9325a466ba28edca067e3698e2c7d6b1ae5c83f25280f81ed459601e3673ee6f

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
Size

24.3MB
MD5

0ecaecdb6f2b93a5279d6a74efcce6c6
SHA1

15f56017befb0fed0ec22d1c632873496986eefc
SHA256

9325a466ba28edca067e3698e2c7d6b1ae5c83f25280f81ed459601e3673ee6f
SHA512

2be91bfd1ceb7c5ac5c10be749d1dc7ce49985b94741fddf9f86c40f945a529ce8758bed79c821c81acb6faf5106ac796289daf224d867dbdb05b0962420a0d2
SSDEEP

196608:GP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv0181lqmX:GPboGX8a/jWWu3cI2D/cWcls1kI

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
572	alg.exe
2892	DiagnosticsHub.StandardCollector.Service.exe
4648	fxssvc.exe
1444	elevation_service.exe
5032	elevation_service.exe
556	maintenanceservice.exe
2864	msdtc.exe
2876	OSE.EXE
3336	PerceptionSimulationService.exe
1168	perfhost.exe
2836	locator.exe
408	SensorDataService.exe
1820	snmptrap.exe
1712	spectrum.exe
4492	ssh-agent.exe
1100	TieringEngineService.exe
2440	AgentService.exe
716	vds.exe
4528	vssvc.exe
4348	wbengine.exe
3196	WmiApSrv.exe
3576	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e8ffe9e4b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d99cdc3f6799da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006bd53f396799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006862a33f6799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f14b1356799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080e5a13e6799da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe

pid	process
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4648	fxssvc.exe
Token: SeRestorePrivilege	1100	TieringEngineService.exe
Token: SeManageVolumePrivilege	1100	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2440	AgentService.exe
Token: SeBackupPrivilege	4528	vssvc.exe
Token: SeRestorePrivilege	4528	vssvc.exe
Token: SeAuditPrivilege	4528	vssvc.exe
Token: SeBackupPrivilege	4348	wbengine.exe
Token: SeRestorePrivilege	4348	wbengine.exe
Token: SeSecurityPrivilege	4348	wbengine.exe
Token: 33	3576	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeDebugPrivilege	4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4752	2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	572	alg.exe
Token: SeDebugPrivilege	572	alg.exe
Token: SeDebugPrivilege	572	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3576 wrote to memory of 5368	3576	SearchIndexer.exe	SearchProtocolHost.exe
PID 3576 wrote to memory of 5368	3576	SearchIndexer.exe	SearchProtocolHost.exe
PID 3576 wrote to memory of 5396	3576	SearchIndexer.exe	SearchFilterHost.exe
PID 3576 wrote to memory of 5396	3576	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_0ecaecdb6f2b93a5279d6a74efcce6c6_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3540

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5032

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:556

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2864

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3336

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1168

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:408

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1712

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:368

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5368

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
f8af43befe1f23e174829ae3eaab06db

SHA1
af3e431a564596c2c3b957e7e8f5748b1bbb33fc

SHA256
d661010f34759c4594f555dcbb10a3ceb9c5f01f661e87a7d16f2f50c0129e88

SHA512
d52485d13b9a8316c1127106830b3db79ad24d5a77468d4f8f9fe415e007cd4fc9a540baf7dace3479711a47f8b6f4521ff9e95cc6bb3d7ced6cfb3a464b3d4c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c0f90baaec064b82c8ee464059a89c19

SHA1
d21c6562c5dc47de3d2a289bff62bb7708a4633a

SHA256
3e02d9a0f0b3efb193f5d65b2ed95930cea278582de2df96147f1481bfd06d78

SHA512
75735c236325da082fb0e9deb547d160eaa3ba04f5086700f265277c42d744e14634598770a69b084e102549130ef66a6cc2f5c24a934bbd1fc30d6870de90ee

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
5bb9897eaa0a2ca670b78411cc59b3ee

SHA1
7f649c4873bc4f0389594210a8f346bba0fb1a96

SHA256
fce808cb8d8c52d558d74eb4373c3744ec15324eb7253702928a12bdbbd0be2c

SHA512
a96dc1ad0d2ce7e68537a00c41268cd135f5008222c4ec795c728db92be117c611aec8fc41976f9bb360a6fb8fb20f3fb002a2fc3d51ac2a65cfbbc9df79b8cd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ebc6701bb1ac56c852dd51f3250cc34c

SHA1
af9b6ba8354476b27d6f838a30dc70e765c5b51b

SHA256
1f6b230a8aa1a7f7be92b478ca98a7343c788f435d44c689b6996030e0bebff8

SHA512
3235159857d089ec307b61050ffcebe26bb9f0770e4e5dd8bd4f0cee90f6b7eee8e3145b20a4449e2dd4995c37b23d38f0662bb0f4f7a8b2a50d3ba3397480a5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7252ba16989b923d4b778cb64732ea2e

