6598e9a6982d7939e146616d6e22777698c385e0727dc6a3ed67ebc8b98e27a0

Analysis

max time kernel
151s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
Size

24.3MB
MD5

2a8990659fd591fcbfd9fb23ea9ac3f9
SHA1

aa95c4bbb10039828a68c362d227a28af5ffebc7
SHA256

6598e9a6982d7939e146616d6e22777698c385e0727dc6a3ed67ebc8b98e27a0
SHA512

06875073141d504a6a8f0dd42462306980b3e7dde8325983b6919d3a95ca4ad4c95a1d519efdfc99bef5c6e5a4d03b2a651d36709016cbf13f319fc552f8c915
SSDEEP

196608:9P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018OIm:9PboGX8a/jWWu3cI2D/cWcls1e

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3656	alg.exe
1028	DiagnosticsHub.StandardCollector.Service.exe
1216	fxssvc.exe
964	elevation_service.exe
1728	elevation_service.exe
2156	maintenanceservice.exe
4308	msdtc.exe
3640	OSE.EXE
3448	PerceptionSimulationService.exe
788	perfhost.exe
2344	locator.exe
8	SensorDataService.exe
2528	snmptrap.exe
2808	spectrum.exe
888	ssh-agent.exe
3880	TieringEngineService.exe
2056	AgentService.exe
4836	vds.exe
4440	vssvc.exe
3976	wbengine.exe
4120	WmiApSrv.exe
2324	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\71d6481db3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd822a373f96da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064cb95373f96da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000693965383f96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009fb0013a3f96da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000616412423f96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096e1ee393f96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000817560383f96da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000013122433f96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	1216	fxssvc.exe
Token: SeRestorePrivilege	3880	TieringEngineService.exe
Token: SeManageVolumePrivilege	3880	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2056	AgentService.exe
Token: SeBackupPrivilege	4440	vssvc.exe
Token: SeRestorePrivilege	4440	vssvc.exe
Token: SeAuditPrivilege	4440	vssvc.exe
Token: SeBackupPrivilege	3976	wbengine.exe
Token: SeRestorePrivilege	3976	wbengine.exe
Token: SeSecurityPrivilege	3976	wbengine.exe
Token: 33	2324	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeDebugPrivilege	1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1384	2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3656	alg.exe
Token: SeDebugPrivilege	3656	alg.exe
Token: SeDebugPrivilege	3656	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 5220	2324	SearchIndexer.exe	120
PID 2324 wrote to memory of 5220	2324	SearchIndexer.exe	120
PID 2324 wrote to memory of 5260	2324	SearchIndexer.exe	121
PID 2324 wrote to memory of 5260	2324	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_2a8990659fd591fcbfd9fb23ea9ac3f9_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4652

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1728

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4308

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3640

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3448

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:788

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:8

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2808

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:820

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4120

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5220
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:5584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
bc326d152b7cfa2a073750fca752405c

SHA1
201efd5558a13d5979b245b0398ebf144a8da8fc

SHA256
1a765bd611c2364972b0f47f3a9ef3cc6e135a6f555d70a1ce36299d7e559b99

SHA512
1eac3789d7b93aca8ba03362e9da0aa4690f1509eeceb94ab6688cdd358513445eb30316765356c6c59210df01eee642bd07e17cc4c7ea5476ac66951e993b70

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
ca0ac60c7613336ea07d5396c6431da2

SHA1
70273df131ebe5ae51591c2fd59cbd1c5412bb63

SHA256
6eaecdfa903b43bb221ba2950fb12a4d5cd3711c362ab16851f636ed150b1b03

SHA512
039f1f52926e3053e444588bf1dc50e2b19d8b820ea8b5d3b08fa559c0c596a9cbe598def1e60597011ee0c6b9f25fc2cb71252a41b32151cfbed076c9af93c6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
613bf9eade3be3947b9ff5fb00796bd0

