f202c4f06cb7698e42cf12384b37eef83c9ea9ee544b247ca715d3d20f104a7b

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
Size

24.3MB
MD5

4ba67155a2808d58c648de680dd99b96
SHA1

91adb295cd2c8b7189277f78abd44543e15cd95b
SHA256

f202c4f06cb7698e42cf12384b37eef83c9ea9ee544b247ca715d3d20f104a7b
SHA512

6c428d07e353b70453122faa3f9312c56eebb00130b3c8b4aca41cb94d99e3baca32dda4999f3c3378cbad19f66f3b99fe610b993fdc00336c8cc6d34c950b7c
SSDEEP

196608:oP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018l3uQQ:oPboGX8a/jWWu3cI2D/cWcls143

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3468	alg.exe
3692	DiagnosticsHub.StandardCollector.Service.exe
5056	fxssvc.exe
1512	elevation_service.exe
4516	elevation_service.exe
4552	maintenanceservice.exe
1136	msdtc.exe
368	OSE.EXE
4916	PerceptionSimulationService.exe
2816	perfhost.exe
2260	locator.exe
3444	SensorDataService.exe
636	snmptrap.exe
2852	spectrum.exe
1152	ssh-agent.exe
5116	TieringEngineService.exe
5052	AgentService.exe
4340	vds.exe
3540	vssvc.exe
2936	wbengine.exe
3524	WmiApSrv.exe
2328	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8df7de2912d07ad8.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\java.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd892916738ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8593615738ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a617f51d738ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d5d361d738ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018803d15738ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ff37115738ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d9af31c738ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b557415738ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
3692	DiagnosticsHub.StandardCollector.Service.exe
3692	DiagnosticsHub.StandardCollector.Service.exe
3692	DiagnosticsHub.StandardCollector.Service.exe
3692	DiagnosticsHub.StandardCollector.Service.exe
3692	DiagnosticsHub.StandardCollector.Service.exe
3692	DiagnosticsHub.StandardCollector.Service.exe
3692	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	5056	fxssvc.exe
Token: SeRestorePrivilege	5116	TieringEngineService.exe
Token: SeManageVolumePrivilege	5116	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5052	AgentService.exe
Token: SeBackupPrivilege	3540	vssvc.exe
Token: SeRestorePrivilege	3540	vssvc.exe
Token: SeAuditPrivilege	3540	vssvc.exe
Token: SeBackupPrivilege	2936	wbengine.exe
Token: SeRestorePrivilege	2936	wbengine.exe
Token: SeSecurityPrivilege	2936	wbengine.exe
Token: 33	2328	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2328	SearchIndexer.exe
Token: SeDebugPrivilege	384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	384	2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3692	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2632	2328	SearchIndexer.exe	119
PID 2328 wrote to memory of 2632	2328	SearchIndexer.exe	119
PID 2328 wrote to memory of 3628	2328	SearchIndexer.exe	120
PID 2328 wrote to memory of 3628	2328	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2224

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4516

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1136

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:368

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3444

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:636

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2100

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3524

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2632
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
536b275dcb7d0ed6fc1db91c7cda1b3c

SHA1
8123e574fe7f007e4d4e28cca8b10adfbbae0d2f

SHA256
e6f12c550643187b6e9b29de067b059a7825d7ba106fdb2cc87130bbab4e0841

SHA512
4a0dcdd7f888358956ae8758941c0cb6efe0352771ffee809722a88a0ae4fc5a2d0f30fb2c0d8b406084f4c791fa353c217e9d179d50b779e7ba0fed1f31d2a8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
3833469665fa2fb0722b0e635a733e0d

SHA1
b1eb616e1bd50c309a1951278329050ff1665d06

SHA256
9685dfad0b38a931e9367576618d3048585a140e2b4ea710b50a98420f548983

SHA512
7830336d072080a0657b5f309a34c7171381b646b79bf46972b51a8cbad78557161e2d3c726b89c05a41f62c82ff5eef00bd8e4d4c723e99ade2fa1b3834ebae

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5c5fd26a3bd019d09d03355f1972f6c1

