3ca00052a0c6bedacf6fc7e9c864147432a107b4409638c7113e1ef56eb07d5b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
Size

24.3MB
MD5

e62baf1a4e521ce4da14d91d9da658c3
SHA1

6591f86fdac7a9d1ae6a84752f5eb6e5519c9579
SHA256

3ca00052a0c6bedacf6fc7e9c864147432a107b4409638c7113e1ef56eb07d5b
SHA512

7fa88aa8bb95de25c39d77f7d3084d7d01d1bb0971a851fbac564248190811c250fc464557387d74ed19412c0d91ac1a076d8e44de2e756514f2957ce2aa331b
SSDEEP

196608:YP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018jb0:YPboGX8a/jWWu3cI2D/cWcls1Yg

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1616	alg.exe
3884	DiagnosticsHub.StandardCollector.Service.exe
3200	fxssvc.exe
3480	elevation_service.exe
2072	elevation_service.exe
4392	maintenanceservice.exe
2720	msdtc.exe
4832	OSE.EXE
4928	PerceptionSimulationService.exe
4060	perfhost.exe
372	locator.exe
784	SensorDataService.exe
4348	snmptrap.exe
3344	spectrum.exe
2284	ssh-agent.exe
1148	TieringEngineService.exe
3044	AgentService.exe
5000	vds.exe
4320	vssvc.exe
3632	wbengine.exe
2264	WmiApSrv.exe
1836	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9b857db98ed1090.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094d51da11c8cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b43be2a01c8cda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f35b89f1c8cda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094d51da11c8cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000377bea01c8cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c27eea01c8cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014cff39f1c8cda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bd17aa11c8cda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	3200	fxssvc.exe
Token: SeRestorePrivilege	1148	TieringEngineService.exe
Token: SeManageVolumePrivilege	1148	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3044	AgentService.exe
Token: SeBackupPrivilege	4320	vssvc.exe
Token: SeRestorePrivilege	4320	vssvc.exe
Token: SeAuditPrivilege	4320	vssvc.exe
Token: SeBackupPrivilege	3632	wbengine.exe
Token: SeRestorePrivilege	3632	wbengine.exe
Token: SeSecurityPrivilege	3632	wbengine.exe
Token: 33	1836	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1836	SearchIndexer.exe
Token: SeDebugPrivilege	2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2196	2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1616	alg.exe
Token: SeDebugPrivilege	1616	alg.exe
Token: SeDebugPrivilege	1616	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 4848	1836	SearchIndexer.exe	116
PID 1836 wrote to memory of 4848	1836	SearchIndexer.exe	116
PID 1836 wrote to memory of 4468	1836	SearchIndexer.exe	117
PID 1836 wrote to memory of 4468	1836	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_e62baf1a4e521ce4da14d91d9da658c3_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2576

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2072

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4392

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2720

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4832

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:372

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:784

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3344

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1972

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4848
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b6507495caaf31ef765e96817bc55d01

SHA1
802632ea5641113af7f713bdfe6f947982c6e16b

SHA256
0d13b11dcd38750edfc35c8f7729184ad7c88651d3ea10afef6b6812c8dc6e95

SHA512
ab604b9218eb07d263141f031186252715ad848158b4d3bd1fab8c97fde50edac464828be9e52c560278145adac93708bb8f3772e700d89017252ca78a35abf4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
3f99381934c598bf61c1dfaad960047f

SHA1
9d9ead70dc748f687fe8007d7a058cddeefc2bc7

SHA256
2795f348158838562533b4059c8770d9ef73fbf2a817ff6f8396bdb86741360b

SHA512
270fb9ea040924a3c75c0869db7b1cdd27296dc557751c54a1c106d29bf1648d2f80995e443054f2f9bccd661964b89001f078b16d0dd0c5748ba3afaa3ce2c9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
36e229c8e29ebaff1b9d72a7860ababc