SHA1
17a971e703b3e02393b4928f6c18b946dcce767f

SHA256
9f8b9dbc0dfb646e8871bc96d7e1b4ffc8788320a6639b2aa860516aa488c547

SHA512
71e583bd87146954dca91ea40d3ae4c406cb3dc5f5a1c3633a27a471ba1b3673cac0e89fde9e5716210759bef404d52d016ecf06d1150cdbcd08b8073dcdc393

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c39eb68ca6ec7559799c48b4e0ec52c4

SHA1
3e6e9c542d6a50ee291bffb9d95323e900a4f371

SHA256
86789ba6010afc95a7d46cd4c0b8d9c907828e0035b3ad4a21d89bd5c8dbb7a6

SHA512
cf4ded519d604dd657b58d38aca1945036d42550c509f6198e43225ca67bd9198a779f0ec40bf125601abc0fd36d34c27a6c2c899b55ee6c2762de2841cb4960

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0c053c7450b33768afb9215fa1affec5

SHA1
32dc80e0715c44d4de95634cd9fa0cccc2023f43

SHA256
c42159c7cd4c849ef8fd17347526963d08c25e6381dedad2119ebb69c504ffee

SHA512
19db61cc0e3df59ad07735e992bd806be2f42e501e4a65f1d62e252a5184e803a550476a726518fa3a761750433e77ed19c7357a0439887f85a772a8f50d922b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
09aba227fcfb098d5ea3a81240c6fe81

SHA1
bedde7d65092f2729ada9cecacf43aedbd9f8fb1

SHA256
56252dfbc28ece9caddbe1a15adc5ee723ea62e1e855229219ed4bc2df4a5947

SHA512
d24498fd3c9bce4112077ee8b0e78fdbdc1531c3b11b6ee36b4495abc567bec845bda0471de0a1152de2a50b2b50e07ebaac081e31b526b4c8b8ceabb19944a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
359a9ccb98b7a4fde54f4ccf51776b6d

SHA1
f98baf6b99ae7430bd5ef393463f1e60f02ee8bc

SHA256
1c1d01036182c5de584ce9066acd2fc3bc1965a66a67072ad19bbadc7345a334

SHA512
b055aeadaf6ae6e3e231a17dcd139e5dccde6f37751caa9fe89a935294e10cacdcbae0df6f200b63e6575c5c17cb1c756cab3b7135079c4c2764ed094489c303

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b4a5ba2cfb01b91969057b2ce9eae83f

SHA1
b1ed78e26ce637652ef2706b44e5ccc8fce7718f

SHA256
c13c8e8c28f7f7ba38a339ec78fbab127d733d3840272b673bd9cf786a4e103f

SHA512
74de173440f368cb772337cb039a563a4592e558c00d466acdf29443a1ae5f75a7212a20087ea11427191f545d619f725e4b6a74b26975164ee971e25eaa774f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
3a5f27442d426c462d19b65c1116f9d5

SHA1
94158433e35ef59118cc6612f2e81b1c26008b52

SHA256
4efd35b9e11ed24d061d989ce352511f47faa910692aaa4ffd825fb5739be68d

SHA512
1c8245b210275665352394cccd8b943845ce4f7db811d34c6a27c08bf67059e2f4b883100dea4b56cc03ef1b0515de9cd93b17c7a90cc51933d3dcbc387e34e7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9f979d02d9b674d5632930a65cbacbd4

SHA1
c7d421e050fcc85cf2493bb94c8a656175116ce4

SHA256
59fd3178cbde8c7c37034cb3081d8b87bd1f53e0ab146f55458333c4db7b40cc

SHA512
06e2d865081c3ebedc5964904151979b0da796f033e5dc9d77907df3996b8fbf171cd78315796f31a34b1b5c797750d52a8e39cec51fa351690ec553d87cbb64

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ab45f87cd8dcf793bfb0b0a77e2df673

SHA1
30b06fc7783af0f88661379058cfe094cc30627c

SHA256
6b2667fd64b9873981386d8e306d0c4ecc471a6d1f457595bf41861bdc3cf0d2

SHA512
17311e3fdf6fac12c6ddf8da2825ace73030f3cb22ef48198c872d869b2954dfacd3f6f875c09e0d0f6e5995f4f4c26d981818a11e543816e4cff2ad003582f8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
63d783f641df83979dd126e9de813078