SHA1
7e60bdf725f2d28929da4e2435b130b3fbb923ec

SHA256
a1904931142c160b52270947318cc4906d2d9b3d4a12630b55168cd77ab9e8e7

SHA512
84912a27c00036c9d4d33ede5ef0077bc1b61b02c7f878bc9af1fbb2e517afea83dd697a12a8c3e2b6ff3a28467038d6caa56f51554015ea91cf02e4506962bd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bff016d10ba38a71b2b04ca7d03bbe08

SHA1
be758cabb7ff7e967f6018346bcd177b24b3c2e2

SHA256
844e9a6020c926ee91a848e0f26e47723d49d36f907a02a82928cb39c2daa91b

SHA512
fc8e997fdb63d11206f37565d444733b2724dea5f1a080cbd4a69361efb06e594d2bd55715e089d66dd5a3437d6994b2f42e842f51c7977dbe5954483b908ba3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
67e0eb804cea45bb96aabc8c40600d9b

SHA1
dfab3e2b0efe06e84d1774b076e8b592f53b7662

SHA256
236fa87323b2eda85dac360a527387777c52dd828efacfeb947d17f6c4c33f2a

SHA512
2bad75a422e9bf81fa121fc6f8f7102c57c10059d80e1182ab8047ae66d755a25fa44b12e0ba29dd983423c98c88634b4e697ab1b944fee6a1abaec9d3a3a923

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ade1297dd1ef979b098ea08bcc658f2a

SHA1
ef2e9c032b47204087a47d21d4b3b3d6be0fa7b1

SHA256
b9584384b3036edd554a05450f8719a2136a5017118263afa8c145750bd3f44c

SHA512
3bea5490736d97f14896797e3952606967d93389706cb111ce45ccae80ffc7cafd60225c08d96ee6e1ea9aebb4c19b56622e9307edbfb1fe264770b423027c59

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2202041903b509313743bb08842c2144

SHA1
71b8510b4c5d8a0ce85456d39a8e3d2318f8a099

SHA256
83da757611c4fabd9e8a43f06464b5f07c1e2d7ed886a584066801f0388990ad

SHA512
ca7d97858fefc5ff7dbed0b008b03a3c1a27004886574f8b9972e016156c0ee6c7ef61336c8c8a37a56375d4a7bb72ac10514cec5a1ef04a080458620a322018

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2823f3e6686ed6e96502bc56ea6546f0

SHA1
acf4d90d3c00afe5f880f1e19221fc0e364bf730

SHA256
88681d05e16eff83ffb8e0a66e122b883d26f687c11382fe8aa3c74dafba4bfc

SHA512
6a7423f70fb82057460d93392de3844de3fb46d5ece0e246c95baab6275da84e7181e742f9c9a1b06c25ea46a7ee5d0f83e2d55e7a83920db76a824d6d9ce788

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
23c5465f252aaeb25dad24eb0d105699

SHA1
56634179e47d93e7cce7589f5372cf681ae34f05

SHA256
742a68a1ee2ca78d0bf5412842e197f456ffdbf0725193ae8b0a6f2772cb79fd

SHA512
83a74d0317f7219d48a9312cf3b00447918efed4304bc320dfe0e834639653673b86c451a2df2b77a5a92330b4412f4dc0d8155a5218bdc1deb0771c28c831b4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2650c9ffba14dda2458f2af8534b6cfd

SHA1
1748b8c46e3faff8a03cdccf3e42b40d96beeec7

SHA256
1ea61c4702a98ade3a3f8af4a5076897307c5da77cf751cd69ad496705e707d2

SHA512
409ad86c947e41feac3cf23ee5670eceed0fb15085680d2fb3da703252efa5cb7380d8b62f00a3f3faaf8f7d3a934c72f9ba5a15f4e297f5ac4b93ef222164b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f584a5b8d997f2ce9592911ae04a2228

SHA1
506df3ee74ac173696103c89aeb9fa1708a458c2

SHA256
9b1dcf3299f278438f5d4cbc51cd3095f513e132af8dec10e710b25bb59913c4

SHA512
84c32aa2deb43d83f1f37554ae24366856bd16d203420a00748a2b995283d66ccfe7b26717f7aed63f606244a5e87897428546d7c642289e66a6265d036d206f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
01c13171a1ff4f430d75dd9482ae3791

