efb8d36fa4f98c63ea985d25ddd0980671dd17c398faf38061421f50b26eab41

SHA512
8c0eedfde6f2ab53a5f3c0c22a3099267308bb1c54ffeb551ab091c7e97ddaa1c12423c869f311ef4b8f49422cecfc619d27134e3f4519e29a7296d8c247524a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ff545759c373f3e6fa1bcd27c96aa50d

SHA1
08769d5266aefb34d1b75bd6f68736be1ceb09d4

SHA256
4f34a3adbb04276506a53145ffb1ef89bed5c237133dc94f8f9899bce78ed602

SHA512
a0da9a1f051d4d48f0b4ce278e5cd9a7970e1c63da982bad4bc0fa34fb36ae314bcb0c5ef4c43825d6537ca24b45bb35997f66d92d570e98c1d0128075f8e971

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
972d42b8f64e436e5d9e6d3152234e0b

SHA1
7a57f5ea14251e85c007a4f8bbd95d05ac07d42d

SHA256
efea39965b1c943b7b7a120e113f44e328822573c24ac549255acf649788c3b2

SHA512
57c4e9985fb24fe899b2f9b9abf8cbafeda7ef391cb1464d0d59906d1ecf398793826bc5a436c7f05207e5d3a31e2a04731fd79f6badc59abc1278e1044daa03

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e7b47ed2eb5b201828987ac508541994

SHA1
314c997ef621e76c26c0c91571b24ec6e56f6380

SHA256
5682a54001b70264503f4be51a92c84e6221f552de559fb90d867c9a5f0078ca

SHA512
74b2c705b9a3eb67f34abee77ab162f34b0d4c5f8dd1ac029b39b5dc4232ea7100a747ebc75ea84e58b1befc0970dce57100879110be482527af71c47d261794

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
11b554d1b99d1476bd1a6e2cae297649

SHA1
a116cb6638f3b10ebb3ec0f238a6f4ff5028ccf4

SHA256
b92474d4442cf3280688083fadc6dfa095ee00c3f7d8b90b28021840acdda664

SHA512
85bd46b6d1c5e2578bf1d15a288d19acd05d32f94f544ee74b6a242bc90efd4b19f28a8ef18600ad0751cf8e6fa74a32c4832cc178e46efb81b33e5044c2ee44

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
397c266cd9578b1e8efce720725cb522

SHA1
d9e9e905be247a62b06994e207f35ddf898b956a

SHA256
ddce6e4effe20881e4f4c420004ff21211fea484b14ee23f1ed58995798d295e

SHA512
b579fe0463fc3969aa69cd9bc69c1af2f43d2072f01fbc56c84dea166334cc84bae413a2f1060642eca2efa6cc98ac09a31b3aa5e61ef33c7bba71cab0c7eec3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c81a55049eaa9b3f3e37bb1c8a8993f1

SHA1
6b71b97dc28df8def787a3bad626dd9662748485

SHA256
3310fc133bb2cfa6827fad67d4c3bb836b78fa09ffdb4604bb7f6068f7421567

SHA512
1330ac900139bf4c02aaf2a0f10da13ddf4a9b29c3acd759dcf35f427108e21d09a7da842c90945f18b19c32cae95ffd333c2e63b6794c6d0b00aeb0c7c6181e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
fa09a2d4e4a781f825a73de57e918d21

SHA1
a446916f783074aa8a4b641fbd0f8d3047048ab0

SHA256
d1ee471519a03be7bc69abd2e8a39c15780f7389f4d5321536ebabe99e655155

SHA512
662ccdd91b4f771aa33574175d27e58e37c6b1d267cf50d6a16ce8e9736ba538911b74984e6e7481b7f536fe657b77aee46bcac4311f389a5a676bf6b899a4f7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f6e5aa1ccb99d026c236225b4b3488c0

SHA1
cdb3a43c00e8f0bace7e40e91998469a2b2e760b

SHA256
4ed56963b6fa650c7674885ea30bfbc6fc1e7c952a9e6a3aa9219bb63db63b14

SHA512
cf267e14a533232097ffeaabf08272a9d65bab0d199203cb97000859f25ebe283ae5437cd3c7c092965ae7e0502af590c150f949052f9c44a279a8e41de3b5cb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
eea70c1773c360f3eeda4eb4f085fbd7