SHA1
1ad8ed435ab73a6b770afa5c09523a3d2062a003

SHA256
a7d6d49665f910db0ee14a422ffc537818a0cb76098c1652db923051a50476ee

SHA512
95d5bd1aec7fc08ec256c8265cb137a7ad404a395d621467ccbba995ce2cf16485717ff50283bb2de119b04476eed051e0955693a82098c0066ab9d09980f543

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6322bf78e2b6320afb320201ea84dff0

SHA1
7e6ee4cd5c5b14d31ed9ab1f7387aa8b9a718b20

SHA256
c6c07b98c1624a609ab0f1211bb0fab247845e398da1a002835a276d0eb11b70

SHA512
bd9a5c5f4cca884024e92bc7b9f05e6290d34988dffec5c1853113955076b24281a9020f1b79aec8f4dae1cb1e43f49fbd9e6674756e3dc5c4ff74ab837e24c1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c40b5d940e70d50356a3eb3334601662

SHA1
424e6647ad6c08a88ad0c7ffefd9107d9c9be9ec

SHA256
ffc75598f36a55db62cfb0886eb0946057b5a2c0c1d3f70f0a15cf8c7eb01fcf

SHA512
5787b458b7c340a5df7327f397ee6161cc662f3f344d2da3f7dd03b7b4a7d5123de92b8016856ea48f87936c1fe3ee99bb70871db50de9fd99131fca088ab510

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
0a9326a154a9f801a59bb820bf4795b7

SHA1
82e9789ef2977f098023248a458b1ec84339a33c

SHA256
50963786dd4659a8f97373081668d593e2b56b17e7ed59451e14036f129e6504

SHA512
dfa6e7aac4757e14f7da4e1763228ab20c8ae023275a4a1932695402ee27c4968b6ab2e90151647d29156ffa7e1f43966b65fc8db237d008f7534531961cc8c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
7eacfd240465c966f088cd8b79dc11f1

SHA1
2c87e36fd5b6ea10b04af6a6a9a93d244d076853

SHA256
c86f9841fc64f6044979a9a2097593809b9f2ab3e81f9ceef16c316ae5640f68

SHA512
5138d8d53bade79cf96577a4306d7e5049cd7f7d1f018424ef3bc83e294e4356b6246512b2825abf3731a3af6ab3d4d6168b6b5a7a981ddf6dcbfe511e377b4a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2d579ae4967130f7152e098691106a87

SHA1
a8aefbfb85a07f464a1338f23c5446473c791456

SHA256
6d886b4e59cdc543dd923ca020fd25ac159d853b86a94ef8c30e7d729c6146d0

SHA512
4e47c918e5da2d3428d48d608b98aa3d8a72b145560a254c604ac82492fa454905ead6f99f9263d78ccb634199b806b5f1a85b1a9a736db3d35ab7d1f842506c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
814564179325301da74d2cb068c59953

SHA1
93f37b125a0fdd8076d7a8709c64d8b02eac0bd6

SHA256
1ba1c1de697f90b5b1a0400a6a2be873cf93c055d8fe11059e2243298e91b6e5

SHA512
b17cf4fcd91ae005c966b1503c3fefd7bf059b9c8820278729225804d4a6acb7e370b1157d02267652a0f31717359a7239ab73bf0b76de2638138503ee0e8285

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
71de486f155ac092778ee0fa172b4205

SHA1
2d98b84ccc8da43d69cb82b23f7d51633dcf7401

SHA256
6af5c2677146d9c80e2ef656312460216e674c58efbf00f3a6ed9d85eeb04f60

SHA512
1dbd63607023ded01b6e4c2c2bc712b50be439d899cbe227ea0b555cbf3a0096e9de3be2a06dad1bd5186771fc5ce8b0fbd2f3955dc0daca089389baae7fff5c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e60751f4bd3ebdb70a346c274a635835

SHA1
1499897fab020d6f54fb01a042828aabfb562cf3

SHA256
1870d2d96f9b171542f66430b0d9fb5774b68fa7303f4b56039377b5ad8e4675

SHA512
4376cf6a1720c25298e5bc8427fcfa7f3f82eda039b63c0a610e2453c755e7af1686c85670fde6f8be4644c2580f68a94e02ff494f082f892c5c437d988d6be6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bc5d11a35bf868eaa8f2e4cd57e1daab