SHA1
d480a9db3415a0a1c821070f0770f1045381cc08

SHA256
c4f3b749b0c54fc50328dff18f2f01ac2efc163fc0803f68c6239b7e576771d6

SHA512
7ab4ab539c6a1a1da7f08a929172bd2bcaa1daf790cc906cac027ba865b5ff7d450eeea38377e209d74207db4f49a212c7db9d1eb720ee6a2f63a6b891e9480d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
d86e40cb6b36f8db3f91471a632e4c6c

SHA1
1de4c9718514eb76883385830b97e7fe71bfcf85

SHA256
c4eca8b2de603fa2a0936628ab90272843f7bec16f9a88950b12052557ee7c24

SHA512
72416443eeaf0bf505600defe125d5d09f16cef3a2bc018bc857f674e5e452baaae030250960d016103f52caa0778ab78b7614c386fd6a69fee9e394e18a4092

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
5999aaf609589f0eb122c7003fb33861

SHA1
83c780b273419ed41fcdaa49dd6a4f29bd18c422

SHA256
c8e189ed8b372d0c021c7ca2a5941f588649767d365a0c715f24eec89e00c929

SHA512
3a7fcab60793f212a3cc04b3bbf6103e85c02223b213f34ea1dc82301712d196c6504c5f9f8dc53e61d43cc78798845b0629fdddf5f8264d609196778f8efe56

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
bd912105a9f318318d694f725f8f751f

SHA1
82aba303f82669c33b74fa36b974ca6eb0f4170a

SHA256
4b0f3b19e975538fa488ba7bd5229a55c098c29ca8b95735eb1e3532fa2260c6

SHA512
3ac895c078b94aab6baa0e27d8575acd9c5f5d6ed8a5231e18c5587c732cfc5a8d326f7b29e12c202ae38f3ea74b965dc042158f3cd1ce884494a025988e059c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
470ff26e64e919b959f4424d6a5da31b

SHA1
fa4c881ec271bf2ef4bc9a9ca637d421e9da6543

SHA256
3fce5cfde0bb0794d1e4ccd713b73905d9ae60f86141c664c8c63e5c6d709a2e

SHA512
7bc3b9d6c5694c99f0126a1dbdebd9b728d8293af4c6eb676332f32827d7780342ed8ab5fe0891c31aafa48510dd22b06c7a0d88e79f2e15afab8205bde9a726

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
4c9c8061442377b31df1dcb4d86f9a67

SHA1
4e6c709562a1ba96b32e648eedfaff7cdcd1f720

SHA256
e9ca620928d8a940b1754661ce784054cb726172f97d525784881dccaa3eb31c

SHA512
44b9b628908b8b0ae2df5f24ddab5b4ba886f3b66cbfd2178b1d8ffd11974cc78b67fe8598cbacda9a83974a63b935a79646354b886a46f24c4e1d3b4f9d64ca

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f75103badadaede0d376cd8e24beb304

SHA1
bc80593dc62963e78d25c34f6645c8b9c4bcc391

SHA256
97fc2b59ec28dbb2ff231c8116225e2b73e89d0225c7f20a8fa3486cd49d7949

SHA512
be4eeee1ba1036e6e69df776fa74f6974d04463ab4bfdc73611340f2e3ecf7190a39617ffa26e59340e15c73f713256950226b3e6dd129d9d8198b6c95d4f5bf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
49bd7854e3a760d20033da83a75b0c01

SHA1
729335cc963e8bd2ef87f5633a5f8ec728f4847f

SHA256
bd317b14ce803b7f6641c30a563b8d2edaa816fc4dc006e51130523337259b09

SHA512
ce152acbb441c0f8d9ce3d27928e22704a54e766a036cc7f6746d00eff9ca199fbdb9519a1f03356191ab53e62c301bce2c99c58c156f157916b73abe4f2ec1e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
30409ad10716d7183c357dbf6109f79b

SHA1
c8598794711486d5eea2d51435e67a308df21528

SHA256
7d26dc8b0a2312c4c0eeae0c51fd2cf4a6041c933a00faf8363af05aa103c787

SHA512
58ea0ad6b2234615a43e6947fdb903fb195617f16e7483615a8fbeb7d4e177483eb3a3436aefd8c85bdd23f57bb8213206910ee170fb891c775cf796deac441a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e230050e58cb006627af7b50e04803ca