SHA1
28332347883a60c1b0828499321298eb6e5a504b

SHA256
b806646536bad1dff4778603b285ccbd946c3cf58e57fb1a4e8b9fbb47c5cc89

SHA512
6466076c284d23d391fdd3df70d8fa89a86c8173d6009700f5a0834b1346b260327c9438a356d68fb3c7cf48ee54c9b39d858cf3c542ad93d551838b4741e8df

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
801eca0c7d52e2ff2bd2510a0393e1e5

SHA1
2d72b3620796570e6ba04e300fc92917f721b26b

SHA256
c4154c9825f60169b944e64ce150a0ae2ce6708f628c9281db8a2b7965b53c73

SHA512
69f8dc1ca5060ebe6a1aa6abaa0df59b371ab997b7adcbc20ba3822378bcabaaa720e15b8c155f2329afe6acce99efb9e9e3b07e9aa85df27251f6870ebd6070

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
17be8cba6f22abccaa74aaa435e57048

SHA1
8b7b4d46e1401c41351062ad7c05c539861f6575

SHA256
148e9209f434cb18edbe5cb956eaa47000e7ef73a907243183f1bf05e3aa8d45

SHA512
7aad7c9d82bdefac1dc337b7d2822b9fcb9fe65603d10632eb5ade34e11fac0f8698210d352a5af326724fad8b8eaca9861615265290364952a2f61a1c9d3f4c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
87cd2839254192deea73710ffe7f5a16

SHA1
89583f6bafaa5cb4861aee5ead95c3ebb8704561

SHA256
efafb024db75fba617247a6bd2e7d66aa5bbef3fbe53cd4b08e31fa8e5b519ed

SHA512
e8b8f27a55aa8995fc8c55b6f62b6c5dc5858d156c526a75597a315fcdd8b8608f97c9469201e6a01c78a20175445447832d56a7199d9b48eb2c54594bc3af4b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
5405fd8d837f455e9a065bbc80aff7cc

SHA1
45f3d396865f99c22a7463b223f4199b5db2d7b4

SHA256
42b653dd5d4aa67325f03f79a567dd410732231b482fed6c501576a395f54eef

SHA512
670e2055c6fb2c2988dc6a1b1ed098dcc79116441ab5d6dea9cdf2426e34a426e983c239f6442ecbc8c1926ab9768a48b5fcc246ea29eb736b92648370b4b646

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b479b15b174beb03c76090c3076203e8

SHA1
ae0aadfef8742ab852db57e8a027f20e65d8cc6f

SHA256
141193927b8178dcd8780458dccdd2751c26e1efcb82b1b984c977387d0a6f69

SHA512
350dbc1b9f232adc904a2d15face6412e62260338b8d57623305bc8018d9bcea2e93d32b8c801d4dbac28fe162181de803d9646d3d4ca596aaa1130c512e8583

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
87755b3ff15b8fccb702e83c283b33cc

SHA1
8faa2033d073231f7d1cc5cd7659a7f8425d7e41

SHA256
119670a4ea5aee9ef9c454fd3ad1a00bff503d23be6a397b4cb6b4150574af0a

SHA512
16d6ad34eac11adac0b90a2a9487923d90dd1bd791608b06ae37843e20adb4e9334fa11eaabf56298abe17fec46fb61caa85bbb9735df199c9714f945556bc6d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cbdcdcfa4272d5d65c54ffcc0b8be168

SHA1
4f5aa02e99c73cf92a981df27641c1e0adcaaae7

SHA256
222b1af9283db33d27f3d4eb091e9d93e8314a2cac6ae0971626b4a4d446d9bf

SHA512
bfb9d49044bdcbbab2ce351ad44e3e187ae3a785b66d297de60059065dcfaf7dfa9173bee3f9ce83141ae14f647ad4aab5e727d2b1aa316bb271eff582fbf47f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
7d4b0c1d7151b37a65831e77e824633c

SHA1
98e3c45dcee66f8c196822f319a032e62705fb73

SHA256
ade7d173b8852abafeccc01ebe1845e3c56bfaf31855691b356d1d220a482713

SHA512
14fbac5cff8f109e41b0196a9957612a33bc1a97d515323ac9024a409d14e3a3948723c1abbc37ba0ed29e151c55e85cb2a2423ca14408a3fbcfcbbb0b351fc1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
8e503c1a84070a71cc2a4b3a1fc72f47

SHA1
ffc8628adb5c630b697f2a93adb1b144697c798b

SHA256
9d37f4ddcf106122ebc057bc79ac1cdc61ddf242ed8576df79475170c07da00e

SHA512
56df012bb2382ffdab0508acf17b21e26915e54ee7af4f3175a9a7871200c3ae5d7f1bf6766fe55e9dc0cfe666096b58d166bb342fb341fe00091d96538a3058

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
5b34316b3299207335c193a1d23748b1