SHA1
d013a51191fab6258e03a014b11459d91ea6afef

SHA256
84142644416dcc89084462094900e314aba87abb6811b66b9a47c33c66950bbb

SHA512
64b3235e42f33b2aadd05dff99ca77d6e600732d2607a4de3f2ed615eff2eedeca88ecf91d1992365571bd0a43514b1f88ed3727272a4ebbcaf689f27e309cb9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
26b63f173b850125176ff3839839dc5c

SHA1
afe3e007f5dc945e417e9ef679081fef8196dec2

SHA256
cca07c0a907685586fd588641bc44569d1eb01b6f873ae3729ee688da4da44c0

SHA512
e6616be4c1fe0ec0b0b9b9ea2629e05fe8d18cad0d71421c6f58642810d2e3a1b43166a60e9bebeca7ffe37c2261c8334e922926c35a7093962e3029baa544ec

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
55dc23981a35621c35d5aff5e1436c0d

SHA1
a8cdb5ed6029745f1abefb60398b81ee30a28b6f

SHA256
b18eef4026000566bfabb27e68c7b1a5825739971e2a95502ef5356728b000a6

SHA512
230fd4215f7abc28a29129d899f56e2bafd13f534a70b370deb9aafcdc2e0f00f1c17f731e3556947216b32b9aa05ac9b581c1efe71dbbb349b92a05705ea288

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
696b06753bc8767da50ee7ae03c020c1

SHA1
201fa2b5b887ce16e23c12b29797f781cf7e2479

SHA256
e6e55f107ba09ea9d103b524e335e6e2de42146107b0bc375d06646d3c04e2e3

SHA512
9e25752a744dfce0d52b6bc4251f76455c61b9c862b803064dedb21628a0b92a7cd05d5dc28e48e2c209814e6c370680cba1f5d342140515d7c5cbb4a942b87d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
bbfdc8ea07c7e2f90bf8b33a0da49d79

SHA1
b86258c97b051eb8d64336ac5bdf682ce2cd5a83

SHA256
55cce776b0d40c5a4cc66a60687c7f3a7acedba0cc7c166e79e95ed998d33942

SHA512
4199dd1327ba2162925fe6f4731a8fd4dc071ed2cb2065a47c046097ff8105ae617157d1b2b9387e8fc012f8bf2b569878d27bb2a2fe0b9a06d17bf0ebf1e988

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
4f8ecad82bf114ada9d23c8f94f4c40c

SHA1
fe5ee5532da1e38d52da085aadc513b4f5ff633d

SHA256
ac8235c8fa98553067681762615aacd710f4a4449dea418a211b56a981466706

SHA512
69eddda5b1c9e22f36a95f89c457be5278520ea1275c05be94cbcb200ad29e217e01cea27366321b2ca2ebf870e7478f9540363cd3c3eff0645e4617777dd157

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
60a5f9e8ce134abced3d597c7e0810cc

SHA1
87552100adac2ae83bc961e94faa3d3bde9283ae

SHA256
b9a2cc8692bab898eb5b8ab967cbfb9b4142e4ea7a083746a301548482e4e846

SHA512
cccaa8026775a577c98a37d963bef1598517fc62b622e94e49beccd89ae654f1a29aeb0fc645903c09d52979061ffadd78c203e640e1ea1e60845a70ffa9740b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
b8962f6fffe52375b6810efd91d99369

SHA1
fd1a7aec804473335527cd8763038a6461d6ca4a

SHA256
7dfc95821ee37490421b2c4730c63e779bbbe8b412b18349ea059b6cc8acb5de

SHA512
004476f76eecd9b81f04c060e93151d5f61927f49d3e7e344e07a33c2367074b7ba42848efca99ec337b8988225004bafcda97dffc4ab12b4f0dc45e26d5ace3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
460c7e0d11bcfbebeeec3e11df34b67a