SHA1
077247cac9740f88a50b7a20caf7e30a9078d509

SHA256
a68251b55ebd5393142681e0a8049fb5f4c5ec3a329d5810e65a1c0b9faac370

SHA512
6271010198e9b1c5a7a33bca8e335f41a635935b5685646829294e9b54e3af39cee59d267ef95440b2e1e0181ceb52d17de8f54a8e366d8ed3d9830820a3cf21

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
4af8ec89406001979095bd70a08982e6

SHA1
6309f32ecb3eabd3db1bad1cd16b10e709383e69

SHA256
98b129780a18ebece640b52639313fe8490b5b1c6e58403a4976c3b1d2b174c7

SHA512
509d053b86fe276e4c28f69963e2217f5c930fcc3d050b680d36cb09dff1987d246f20e799872b4964bf5cea8ed6fc01739626647e5aa19bfb9838f52dff5eeb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
5dfcc62e80a0b80567141a1c18e680b3

SHA1
5b038fb8d78a03aa5f8469ad5f33899a8ef3f9fa

SHA256
87643c227d9deed56022bcab64b892600d28987597ead781183a18baaad5e33e

SHA512
671a685cbf6cbb6c699d239e2115402cd1a0fa7a58f1380fc5f51a331a674a058a500ce45896c496ea7a08817fcf33a852ccb8b06c2f4ab832e309c2bd7e20b8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
bb2509a22a1fc0715ee6be2bf12d83c5

SHA1
e8569a813614f11bbffe55297005ec6d183bd299

SHA256
b6cf24eeddd2a10198bb221000ee660cb8958d237f4b874a5e6b9eddbe9c88ff

SHA512
2f1876f0c43dd608664480069d6d88618c969133a04bac61f357f74f041a71487881430ab16f7e8e641ae932c9500def7c9a8a862a8570ba971c486ce3e6bb3f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
9ad0f266b96949067de0dac81f444a79

SHA1
9f4cd308e9255aae8f0a4b8b907928fc912943ea

SHA256
7ee2e66ab16720e688a9515347e6a3122421e4bc02ed6c827d702b58e636abb1

SHA512
03ef08478a97b5032a53522fec06078decc0ddb6d011319cba2486723aaaf47406fe88f0a2544d4c1f8a2c2852fb3cb438554738fccea8e1a5ba94c0026f4904

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
e123a7293d0026004e6e9a4c9113d629

SHA1
b755201f879fe85ded148f600e4f17e10955abfd

SHA256
a387644fd3aa04d5a03a668d2b51badad3eff34b372f408ca6fe719298d5117b

SHA512
80b6d28d055140a708d3170086d80c13abae3c51feb12e8effcb492af57d5883dccd04c6c41185ca2b9d00bd48bfec7280613c3595ca5602dcdece77439c6cc9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
89f8868c66e3a1d417687c2351687c94

SHA1
528db197c7d6b4c1f8a4cceb0b4f9ea54b63bf5c

SHA256
315304e2faa168e8b2979034426d368c8e44c7a0fddb2d863355c171f4b219e1

SHA512
8450a0ff6660ec8a61197041cda93196a2ff832679f933839eb3fe1ea21df59cbce4d8e261271a298039091f758657eee75b58dae36667a4be68ab5cc0d933c8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
38f95c5daea492f574e7483978d005d1

SHA1
a0c6394876699f5968bfdfd0f963fc799e9c5fa6

SHA256
3fb6f14b7fa0210c1e59e4cede5f27c25818c5a78edfa17436f221d04870f905

SHA512
72ebb39d559afe59d167937186018b12f4b2e0b7d6820c041bff33bdae0d69ab4adf2ecb7d25cd29a0eee2e38b5b363ec12986f86a70927408759ca8492a0532

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
699babb6c70918f0a973aceab3a0331f