SHA1
cc29feffaee1b24213d368c1eb20fb5e16557b4b

SHA256
54ae4c3e8920e449e6000730dca9f48b3fa4312a75daa65c3fe77f5b13a40c9f

SHA512
89843eeab85220d729f83cba1bdae93fc6956e0e2b5b5cf1c4f9ae5456701b1978837c6050b2572a85f707a298ef29312de0aa24f4e48393f05752084112948c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ac3d23fe3121bfb7ad2a50aa4291b53c

SHA1
5efd9766491d634c8780d2f22172fbfe2c4061c2

SHA256
58ea980bcce971d4af4ba1554a7872ca497c9924d3c0fe12dbb20240488867f5

SHA512
83745609eba619d1d775f0d7f2a074aa6b4c1d4686e2d4569a06c04544bc2545cac8855ff1b4b47e39e379857f35532852530bcdd0d29d7a06cd3fca852788e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
8f78b94b61efae2c9628f30428ed9b92

SHA1
a840d27862b5612c44b383a7ae8d5cf9515c3d9e

SHA256
3864a4ed1b7eaaab75c715c5c40663d2680c1f4dee17340f0cb1f15a28a0c79b

SHA512
7a217c3fe33bf865eb311a68da4868b0c2fd51f34077bb8d81a027165b52f7aff8c248af1e657ea97d7a7c0488573217088de1fb0874383c832e3269dc376ab8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
4c1c65c9b49c398c670b91c79fb017c0

SHA1
d9311a99a7a9580ff037600eefc27f4311b67843

SHA256
b7bd2365f406dece5e712b42e4ee388058fb5a4859f50ac069f956c2d69a8306

SHA512
a6eb269e43a96125ac1638c04d260413aa4747391a9f78c499a5000fc0ef014a88bf684f06ab7d7c474f78697c513d2cad952e1f68ce7fecb643ea93750ad46c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
785cbc5a4fca6dc29ea10f98c85ae6cc

SHA1
31346518a21f81d64c44f8045145c0ef885e8682

SHA256
bab8a49db6b97ddd47766e26bb053b6d78c2bcd272ba1942143a9b7b35d03590

SHA512
f708ebcb39e2a2e4d79b30d936bfaacf5b844d99b8ab2126d3d643625fd4b2294284e795307bad660f2df726f322542702667ed10a8b7b9dc6078e49a4e728ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
eba7893fe615f8884924afdbdd67cbb1

SHA1
8f193a9ee6bae37cc4e3b4bf10d1de3c1937d75e

SHA256
1e0ddc4a4e6268f35608ecd1cdac9188363bbe5654da3d6fc33eb88b4709d198

SHA512
5f9b93fce3f2760cab6ed351bb8416cf01e377cd5fb849f1bfc7ed03638505f075cb1e86c13ccbcf6e6a577bdcb0acf8ad807ab6d7fd401ff4d070c2b577309e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
6ad13513db18a662b65fc7359ac4a32d

SHA1
a9a8255188b199ee800de6fa53bf6712a6418ff0

SHA256
d8d250bae1a9365e25e47b215ed4dc65a65bde3df6756815a4ec94486195d1bb

SHA512
14311d76d73df656baebdbd6a350779068ce7dc08d844abff45dbfa50bbcec825b99c74cdda75b13096ba3153562fe7563b852553dfc43740e0d0d8dd314b429

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
c00a2e21000c3569530562c25e97cf75

SHA1
e90db17cfee1708a8ce4414a5c965f066b346907

SHA256
dce40da31f57e7937b928aee4fcb4b32eadf51b84dff081d943720fb1facb1d0

SHA512
3513b693cae7aff8fa58526c420f957d373d976cb32eb0f3e2f234be68030cbb7c0a9976af59e347f8af3e106ad5efedcab65345d1a6a08caf0c33908ec343ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
dacaabe5b93b977fe54a695120f0327d

SHA1
bda4aa09755427db5be97e90962b553116a48dd2

SHA256
1efb920c7133a3737110e41eae7732025d64a884cc1f380099afdd885ec22689

SHA512
1deb47810e607d78543c988bb1668ffa8bf4fcefe29c0364cbb6a5565352e9dfb96b701d492d26b7f1e14cb2fede96dbf62120a6db9850535264da4b4abb25c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
5b6ea603b9a3834365aefe17cfb03e24