SHA1
27a895ece24b47541c32b33f24d6df2de9663528

SHA256
eb0b7cd5c2ddff0403c09fcd897b07f80bbd84607514c5d5f9e28590254aea8f

SHA512
d4e791e9419eaf4512aeff27518d4856ab8841d3e59e8dcf5fa2123a1e303945141c5e7871d2a912cee56811287301fb4d51530d3678b9ab2419bb21bf9f788a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
f92fc5bbc235e830ce57db57b184c996

SHA1
281a3584d7949002d440d532423f62448f0f04ac

SHA256
f5556b8e17cbfb7b91eac94b2cdf6dbb02e79ef19cea8d281c95104289c3dd3a

SHA512
01f8dfb4310cb8d4c27f1f26583b80df03805383a0ff0468116766701e3541b7e722a27fd00a4d14105e70eeb403f69d0c2559e0a9ff22b4340b7fa59d94ccfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
b1c3d485688beb5dec4df0248bb69837

SHA1
24414e3fd3bc0866f7439ecd82e5d87a646aea7a

SHA256
d9957323ffffbf903c3560ec185b54426705a0c79d81828e2e6966faea5496df

SHA512
82be04cb65b193913a8248e4d20c555fe982c0f7c2f533363cb07d719be821ef91a5d22236ebcff127636ebf895458c46a1b93321a55f8b63e8c077e2aad0b63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
013437bfd4d1153039cdedc3f429c932

SHA1
55f9f400fc4ea48dc14405709fa22f7cbe2a0f92

SHA256
f8c8401b93fe0da1f63f6260d8d38686e2ab83f8f7cae293918b581ee567f276

SHA512
4b0177f5f5f510f88b9a7e8fab5bcf1b592a492bff1fb9b9c024b9357f5e6f42bf72cf1ea21cf5e958dbecab4b396ccf4bbf15920e70b49bdc0ea6ad485c56d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
fdf453ffa80ba35981de573cca3e18b5

SHA1
4d314b092c6c091b7b14bc1559ea17577d3a9399

SHA256
24b731bcc1ec60bebc996c413bdd13ff675dc9489ee30dadecf1063d04e1e7ec

SHA512
aae75eabbbf8e7920453b9ff634317138a88aa2fb295ab69d803decb6945d60218ec76bdbabcb2fcc4409eeda9c8634f0e556665fee4e7e6c48cf8ca927742b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
97afb4a811443d37d1a02f6cb3b272c8

SHA1
4b9b94c6c79c1d10abeffe1302a6548ad5635c2d

SHA256
cb6e934c3b14ccf1c9b3e3e03590135cf43e5f11430100944a949a1b426b30bc

SHA512
b91b662d6e51740cb7337db170ada5f592b4ca607e7f4cf4ce0bd1e041daa2c9bdabe5db66829b6213d8906e6c477ac07fb20733454b1f171a7c1861ca5a2106

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
219315e300c2686031127800e664aeb6

SHA1
a4eec38907b0686217476ae577ed2a2d696e60a6

SHA256
39b6e21b7fef24ee796da936d6f812f566742196efa30948c026171ef1ebe364

SHA512
6493dc5f25b57e9440ef3d620ba71771e31c41e2bebe915e31136ad183dbf37d43f88d928a7307a1e9560e11a7b6984887d85572ac1695206c041e2d478d8e55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
cd5ee41e6bac04e8954c48d2c825a633

SHA1
edb0aa693f86b5d743aa18b0ff63644ae9f86bcc

SHA256
ff38a283a2bfbcfcf48a062d8b6adfa376946184442f51285951f82d9d694654

SHA512
f1f4f37792a0389bae97feeab191c815b573552f105414ea83ac7cb4a0e32ecf028339b73669d33b868506007ed6b5846862ed10df83b7372eb69a2521cc4289

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
639be1641e37f09867d0c1264c396f5d

SHA1
ef73c47c400610fff159bb2d70596120fee4a61c

SHA256
ec9265dbd0023983af9b7bd7323dc1273001a4429a11963efdfe2127a8e0eda8

SHA512
67f105e16187fceefc0609818e630d6232e6a3c6e2bb9afe5191773b2b6d94e527d2861403d2be139eff7e5cc005abdf0370447bec57b9e43565ab43c9ae112c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
925620f924a077f882fed82710a4d842