SHA1
957a5d0f085dd5eab8977c29e564f9953c61f048

SHA256
8e4a6636c0e1fcc97e39da391ce260fb7d3962117f9a807a1e1e8c5ad20f80a2

SHA512
6e904eee040f03809b377a4815ccc54804ae359dfd1117dfdb96dd49e4bcfbf47dc382d00ea3a167744c346e1595b6c340c1e5a623e5b044f5da90f7347515e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
62e87f05b67abf9a1efcff786ac62872

SHA1
954fcc5408d76f155dd60ca2c1bf304fceb5c6a5

SHA256
e527ab92d5385f34e7c2ad58f1a35d4339ed78821d1aad600db11e5e7c2033a5

SHA512
41fd343ef700d58ccfea14a3804b91ef1b5cbe241ce495973fe1b4dbf9277c2180e5cfdfda96764f8abd8791781a1efde95c5c162893e81f7c961b437b4cc07e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
206ce2b383595eefb3cbc868da8a968a

SHA1
4fc3dfb578a4adbafaefcf5196e978ace0e4d48a

SHA256
39b784cf75b0148d5954020d030d32a61937e598f9446668cfef11b3544d3522

SHA512
7805d2bbee7fc19d54fd6813ebb4bf7f893b63db1255d8b90cb1cf3058742906bc4c153335ac4c6d90190820cae8e1cb99dfa6d17c499ff63d8eeb9fd47ed57e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
b0a2f8f019400708cc1765a439e79558

SHA1
4e2d4550c8b0b7eaf5e1f8478d0cbbadab213994

SHA256
e9116b913043eeea9346e3e2113271a6efc75a8d7e7b77f87fa2f422fe068a30

SHA512
46650d1a39ebf23f507a13ba0d49326f2009b62f5d12ce6d7132f77f4aff7e34e31d2763c99f2d4673f91118b796edef5cd1f6986dea860357afe3155c70bf7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
3c5e873ce3b879a8e5b8b68a3cfacd41

SHA1
ef860e234033a7f4363f82358b51063345e5206d

SHA256
884a2e7ee78cca77bf8e61c99ca0d6ef87fd68a7fe17d8926182530ba48426fe

SHA512
2a1c139b959436b96e68fa28f0e55069081f922a17a48c404c2d8251deefc71e3a4e93b11520b178ce5aaa55bc61080948336295cd19df97708dad9c70a20aef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
f62a1cf4f76e4f7d805fef6f68c6c47c

SHA1
b649a2c4aa3f59f5a3b31f9eb8cf1066f658c237

SHA256
9194fffaa10ac139a50aa34a8894b127d2a38948f40bde8295e83f1a30de96e3

SHA512
8c2e7c04a119270b615daa5d322e64bf3126f106cc61b7e0d27d8953aa2d99a87281fa3f56dc590daf0ac9dceabfe75dcaa491a1c40de125cc9602d5979800e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
0172a8b2f913663f477f15c08b0e33a9

SHA1
3200d76a01a811169e4b00249a4f28eb124d8b9b

SHA256
0247cc31087c9a8139651aa2a3c7cbf20247b4e9e337262d7cc6eca70aecda9a

SHA512
835af33dfb91cc20b64968b5d2532459b9dde6f8ba51f7b669b859a2a0f178babbeca3056d9ceae464274c786dc412763f7f7529eb2ba5def6d738da4c12faf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
a217848c264022f49ca5cf6796f89914

SHA1
22b7a7cfb3b130c8732db2ef24f4f5757d8eb842

SHA256
510b2cd5445dc4953126d5c31c3de0bd3c82af2fbb7fc6c8803b9e3b250cb710

SHA512
7941b412c5f907ee21a134ee23171f9d234a3e40b155cc95a30da438c13da6bbb74230e8fd1741844a2b4f6ca8c20e545bbf8ccff90748f075a2fe5d2b2036b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
06dd6d18b84bae075f207682005a2ca1