SHA1
13098495e770b549a91ad720eb612f559fa0daa8

SHA256
c439089af2ede69a100f2ca36981ca305079189407daaae4de5e1329e7409da5

SHA512
7bf14dbf82c58cb24649b4701357bb17f49bdac1628efeb9b8c2d62cb597caba733a1353b828411162c1a623f870efa89a04feb8cc07b9998d596e45940f54b9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
7745aff6164b6476cb35d9e490ab96f0

SHA1
b6c750b64d4e748860bb6b5295c368fd5ee7476f

SHA256
702b8fce27bbd0740b311f66fd92f9869646d8ae73e929d047d7ee230137d35f

SHA512
7874939610bede66e7723b245860f607ffa963e0d9602a1364cefd8699cbfe2b572b8dd5c732b8867dbdcd6f662c6c6ef218522d61eee1180a02ac204186c218

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e919f00add32481053a84058fc89d3ae

SHA1
d8ee6d0aa5cd5045d13070fa9f033e8a0cce87d1

SHA256
4e78a9246a188d01236590d2dcfb25d5d5bf28e287adae7eafe4122809327951

SHA512
722da9b0d8678725f9f22ecff458d5bf095562df483b6ba42eea779ad361b7ac41bc52a61306691d7ebb695b88590e0fbad52549a31cee11681ab87e2eb84498

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
25a48b9394ecb8d918df9f6199f8c5b3

SHA1
a299c73ed2c943dd9449dc6bd8a94c10a207dd23

SHA256
b3806b21924926152c3c9a0b781d08adbf5d980b5e0bef4e86d680ba7ca73b4e

SHA512
da2b77dc2b3e76982dc9621f1f06e1dffb3615723901ac7c8a7d406ac1ae0ad9e1faa1ffe044613ef1eb4cea74266ffc1d632ed5fd693418520d007d2f3966de

Download Submit
memory/532-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/532-136-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/532-127-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1072-40-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1072-32-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1072-33-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1072-101-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1240-86-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1240-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1240-139-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1240-78-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1276-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1276-73-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1608-77-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1608-23-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1608-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1608-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1808-376-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1808-163-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2820-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2820-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2844-445-0x000002A162F10000-0x000002A162F20000-memory.dmp

Filesize
64KB

Download
memory/2844-378-0x000002A162F10000-0x000002A162F20000-memory.dmp

Filesize
64KB

Download
memory/2844-358-0x000002A163940000-0x000002A163950000-memory.dmp

Filesize
64KB

Download
memory/2844-356-0x000002A162F10000-0x000002A162F20000-memory.dmp

Filesize
64KB

Download
memory/2844-365-0x000002A163960000-0x000002A163961000-memory.dmp

Filesize
4KB

Download
memory/2844-364-0x000002A162F10000-0x000002A162F20000-memory.dmp

Filesize
64KB

Download
memory/2844-457-0x000002A163960000-0x000002A163961000-memory.dmp

Filesize
4KB

Download
memory/2844-440-0x000002A162F10000-0x000002A162F20000-memory.dmp

Filesize
64KB

Download
memory/2844-385-0x000002A162F10000-0x000002A162F20000-memory.dmp

Filesize
64KB

Download
memory/2844-465-0x000002A162F10000-0x000002A162F20000-memory.dmp

Filesize
64KB

Download
memory/2844-395-0x000002A162F10000-0x000002A162F20000-memory.dmp

Filesize
64KB

Download
memory/2844-458-0x000002A162F10000-0x000002A162F20000-memory.dmp

Filesize
64KB

Download
memory/2844-426-0x000002A162F10000-0x000002A162F20000-memory.dmp

Filesize
64KB

Download
memory/2980-116-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3120-95-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3120-153-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3120-93-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3120-100-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3344-429-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3344-172-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3628-154-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3628-363-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3644-177-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3644-432-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3952-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3952-45-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3952-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3952-112-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4016-157-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4016-158-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4056-161-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4056-106-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/4056-111-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/4056-105-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4280-7-0x0000000003D40000-0x0000000003DA7000-memory.dmp

Filesize
412KB

Download
memory/4280-0-0x0000000003D40000-0x0000000003DA7000-memory.dmp

Filesize
412KB

Download
memory/4280-62-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4280-3-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4280-6-0x0000000003D40000-0x0000000003DA7000-memory.dmp

Filesize
412KB

Download
memory/4648-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4648-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4796-122-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4796-351-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4800-141-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4800-350-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4800-149-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4804-67-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4804-56-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4804-70-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4804-63-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4804-64-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4868-424-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4868-168-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4972-123-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4972-171-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5064-72-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5064-134-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download