SHA1
88bbff23ea38a9a72befab06c7c6c3fbd6ce8d36

SHA256
6a2696b8b3d5c868aca82a3c6a8b949b001745d6ae3c534a14eb2519c7ea6933

SHA512
ad840be5001bb8d49cfddf43a4e3b8f4e53f1a15dc7d865369c9e8de05060c29b89ceaa75f0358bd7a81d98ea80b412693a6defa68b67516c40d30f4bbe94433

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
698e3acb9d68d002619b38a8f04a545f

SHA1
5f47b19b3857fb04c4970fd37a5612bd898bfbe1

SHA256
8ab7d94ef73ae01aba1e671a5aa023bdcc7e24db92778faeb7b45f99aa7a4cb4

SHA512
fde2840673824092232fb251396a0c514308be4ba78ef5711142878fed231eb722c144f8061a5f324823c22d3cfe1d11a69335f17e0e152ea3dfcc0484a46644

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
2a5fcae8b078f89801cad48a27efc3cf

SHA1
6d624eb3b68f2fc69342b405284d8a5963851732

SHA256
aa4d888cd0cd93d59f79d123db72f3ebdb95512b827aca7db30530f1eac5613e

SHA512
674548d14f2c03471370f19d6d9618d9363643334f88e46e06bebe9e61cd0f3f049586a0a4bb7ff792c411cfd50e9731caaee4423c5117affa83c0f7d7600947

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
c5894e960a7a41effe60133a38424c4f

SHA1
e3ca8b662a70e3f1e072e6a885694bb044eafbf5

SHA256
b1a115747b5efbf7ead79acd0a798e30f8b1dd010e298d3ca2368a51e5c74284

SHA512
37e8c0d9a58bc6b22999ac8fb2ee3447d6ca16d282296bbfb0ebd097204d2f18fe79604cb17df638d5ee593bcbbcb3a4dcdac2278069175bea6f003ddd693581

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
5b1ff866558f7e925f8efe6d2c47af9f

SHA1
896a50465de9adc20561d946121e2b240b6c3d64

SHA256
4dfa3f9b691ce60b586501aae865f28e503c23449b5d2bb069bd144bd22a8f8c

SHA512
2ed127f83bc16afd681ea9daacea3f2ee7bb428721bf9fe8063ad6ae1968dc4b2dd67ab902ed0785c4b0ef0b46b565e3376e41633f4538a6b8762d74effb6217

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
f0bac0e6b234ab35f01d7afbb8130051

SHA1
52f60f7b2d1f2e79c8ad05efeecdb1a811e8ec33

SHA256
539c482385799716266a2043adbf2a8d281f23a0e5a98303cd56c6df78f4f25c

SHA512
c7a9fcb44116b8dcce91a3c1b1dcbc95f807ef5b9b43e7c57accc6d4b917ae67b65ac16abc7923f892c58134474291fce3864bdd2036f125f7d532459411cbb7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6bc8bb61f83ee7b70bd9e6ce585d1dd6

SHA1
df546b451463971553d1611e174425b2bfaf27cf

SHA256
03bf0891e366050fddb19a6a2899b87a53b36c3355753387450e4df04b596150

SHA512
0dd71872064fbc91130934565e4183478f031f7eb69c00fc990637b959cd55b0e7254a949ac990678bef53d1af39b0f79f5e14f5172c4fabeaf2db887d0542b8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
137cd1b45cc75ef0b4898fc3e9a29aa8

SHA1
5635f4a6d9bc05ac204e175dcd24f871ad073450

SHA256
c96ff6e41a1a78ae94c959ab822fc78b3972a93c3de55c6e089186b8f4a26db9

SHA512
00fdc9cdd1b32829836883bc8d098bc09d6147db28b6c91d0084e1a4dde471ca4c238016641fe0472b4b9a875691ac42d668eff8fe9ed662808d538a4b13157d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
c8c83d51d56716838a238af62b197067