SHA1
76784a9e99e87eacee51975c15d25ce9feba43a9

SHA256
350851b6b244e2f2c7078eafa919e3ea35fb3ad41dd935391c01436a2e0aa0a1

SHA512
994a973bf80ca86cbfd0b64f47c04670b86ff8a96a1d30f84c432bcd377713ac5e7cca5a6052ef0ea3689e794aebe6f275c8ce95eb48169ce6149f9fbfa53b59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
80922c9dcceed31edce16307e9e99f41

SHA1
bc34e6f3e099961b8852cdc5b73598b672386140

SHA256
9172e16a68e5169e3697f9a42e988e929c1c72086de1b23ce4849bce34f61135

SHA512
924e7d9ddb5ad40c5ff4acce8c673ac01229e0c87501027c9569cdd6abcaefb837dac69eb0d3b514d148e121544234e1683db9e0170d620ef0b5ce67bf17341a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
964fd932fe2b802d8825b8c4a937d541

SHA1
e4d31bae8d0295526777220b29d54eb4388d355a

SHA256
181b33331f6cf7ffe1c8d1a3a05a1b1499e8bed1402c6d734d07b0f7f722195c

SHA512
66946ac96a3c2efeba86b37d295673632ca8143d24ac58ba0cff18138baadf738f5477ea9f35043ce5931e9df597957d36ad85af3ea5be37a811537951573d9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f7c59065f10d7c676d00dafdc8f14861

SHA1
c9e7364a22817a682eb94235fdd4f49f9196d9d8

SHA256
bbcd089aea6b0fb6ccc3ef455e85d2180b046089e6c675c5b574a9e244b0f246

SHA512
bf28501642085ac10b7d5094c681d245aa30de91bc0f6ff5701d183b2508877e6413abf8326ccee8a05b6fa296e166f4492710f4c77d110cf1723e54f03a2ba6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
67e9272ce9d2c7d883f012e49aaf50b6

SHA1
796dc0f180b4846bff9c574795903f73f646d618

SHA256
494df9302e612a97990b609d03c099a342510de75029628f22a7469bca37aa7d

SHA512
4f342ca277f8937a43bef86094e437b3377ab408304d86ea48ccde51ae3073b93f507babac22edc442cc2ef7c0b62f5bd3d304fcd98ba85cfc2f5ad83687ef1e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
118aa6154b80d9b231766f87daebde01

SHA1
6badd8e1ac67fb02f7f1618d8dc8e0880346661f

SHA256
6bfa9a0594f2764ce4137bb5e39a492dfe0c16cc96967b97324509d49ec15b08

SHA512
dce8f5b5669c0575a9d73909b856761b7035dd5cdafff947a6262bce7e26f514a057c2b231b9b9e01839d06a9b12a8d140dcc892c0decdfaeec7f663c2aef3e9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
18c577c3c4d826941a82642618544e3e

SHA1
ef77b449dce3d2869255db8430eafd815562ba1f

SHA256
403a498badb0a8ea91d652b802f06ed3b5971667e0f65c9aea010ad36ccadf42

SHA512
23a86f2299b07f7928ef3d0a9f35aab17772b9872bcb229ef954207d9704a39597a113f8d53117720e93c0cbe9b6a26a5433a0f339bb6d7998234edf0f9121ff

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
5a6cdc13cf53312a19053ae30644f225

SHA1
d5a31d354be829c8d82c57d581cfffce7a461ef0

SHA256
7f6ca3434e85e7b68c27f7e48fc0845fca8cbcfb3b1bd9e808f637c9e0bdc6bc

SHA512
946ab9d20b9b84b9a7e70fd85bd4a76862932c003e718becd5d7876bc5e635d25304e853e1fd446db0f73c934ccfb481347dd074b0187100c70cd668babf4b75

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
da8eae47b1f774c7df8cb36b571ca99b