SHA1
77cdf0a1c1436821b75bc3c82f810028318db895

SHA256
b022ecd4bf91ef1623948287681103a953e5f06be91cf1ac01b209a3bb078e80

SHA512
6f06358a796814c1862a13fe17252ce82509acfe8c05a29d2a990ec31be3b0452838c8c6011c0c0f7fa7c0f4147d12c5a919c48001f6f1c286e1a4ccc2db6acf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
30b395972d345adfeed83585bd26786a

SHA1
aef61c55320c75066da491639507edbb9b72c92c

SHA256
43fa7ad1fd98e84755ab5674d6d4e9dfe4dcc85e83b9d09cfda4492728833a10

SHA512
6a58d593d0c2466f4e374fe89b5fc189be213e62e0ce61e201a748db9282037003b48d3705c52797a7733302cd5f91161dcc3cec480c534fa3404946dc3e83b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
16fd7edbf6e02c17235802bd884a06ea

SHA1
ee25133dd79c28fb91a411be8a929dec067a5fa4

SHA256
22f99d2619a323460a352cc3f8c7e4adf9d8ffc0d59d59c59d14ce54458a6d90

SHA512
19ec22bef91afb3ea5a0c6cc4e4dc93f4662b6215b2919afd25eb98cd5b4f28d4a0dd535781e1cffc90ba9d5325cade6d8f8c6d7f6751845610b4e3aef059927

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
30335fd8661a1ef38735a11740d17036

SHA1
e2ea4a6fefcd5e99c4684bfa073ee43de971eec0

SHA256
989e20144d3f20c371ec6fb00434c78e1bcb90bf6e36602943de570a9b3a98bf

SHA512
f232175f38020309ea3dbaec0b700ce72dea557b16d60fbc0073703820f0c242966349448942bde1401cd01d3df8ae24c1c6e243de7cd38587c36749e8f035b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
828bab5df16dc74c13eae1014f89a6ad

SHA1
51a3056f57490ba3300bdb036afee79312261d8c

SHA256
1c0cc621fe352066fb6e002e36ae5bafcb0f9e976c4890474838a56f0190cceb

SHA512
09863ab37239458b985d7f583fd4f5f85e001351593ca9e8e2b0d11d2b3fcd0d789bd0ef22a808ed5cc8646b3a2dabb04cd4213cb8f749ff3cf19fce03ad19f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
0267ecb95b7e7b02a548362d2d62f05a

SHA1
ace23cd5b57d352c73c2f1d0cdf1c42605052037

SHA256
5a46da8d9e88e7cf061b467c2871f2b8168ee599d593254ba9a9042b50144f39

SHA512
70b561c0fb4b8848c277783024a79de7a048a613b4b288662c67fee0b5ac6485fbff48ca6426b3f1372433a35524ffae2e45659c997dada3518996df3e63c1c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
03417aaf2ea94d298ea03ad8249bba9b

SHA1
8d3cf16e419449e2d708cadd4dbdde067755a49c

SHA256
524c26241222f49c310d923f5c4c45f3d50e997ef7e6a5c5ccaf255a0df32a8a

SHA512
bdd8053248f71d39a90a4ad6a301c8a928fbeae2d6071f76bc94c4e6f802c462cc235b5cc5a1aac9c0458405ce2e8af90e312cbab320ad3c4423771b45de30fa

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
70b3c29100f1630b935a26a337755aa3

SHA1
518a53bb3878b03d6d181db95b99ab528d28f93a

SHA256
8d9d8748ac18b8b83ac198098d39b13dca09a55fd4b62f872c9c3a4df9fae392

SHA512
15c83916f938f6420d666a5adea2baee0c5d6c07451ba8206eb581a045eb91dc7480a85abb2820fa882de1048a4fe8dc12ee9aca328106981fd7601033e249e5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
01b2e4db62b3e4400ab423b32943ddfc

SHA1
40cf56944e5ae21119ff53044eefedf0c8089728

SHA256
ca83cfe818ad9d03cd37635cabeae4dec23ac5b7682d135027e9e074810d96b1

SHA512
ca24003e5f916cd84865615cbb96af1c1c3ef926e4f37b6994da94353e4fbe296220c76a3f641c50499f023b8306030dccf48c3ac6e21f780405a62bb68f9419