SHA1
a0587697beb4dc92b96ce292d42d91567d1ffca0

SHA256
acdd41c7f46fde87c21b1b6f5d44a55ed5234271814f2f2568e9a9825e317606

SHA512
bbedba5eb0825a004ae01c2d5804c337f16c499747e530f0bb440b22055fced355ffe6fb7d5afb69e9e6794621bbcb1699165ddf0095b55b1cc3785fcf493bb7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
725e1b4041390df9f80d551c77e1951d

SHA1
a79f9e98857e22b83f050fb4aedf4af9981494b6

SHA256
bd1705ddec79a0c8e04b33fcaeb1ecb7d7251bb60f332cd44e7fb2de37aa0049

SHA512
8c3fe23fa4077b4e2728ae11285b7d2443e25bec0bbdc297b7b32f7c0eef2a3cbf001be08518fae2c63303ce5f27b64d0ae99b967b47dc811f9d7cecc8b8b71d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
9cd07e6c9c2b8f9e8da70921a4ff630a

SHA1
9b90e63ca11be749868536f6cd3eee79534557da

SHA256
ebe3984e25961e84f526d4d2033ef5da2a4d7148eec184c5bbcbcb274fd09f0f

SHA512
7291a50651fede2358fe0828600ef268425d684579d8d5860f98266fe28d7536e8fab5b5d499d69f74e245595e7dd382897d67b6caaf8f2eff5fb22c6d7c26b4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
42c86f404e981a61adcb5d0b87e2d40b

SHA1
631af6853a907fdae5d165f841c97614164d5456

SHA256
5187ec24fe0526676a129817e758591a33c32120bf4b329fe2635818f3502be4

SHA512
eeb1cae09c61a7e19bfca61d3f7b6266a5efaf6c7ab82a3c8c24b358c9f33ec5d7baf3406b421996dc8f2589996564fe3ff1e9f3df3ab49765b2420697c4b710

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
40082c01d90d19e79660e86d8a42d033

SHA1
234f97bc1209db05885b71bb40e65129a2d4ce1d

SHA256
c42e40ca2d28b039679e2d2a5787cf7fd7210543a2a64eccd82d15f840519589

SHA512
2f0f7d6bff911576b6fbb40bdc77a787a628a99fbb875b9bb6a4fabd6c0e8c1abf6ca5d30309cac4f030c291c87936e04c26365eb0570fe729f9dea44b19909e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
e2f9b83fc0099f7605b916eba662f61c

SHA1
3de2304f39a4c80b253849cdaffdf2993693c318

SHA256
8b0382618451a8ef41485cb85b81ad73f1862af5697b38491234f06d361189ec

SHA512
290ba6b6c95e1bf4e2a91400960da527f8be29e5feb883f15538cdc6dc92efb6d68b5970c4b0907bbfcd62d083a79acb67e3be8ac3f610d1c76924546d52ed20

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
030f8e1284563924b44f4a78f3706550

SHA1
b3ada9f1601066fbafdffcdd3a86665202e3fee4

SHA256
89e85ce309cd9c7e3f69026e8ff5067bca65dcd2c2ab27e897d567be96c42fda

SHA512
83a6289e479bbe330fc7088c0969b493552fe80574701a5a4a2794a9f90fe3d82faf7542d4ec36660e045141da244b3e99359744a8e228f044f3584053afcfb2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d4142be788c60e649779af00e077c75b

SHA1
332e9e2169b6396b54c2545fedda7bfa806370e5

SHA256
051242c1516f7d467364c0411e099b35fbfabb59c378bca50c0fa2f6a48cf45c

SHA512
02250c8410331daeacf7a403e41454a33f0f8ec67d112affff5cc9b57e65cd85475a68c939eb329e08c9c6285f6304498d727ca5c6b54669d6df30042d4d2b60

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fb52c9d4d74779165279a5a601e1f63f