SHA1
a9cbf2d29cd1a854f3372d46267917f503da180a

SHA256
1406c5eae8450455fc2faa42a339e7b4d427fa7f63b0c7f31b407f02691be7a7

SHA512
1e076e8a0b987308bbf62716028630d988b4c78e29a47a38b9f972a13739be5cf56698d46d7f0c0f4ad0112da1a8da33b42db7739aded9bb122770051341d872

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fe8124ca3348bc58681a1aa42135c577

SHA1
e2f2a2fcd9c58a1a87e386eb69d9ac7c625b969e

SHA256
acbfdf8e41e457e7e86fbd17e6b13633a7074e7422356fc6bea80503183fe42c

SHA512
b50be5b85532d0203e60bbfc459ed16332625f082d3393dc84c7469d9d5120828e3a9476779d324e55bb6d7b0f4f455e31f2448b482e43c04237fd3a3aef2605

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
51d243d8f975de7bbfe2daae9d138ec8

SHA1
b086c333bf22f77ee9f149b2e0d0adb0ed6d2f41

SHA256
c99caf65fcb6f7453427fe3653e4d666975583307f25c2cc93a19664f4fbe1ba

SHA512
00478d94c4a8b89984038e9e95f0b4fdadbe6118c0a31b29bacb328f009059c3b99b4ce3f3d1a0b552bee4aa86b754b9f1f321a2b05958df6ddb9f2e70ba9f19

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
166df4639d76eaed536a34e2cf933977

SHA1
4d7e04f13106979126716643d7d8d0f77f5206d8

SHA256
f9976fabeece2aa1a878875e5d844f9698ec9eefcff0efdbf7d3cbbdcb53e20d

SHA512
5ebabf48aa1d4c4a19503ed6f0e144fc8f952fa70c142cee13e4d0987a299c0018d92e236d8b0182b6540b1ef3a5de17c1cdf2ae59a01fefc89ab473fc207eaa

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3b07b00140637f3c80c6eb5a635d0017

SHA1
ab6d2ab7c5dd38fac8b8229e8c3f1353dd76b61f

SHA256
bbd12c3bead38ce9b62ead92cf5e49880d29a78c6e035146e4723c722dba215d

SHA512
1cff799a8652f6138c530cb03f4b359873f6476c22f596a29ff609ea3a52e46415b48ab51809540ec6d81ba837cc660837f01c68929d319ed493c344ed5f7ecc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
82d5494b1903c0139ee71135619d753a

SHA1
0756635782d6e96da872996558f9c46bec0c28ed

SHA256
ecbcac208ddf534cea7006bcaabcc01c6c71d0533ab832a7ebdc52662ded0a6a

SHA512
ebf93973ee6f819d67f2f2b3e0b7029174a800379a587deb96c864729be04e7cfc687beb620fa21a69c3f0e4d4f25cb961a8b934550a99ad359f8e27b24e0601

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a9b77530ae8d26948e226cbb0b18dad1

SHA1
d39eb35a888b60adc12dea0c7b64ab9d9838fe9b

SHA256
eefb69cc66147910b9214d3b1b40870144aa546191f1d1b433dfd01ee914a891

SHA512
3ecafa8d522f2ecf7d8e395bbb210e4c5e147fb2af4921db9f3c2b3bd427d5ced01b7dc4e67485f689b3454059874cc85e2a4dc7090ace8a06e98992f66eacc9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
709ce3b89278aa192061923f216b5896

SHA1
dc1bc0557b7832a9badd93aa45876aa6c2afb5cc

SHA256
6cc4559972eb792cae22aa3dd8a2e2124db70da7a4c8cab75873c5559ea3f58e

SHA512
87d0590cdfcd3a547b92c5e54a0c5b0edbd0a350661d7f7581161bbc2467ca41ec4ffab5adee324d63c77cf5dbed332e0b0d7c295d42fcbb860a9e493238cc77

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a33079d3ad0b87e1dbdf103a9f79ae25

SHA1
3977bd788d3cc9cf42f593f6a2e18ab3e37aae7e

SHA256
3b2f43126ef1fd5183ecf12a204af91c4a9d233e070171899adc178cde4d4437

SHA512
1f9debeba1253eecdc2ce3545824c934c5483f61547f02a73116f461d3ebf102509c4e0d5dfc2a36a1ade1f330f02ee51223a6f33e119c0d52dafef7a02c79e5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
0ffe04a7e1eaba9cbadafeea964566a8