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
12d78af866920bf4893a0fb452c99773

SHA1
6f9cb807868dd2435ca08e2fcdb8cf202e11bdcb

SHA256
15136e724dbbb19e5da03b4f1e25635bafdbc8964af53302e126bd2e3599cd34

SHA512
b72d2e8495ff7377463adf30bb55db6c7aab6452021d814e2667ce62141217eda5b9327fcb961e159ce5fc037d4406ca56dc48ada01f62b2662f52b3546660d9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9a07227b01007d76fde004603c0fb8e8

SHA1
ac9631a32c836448c4a10fd93ef24b08912d265f

SHA256
df0b74f8f7e18be279708bb208da08c49ce9813e2ed63041adac5855651b2689

SHA512
f4c2a8fed2cf9dd5332701005f18bf71832e731c535ee39d22fa216f56fb7c6187ebf85490d599c9a679b5390c416f5b22a9455f4a25273f23a94e39095be40c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
9e5ecff0e3646963c4ba394e34ad037b

SHA1
eebe025c5c4431b583baa460f63cfb3d0a6df508

SHA256
a79bd2e66f0de1980cddea58e8dd7e9b321c8a3ec89cce2fe38e3f97c17a0d5c

SHA512
de6323e22a4ff758120573ac265f5dc207d86d8a8c02d5219dab66b1d3566b1b6c206c5ed1a5a1844fda635fb0cbd7029614e05dc59ce49ee521cb609739f0b4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d13651b6bdfa70cef2e96392fd3df3f5

SHA1
2fe7ff57b4b1431c8235e88b7fb1c551cc763d89

SHA256
00813bbdc4fa953b45f6c12979b43b6ffb791dabe86b8ff69559f4f5b8add482

SHA512
aeb395eee2642a9c360a89fcc7670451bcabd00f53f63a4eafc4a168e5fc91c60f5c2ed37a64375b1a44e2e71aedbe2e6e04e8fc0576e74c8f6e13b920e55f09

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
8a04053b85808f930edef5d8ebfdf57a

SHA1
3114715c371b42c9d3cadd66fc1d654613e1246f

SHA256
b986dd989e38c59e6dca2a430b4cbb6013ec30ea8fbe81eaed2ef750eb549171

SHA512
830e5874f1c15cd3639a2d9c28bd2bc4a7efd4cd680b680d66a7967cb22b7fc2b0d54e5778585f0dd889c497447fbc0ce6183fdb4febe2868fc3077b3072afbb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
c456d82cddb739ac2c2d6e7364978b38

SHA1
cb392fb3a31e294972dcbe010792c39f0903cf90

SHA256
7cdf471496c08144857ad5ca3d0369213339cdc0ddc7d3505f8dee83bcda47f2

SHA512
6588a552b7df83201d6adddb0e81bdd0b1c18b432d771cc099823268c6b859b929b1984a81417a49bad3440ea825cc897d22a9964e80e37acddbb27e2314d2b0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
5e6b1ce0e9622adcbeeeb59a3a4ef7c9

SHA1
410718a9670f4da7364534e901426f84f1d130fc

SHA256
2598751dd70c52791cd6e328faf9da50fac5cc9b0c59a2e7382a2c2e95d13c42

SHA512
71d1166d18ee02332ca98be27182c5475ff4a7088d75659aea13d63c92afef47efd29f418e638d84254607c8bc82bca69951d942d59b8618a65e0a7c71dffece

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5f08f4df86d78492a104f10c165c6c4b

SHA1
2fbe9cb55094f3c7287b8da48525a371cc98956f

SHA256
e28a979dafbc77112652bbaae3ed10d9be6db4e1b110dfdb7b91f216428e1dc4

SHA512
f041a525a0c2319617f926d30c69829b2107b6c94527727fb840fe765345dd72ae34c0f2c869a86bed432a184c99d39e865df89474799bdf051fa3b1cacc28d6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d0fe13a5df41730417248ad60331c228