SHA1
72c86b06146de736ce6504d98d3d339a226bf07a

SHA256
8c435e44b244b3a722f449285344862e36b7fda5900ef5b368499e9c9800d061

SHA512
8f1a5632b4daeade7a7cc0df7a1d6b70eb21330ff3084e7d1a5507b935df8c4541ad502dc6010b2f41da4970633e78cbf6303cbdb811322c1d0e35c993025a70

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
efe4f48d7020ad22dd042d835fe46556

SHA1
a3bfc6142ee4723669a7cd839cb1f56e534c3d9f

SHA256
82c8d89bd5b276431c2a86a8d9a0e9b4c83e1690b0e8d0992c1ebd38956d410d

SHA512
b40eb89a230b8f0f8b78fb90de89d269333779d1628f6028a4accc278cb21dcc18b09b4c7d3df42ca25b2374ef16569b907b01d690d267c405b202101d480397

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
9fd038c85530a984961efcfa1acf6316

SHA1
1c397f5ecd9116eb26cad7a0d6235588250b826b

SHA256
9d047154a98a86a55e9da8efa24d2d4a4cb2c234ac5690e4bbef0516ec36a819

SHA512
3623bd16f0fd3b31fc7676561197eed7eb587f2dfcc9ad9778177f193ecbcfa55d6d12a2576fd7aec8db53d3c9cfccb242eb85bd8e183ac32532e521e67ba0f6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5b31f92d4411ce2dbfb90256810372fa

SHA1
e613de21232986d408fdf9b8acefa2f2fcb02a65

SHA256
69143f855c1d4048d5c17fd244c08edd1780cbd6a72d01ba38b5d1654b63b9ce

SHA512
13c962127b7e5fd3283395df79580cdd3f97289f236319c3bca63488e720c78aaa516a471e802295e2de4467732bbcef5e15253de27038831a3d08a384de5b5e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
b2b67200250336f28c450fec876ec5fb

SHA1
3f3aa1a431adee9c2428216dc9a8a89c20ec1e18

SHA256
d7e375c78ec597d8431942696b0d000e833a8120fcc49d29f27f883b6b92461e

SHA512
056377b79783014625515fa610353cd40545c36868b994de91724530f7b3bb542d3a89da812d65a14429f916473eafc70542f2d38e1ad267a4cc82e8b691b8ec

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
84326d1b1693950c865eea393c000b58

SHA1
a21ad807cb2de4c7c74b92c5f124757de9d6e42c

SHA256
86c3b73cc1dc0d40655f7f46802cc9879610cea21293eef09d3647a20e7b6a8b

SHA512
be41ec4fca5eef8a06c9bdc32ee445114ca718850856c51fa0758339d96af4a8986d864d5baa71ad5d68ec3cca5f47a2fa7dd20f829f76008a754db88d2f44a4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
a5a33a8df65dd6d8bccdcb44283e4f6e

SHA1
6407879c5e2576c0fcd265ecc2ae3a5a11d043e4

SHA256
8c4eece70372edd6b25e8c4b4f7b5b50861e60b5c0032e8de87709db88cbe56a

SHA512
8df3116cebc1d804bab702dc7b9ef8df391b2412abb6739b02ea6c256d0a248c059b9a8324f973a57bef2470343658071bb7f94ee552a159db5bcc32adc57bb7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
747eda973fcbb2ab9e54abc9263d7343

SHA1
d13aa84aa715153bcf1768c9e4e2b576e9f8dea1

SHA256
155947e04f8fcb8643b0a5cee85d8eb8571b61d2e0b3d646b6a213d767e7fa13

SHA512
3229287d3c53a4243563fd0ce6d2bf4d25013a1a4b68992d470c9a45867b9a82a24b4ee36b595dedd3ebe277978c95f45b6a9eb750ceaf28d3ffdf8dd85120df

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
ac21824ebded2ea674767edf3df25355

SHA1
8f1ec8b301eaa94386f20aa860696eb9d4520205

SHA256
3c32244009e7e107d6545f647d58b702905d7dcfaa3d8d49ac947ec729cbccc6

SHA512
ec7437654f5c0d0a6ab0d5b95d46529555f49e01f7e5b10419d2be7d8e3ca8dcd4a4f145fd68db467db5daeff56fa9f290e78a0b6db1d8c3ea26134bb37f9d82