SHA1
3774edd5d5a16b5fc4d4b007eb24b93b7dd117ce

SHA256
2be87470ca6562ebc7affb9e3ce0f3cf99dfac24f7a1adbb3865a9123abd41e5

SHA512
fa0c27438e3049da038e24ddb27bccb334b69a20403440d714da4ec6554aad666469e13ef406b591859a88b90685af9b47315fbac3095ec3206a9168565dacf6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0039999ea8a3acf869322afb680efbb8

SHA1
9ae0bf47334880fbd4b3bea2636d42b4945a3e7b

SHA256
4902aef0fa8cea2f17ee0f5de90026293aab3887ac213d4fd46dec46405a74e8

SHA512
1508da8e8bf69ed7507230ce42588c87296a867fea722dcea2eb609bdf2bb302e9676ad7502689e0070704fdb40aa2da80ef1153c77023fcfb2f36b5df3c889c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
7d33b0ed581b26c617b8e8c2ecbbbba0

SHA1
5e19198be897fc64c10cbd25dca45eca77125a9e

SHA256
0a7ecbf2c870736873d89bdf262584b07b2815de251d38dd8c9a9dd20a58a2a7

SHA512
38bbb39deffe8d010dd35a3c1824048bca36d6d104c01289bb499068f6c65200ea7d1e101de7fd0b86702279eca41a6c459f478ddbef9807b23713e52daf832a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
1d4e8413879dd60a1ef75179f426fd43

SHA1
3c8270eb25c1e449a2d2fb39db43f82afb6ee8b5

SHA256
7e6e149928f9b47c7502ed396e06e9c3a5c4752f3877b2ce3cde1e859f39a51e

SHA512
0c70e223fa452d563119dfd0b8858834b2aef324d73954200d1dcdcd32ffd7ed708d8cc26ca9bacbf7a72df795ccc4911269477bd588ef82c97692388a36e58d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
84a90abd630a9b03541c33b6ac590fa4

SHA1
8887b59e75bf0c412d2713dc7367c68b176b1f01

SHA256
cf8545f52b34df8ee6c331ab9d9d0c13866b4e78997ec09e84e5ee20474021e3

SHA512
0cefbdd5436c59680933055886a522df6ae4f2f29e9d2d9fa5f6259df4013ed9def0adca0d29fe4f2663ec87b5634cd546b175a6c3cf747fad75530c0be44629

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7c5b26aba833138112cb697761902866

SHA1
e4c4d9eb80b027878036c47fe72f7162e6c30e43

SHA256
298e290221648d27caf22a5cda4b10e6ecf1e61c220a88edfb1e14844efc0c64

SHA512
2107f87c4d739d4118b965a3c03d1259cf8d6aff89041ed8cd31e69c599d4f733b070a8d50261a04e7f04c656c50005543ca6bee128d15a92c114967e937b4a5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
208eef9e8e2a51180c0582afe144fc86

SHA1
aee2a3185e195b102698ad4589111ea9645ce42b

SHA256
f3f799a37da59e02bdc7e68e7e16640fef1bbdfbfa6145e82d5074a9a91d2a0e

SHA512
ae1e54be2f32bcb6e9637d9bb9f51dc4bb4207d63b20128459270087d79b0add02c63b1ae70a4772c64161b0df8697551ae99b0c36e5fbaeffe8e51130fbd5a6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
baa666dc8f3fbdeb78d334634c9987f1

SHA1
b75c4d230ad285140cdf807590cd428cf9fc18e6

SHA256
c511fea6aff60bea298a574dfa579b4c188fa2d8d4dc84e4b181c5e4cf9e1b50

SHA512
38653672e71ba83ebda6044395712e5565b0edd4ab729211107f94abfbcbf403ccbd436a0899fa4d8312ba326e7a0d75f949b0b79d7908334b1335d9d6d69e0f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b06a07f2f84d0965078bdf40a1bd683e

SHA1
9a4f8f3c1caa90954019fda4ebef7a9e7cce23ff

SHA256
5af80ab199260c9676ab49ff0e8d536ee59b29827a379ec9d0c10aa0b5189a4a

SHA512
f9eb913ab80cd1d8c8d33e665995903cc19242051f413bb48c1aac7f80a8264ba0315ed0dbecd646485f4f8e0d95f896e59f3eede73e8bbd0e3163fdd0d703a2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
ed1b76e4cae8ee0ef7aab44e871f3e93