SHA1
c46737c6adc9df65e355874c9ee6197cd247401a

SHA256
151a7aa062913d761ceca22f976ba52054530714ecb696a3480f2532c1bac4e5

SHA512
f58979460b995c8a3d1e05c5b60b3a2cb76f659f5498dbed832c566a1341952fe30a300ccb87c18ca42032415ec031aca6aba5160f5ca4f375088ed2cf562dda

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
46793c0d0b29ed34903f9d2aa82205e1

SHA1
2032fd40e9024ea550aa3cc380e47f964638a0ac

SHA256
e02d7c9dd8bb1d877aea0bf63764895c48f634a378d7d77deb7a50d5f81ae93b

SHA512
aacd505476282e04249a3af0ef56701aa137ddbf259d20208b6cedec88fd4c3a3ed7ad42e09ec867369e69df00eab28150e85087dfcd2a1ed48ec468711e242d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
82c9d59a897794daf130b11f5e0e1597

SHA1
2ecce6b3f26a32517580c359f25c22f558b939a9

SHA256
527494129b930155314b7e96878c4591d98d775c92a80f79be71b8d0ca2e5a4f

SHA512
1d6ab180ec3ad86a405fe521c64eed2775f7e3865e1ed5d72ef4fd2c666c8ff326f3b83859b49c6f95f935f10dc5695433c02db2ea4e25ca85c14fb3307f1852

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ba2bd8b9f686fcb368e5e5ccb5695acd

SHA1
8b74d48b8a500c2e52379e9b59aa3e41bbba71a9

SHA256
da74ba334c049821efb7cf1bc99ea1466a93ac2e684bdea3d7171120ca843b85

SHA512
6740968aed99c9ac77901435eacc0163639e3c7a5ee71c695347711d188a173769510eec133733ffa872805c5d16c0e1cedf325c9d8d8838a097ce024e040618

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
e4ee94cabeb771a1deb9e2829924d74a

SHA1
f198340b79669dabab63b65e5c9b1d186bb314aa

SHA256
512d50bf55ef3b0d6608fa90b9bb963b4fce53cf1fe4dabb379c169fefeaa9e1

SHA512
74fa41b81fae6dd8773c73124018179f451523ce50486cd272e507bb7b67eaae152ad1e13cd636057398ba574bc625ad0f68da0a8e0a16aab91013ac4935a221

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
4f50758f1baa3218a71ede73d10e3819

SHA1
e7002467de142ed1e89cadf7052ecae8049bbacc

SHA256
8d76022e29e1634b60e9747d03073c4553fa60adce10721c33c09a907558c282

SHA512
0883268211b3c416bc00fd1f732daae58dd6474814d233482877cee2868a0faab405128c5f8ba9574b613edfeda71af387de76d8b55681b64f4a99285acd8b10

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
1cfd4e443065b0e60da4fdacd7cd1715

SHA1
812080b93227b6a309784cfc96b890981b53b00e

SHA256
b2c4597362e9c7aec98dc7d2412d415a22068c99453b296ec5e58c348581c434

SHA512
71ddd54d1deb4a5c255d92743ad1dba348ee4d678fa18acc8007b517b8759653d7c4964a89b410b49bea763bb5a48b2b61f80013ade81fc97fe3b1395e4c57f5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d6da00f032b86845a8264017aae441dc

SHA1
9f89c2dfa02fee815456255b8cc9eed21e26bef1

SHA256
a6bbf65015e92671f562897278d351a841af857072eedde53e5f4f9f8494bf85

SHA512
65933751176bdbc427ee0435bbe565cea6f4794b35c3527b78a187b1f3b23fbd324a7bc63c5685473a954c4dae09df6616f181704de747d4063b29236be69c31

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
379936e2851c9b1a84c0eb79842d3c73

SHA1
91e6dd620a32a22896fe4c7e41c35c2ea3485628

SHA256
bad27381c5103b1c0d7b95181cce7571b73a56e693846b44ab5d85260a532da3

SHA512
4e8ba1c2fa9d577516e0a0f4c887c911c7d627d7524a7bd5612514a820ee771b3808ce3069eec84bb17027fdad58f0b4ea8c241bb19d445f0f996dcda5b51fad