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
58b02b6d5b22f52068fe435ceb179b8d

SHA1
3d3156bfadacf3322449470b65ea773ea6369fed

SHA256
82f77dd2b4e7dd2a221edf670a1e8aa27fc66fcef676d56c85a4ce18a47e757e

SHA512
40ac7a361f011cf807210eb210c576c746313ea7985f2201fa905c0ad627cdf51b044a96e3b0b53362fcb92095190f437ddefa8e4d4d7a9334f10f0d8d46b518

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
54ae6f334ee015432b97ae7a91bd7aa3

SHA1
a125b3bf4de0302b880840ec45be00eb123c33f5

SHA256
177bfa3df93d3410026ff47a3288e786bda213dbfdd7806acae1b243c3a6ea22

SHA512
22300563fbeccccc67802866bb125e53f9730865506025bf2edc1e3c6e16fb1f98c9e1485369b04d3aedf5da4c6902e6e484d9d6ae0172974cb80bafefb8dfd0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
bea71eccb11136ef6fa91f0d55620f95

SHA1
38e9e17464998cf4485596db4cf8834fcd351b7c

SHA256
7f6051d93e3cdedc55e5e4c1a286e566d5b6c2db269b7b7c4b4fad4ed2c04a40

SHA512
776c331b72f74796732e4ad1cd98cf7ea2e29ae8c3eba11fcbc37d599ae5cebeebc0fe06bf7ffa7e9746b5315b40e1cbc5f4511859708dc175d33e2137f70639

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
d150f1b5822b8a03b011a6f168b38779

SHA1
5328737ad28434b54370748d83e570c9546a057e

SHA256
2fdf44ed4fe8f225fbfb367b0c81c0ff270f6795f4448203f48d27f0f4ecd371

SHA512
35967d5a126dc9981bbb5231ca773ed9395d777687b9c773da74bd506fad364b439529a5d1892705fdcd400092de7a2fec3354a492fe3e96feeb8691ab5e2200

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
485d1cdfb65784bd529f84394025974c

SHA1
1896de31e5e5320706aca02021d456efdfb8d861

SHA256
67482d1c063eca8582f622f85c7c65e025d88c6f8c2f01d454a00492745b176f

SHA512
654cce1923f265d56d35341d7382055164cb734f4b8b2ba1fb1edfe9fb6d9d104f9ae45f839a6a4fae97b89869bd7c0741c991b181ea9c65ca4b07616d4e33b9

Download Submit
memory/372-147-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/372-139-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/372-205-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/784-162-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/784-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/784-218-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1148-208-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1148-215-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1148-274-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1616-19-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1616-12-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1616-76-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1616-11-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1836-296-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/1836-288-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2072-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2072-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2072-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2072-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2196-6-0x0000000003D60000-0x0000000003DC7000-memory.dmp

Filesize
412KB

Download
memory/2196-2-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2196-68-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2196-0-0x0000000003D60000-0x0000000003DC7000-memory.dmp

Filesize
412KB

Download
memory/2264-283-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2264-278-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2284-193-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2284-262-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2284-201-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2720-93-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2720-101-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2720-160-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2720-167-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2720-96-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3044-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3044-233-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3044-232-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3044-228-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3200-37-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/3200-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3200-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3200-49-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/3200-45-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/3344-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3344-189-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3344-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3480-59-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3480-52-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3480-51-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3480-122-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3632-270-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3632-264-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3884-26-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3884-94-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3884-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3884-33-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4060-137-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4320-258-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4320-249-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4348-169-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4348-176-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4348-235-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4392-84-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4392-79-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4392-77-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4392-91-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4392-87-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4468-445-0x00000223AFA10000-0x00000223AFA20000-memory.dmp

Filesize
64KB

Download
memory/4832-174-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4832-111-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4832-119-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4928-125-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4928-188-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4928-132-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5000-415-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5000-237-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5000-244-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download