SHA1
410e644124f3e6d003a216ed4eafd335d4ab07ea

SHA256
a8c2831367dcf9439c6cf1dcc69e57e55880ab0c61ffbc88fdd4ef804bd70f97

SHA512
b489e391f8f866cdf6dcdf1bd9a781718c269d246b94cf5f0fb95c76b341e04625e8ea9849898d80539c5128643d00f0e889456375465c375393decd7c5e11b4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
8dfab73b57f4ceffc8dd8e09764cbf46

SHA1
b10aaced0f89e37783a66c0d5466cf1c831a80ab

SHA256
b3ab6ab460ded8d525eef2720a03a5c65e5fe6a24c9fb836a5ab623fd24cf4ff

SHA512
499b9dc56ec086bed2cd4b8c4131ed45688af392acc975ffa4c2a24cf50619e619172c30234205d76c62c6184e5dcf8d9f6751be7b8db0949fd79cdb2bc0a6f7

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
5ab7f199ced0e7865106d5fd6be4faba

SHA1
8d3a465cb438c4cf8c2efc0600d9fd7f8cf68ace

SHA256
acf28d5ff6fc7a64a8fab4feed68a0044e8bbf8e7434c3eaccde0ef7f8f30c9f

SHA512
52a013f52ff9c28bde9e6be89ddb04d98695fcee2080d436b973fba1098106d84c83551b041ecddfb60131023249db6cd29b41b6e239ecadc91f709b1029eb5a

Download Submit
memory/368-86-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/368-133-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/368-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/368-77-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/384-0-0x00000000023E0000-0x0000000002447000-memory.dmp

Filesize
412KB

Download
memory/384-3-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/384-7-0x00000000023E0000-0x0000000002447000-memory.dmp

Filesize
412KB

Download
memory/384-54-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/636-120-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/636-170-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1136-124-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1136-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1152-360-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1152-138-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1152-147-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1512-99-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1512-31-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1512-33-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1512-39-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2260-113-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2328-399-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2328-175-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2816-102-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2816-103-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/2816-108-0x0000000000690000-0x00000000006F7000-memory.dmp

Filesize
412KB

Download
memory/2816-154-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2852-125-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2852-134-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2852-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2936-168-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3444-394-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3444-165-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3444-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3468-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3524-396-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3524-169-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3540-395-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3540-162-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3628-383-0x000001DAD1AD0000-0x000001DAD1AE0000-memory.dmp

Filesize
64KB

Download
memory/3628-440-0x000001DAD1AD0000-0x000001DAD1AE0000-memory.dmp

Filesize
64KB

Download
memory/3628-400-0x000001DAD1AD0000-0x000001DAD1AE0000-memory.dmp

Filesize
64KB

Download
memory/3628-371-0x000001DAD1AF0000-0x000001DAD1AF1000-memory.dmp

Filesize
4KB

Download
memory/3628-367-0x000001DAD1AE0000-0x000001DAD1AF0000-memory.dmp

Filesize
64KB

Download
memory/3628-365-0x000001DAD1AD0000-0x000001DAD1AE0000-memory.dmp

Filesize
64KB

Download
memory/3628-431-0x000001DAD1AD0000-0x000001DAD1AE0000-memory.dmp

Filesize
64KB

Download
memory/3628-437-0x000001DAD1AD0000-0x000001DAD1AE0000-memory.dmp

Filesize
64KB

Download
memory/3628-387-0x000001DAD1AD0000-0x000001DAD1AE0000-memory.dmp

Filesize
64KB

Download
memory/3628-450-0x000001DAD1AD0000-0x000001DAD1AE0000-memory.dmp

Filesize
64KB

Download
memory/3692-16-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3692-78-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3692-23-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3692-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4340-160-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4516-43-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4516-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4516-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4516-109-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4552-62-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4552-66-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4552-57-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4552-55-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4552-70-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4916-90-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4916-97-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4916-91-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4916-146-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5052-157-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5052-155-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5056-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5056-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5116-381-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5116-151-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download