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
764c0c9b484e74e0382677368fd19201

SHA1
90b7aa3b1e4e23f68aeb8294bbb1ab2fd0ae3456

SHA256
9d9979672fdb08ac988ed5c01a4d196ce86ea2f260adc64a5636db343c0c2709

SHA512
7e138e51dc1101fe234637d7294183658067a672913b0ca14927e89e51b0a6d11c1df0d890cae081bfde0f9a2754f4d2731e7b15785385a08ae71ccd136f3fc6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0d14bbf00301903e1564b92099f4a27f

SHA1
4b64bc5582eb7ebf535a3bcb757221f9fde3e466

SHA256
158a3126742d73d7308dc89e117fbc07d6c7e38915d5ce85159a8ce92b65763f

SHA512
a976fbb7f2fee663a4e7071dc167037668dfc397f491a4861a899a4df1a22d968900f9072c663ffa80b902a496ced31e942417f2e55b92c3f69f00ff6835d98e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
6f68609c4e611354291165a328ffde0a

SHA1
2a94c2a70000b0e4c9cb019764275e72585efefa

SHA256
c20b8cbdcca3f577fe89b2bee312ac985d5866d87ac5020cf8c87a08f9d1eaf5

SHA512
3aabd00aea525f60a6b0433fe2df7b9c32bfd4fec332d9846b68e2f11258bb44357d8c84c3ce6b5bbd6657b5d5a882a4c320ba60d2123b7d37843fb0f691f3f0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
c43cca2d82ba7ad2adcd703c20c298b8

SHA1
7e2e3a752d4f3f2d10c64de27bc113badfa84b2c

SHA256
0d8cbab6bad5e69b8dcf094b890525fc9ca91f2287134cf91347e3c14f4aea5e

SHA512
95cd6585cb847d1c125cc4d4bfc604e54c2db4adf77828677cfc59bedba89f45a69ea29779b0823856d3703c58a99a616bb41d33009720d9d96f7052e4935cf8

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
87511ffea0125a04f3a433230e5c2279

SHA1
1f96a7b87f2d0e0f3bbbf36368d696f7b85eaeb2

SHA256
949a5a3550f99bab6b0b4e2426a8099af16d15409552a7fd0566ce4be73dedb9

SHA512
3db6455c0f62714b10c65beda648ff18be9ddc33795e2d542aa9bc5001ab02c074da6be1caaf2862c1b7c5103255418f1191c593285ccd8ea795a19d2ff63278

Download Submit
memory/8-158-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/8-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/8-368-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/8-370-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/8-216-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/788-197-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/788-133-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/888-199-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/888-189-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/888-259-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/964-119-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/964-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/964-53-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/964-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1028-26-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1028-90-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1028-32-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1028-25-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1216-43-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/1216-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1216-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1216-45-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/1216-37-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/1384-6-0x0000000002590000-0x00000000025F7000-memory.dmp

Filesize
412KB

Download
memory/1384-7-0x0000000002590000-0x00000000025F7000-memory.dmp

Filesize
412KB

Download
memory/1384-0-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1384-66-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1384-1-0x0000000002590000-0x00000000025F7000-memory.dmp

Filesize
412KB

Download
memory/1728-61-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/1728-129-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1728-69-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1728-68-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/2056-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2056-232-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2056-225-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2056-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2156-74-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2156-76-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/2156-87-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/2156-82-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2156-85-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2324-295-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2324-287-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2344-137-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2344-143-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2344-212-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2344-202-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2528-233-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2528-162-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2528-173-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2808-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2808-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2808-185-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3448-130-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3448-184-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3448-120-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3640-171-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3640-107-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3640-115-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3656-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3656-73-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3656-13-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3656-19-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3880-272-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/3880-204-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/3880-213-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/3976-268-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3976-261-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4120-281-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4120-274-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/4308-100-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4308-92-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4308-157-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4308-91-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4440-247-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4440-411-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4440-256-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4836-242-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4836-234-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4836-354-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download