SHA1
fcbdade8674dec478f70ab7236bb7189ae165537

SHA256
a8ce3f634c2dfc6b9c4027cc5e68041bc432fa08ca16e8f311fc4906c9268240

SHA512
e0c33491d96106b50154ccb0fcce9f91790b8cad0743149d35fdf4fe9025b37bff3e9918b58b52dfbf3a647d5c925c3c3d42012a85fef09eb250aa1dd7ff580e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
cc1797471d3bd9e21951f88b1d8e1087

SHA1
8a6d1ba5845ee79e856ac0e7b70cc8f622331faa

SHA256
5ef1616932177e8919bd4e7b870f43e3200195a62d9ef10be441525580d804a6

SHA512
93f305055ebc4de54e0b76ed916545aa827ec47e093962a7ff418294732d20209e90ed892a5731b5f3a20c0401026fd3fb293ec66527277964a1652ea1f0f4c1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
7d849c058e4b165fb0688b73b5b2f57b

SHA1
586b43de35ad50f4db522e5ef94aa8cc7453afb7

SHA256
fd065fb8e521525008a25ec1651001b73c37befb55ac796ff6bcd921c34b7a3e

SHA512
75ed8a1f814ec4463c8f864d043559ce89ea4f7c74491d69c4c9551fd9eeecf9079474fd132bc2cceb1a349358ecff60632958f3eb16ae98cf62d30abb17e166

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4aefffef30c30c48e1262b1a6e4cb2d8

SHA1
9cc25341d951e7faf714c627b89560cb5d1da50a

SHA256
fdd535a8652efbab285e0b1e1313bca44700c65145432db61c70d4938d5f0db4

SHA512
b7b3917e7a6de3c3cfdbe546ae5f3afcb7836c54d1e1e3d7c6ba67a95dc841b7124c98c6f4eab2e87ad84ac0e60a43311aa9a66f9b2e900c8572ffd7604b60f4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
85fa015a0f83f44bf5c77d1afddc899f

SHA1
d1d795177334d919150d405603174da33a319814

SHA256
1a27f5796023b36fce07650f1017eaeaf039054223344f19e50ffc193df02744

SHA512
732bdee5cf73ec40278cf1d846c286aa7c38beb66ce9660598b209d81e3915080ac568a1ffe14900a6dea388257fb920a63ab7b4f331144303e938dbd7c24a65

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
6975b3f38fdb936eca68362602fe9fda

SHA1
fe0dcf1f68bede5946d454e46d3a721816a44b86

SHA256
650554d5893399eef37a472b9559c2e55c0564168dbe9a4e3d7ea312c659bb7f

SHA512
2bc84f0612bb8f883dbfe414b23a15314760fcaa093079200252bbfdda1e244d8ba78802b4986dd8f5d605db92f57439b7d8fc15c5fc26014ef6a1142e6591f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
2a5c5592e4ef2c4eb3506345a03304fd

SHA1
5f5cdd07c8d2bc9ec619b3e494b2a0d131fa5f04

SHA256
fc98dee70a2962b52ad1069099dfdb21644b3b2e19656742c0a945141532b0a1

SHA512
e4d45f33d6233097c3e5bf74377cba05aafc9793697333a1c849f66482d745a1fc53254003048bc5fa996ddd10af2ed3f05756da990b296abb59c5924f85a27a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
5267ac44ad79ba68c6f0834c691024ee

SHA1
a46050dc6e1d3ca0e14ace4edced84864ffe3125

SHA256
1f058a071868b20a820a1fb097946fc17f78bc2e556ebca9c5ac1aeafd9b1b55

SHA512
dac2debc6d09f8fe39263a1ca95fcf037259f6ab204b7fa3fce10685c7c85cea2a8b938ba6a50df14459b3a063b8e28b1f6e0cd97b784ec6263cfebe378c19dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
641a31c80b1501d5c50d58dad8369daf

SHA1
7d595379190d28f9cb922a8359afa62fbededc02

SHA256
1598c61c0f741681941ba426fb397cbcdcd3bfcabd85ef1eb117087ef507518f

SHA512
ac33faa8a7aada4986c6dd203822202d40ed3251b5f6125d334c4a6b04092d6934d6d587651cbdfc0b1d0001f3b56c1c8e02aa1225e4d7f65492ebad8bd139ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
7a1bbcf9edb25400b7542ebc94672a43

SHA1
22a94bbc2c9bd4d0a35b440c876d9fb4e85df766

SHA256
c125e6e6f64f247195ba6fd6cbd89bffa41f3ea9c3c21fe52647a8b02823d6e0

SHA512
4e101e2eb68d9f015c4826a5558b5cbe7d589a42b4d7297c42e7704f04d50cb4d0b20a559f5c93bd5ca1af58fa89c94cf57c418a11511e7c9f7bd5f1526619e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
59a6b6661ea2a5adcb0c2ecb164ec12c

SHA1
ab419b9b669d6eea7b145cff763bb88f3f4bfea1

SHA256
b6ac6c13d96d2f03a1d63de14023f430aa716f7c6df44ce320830a41cdfdb600

SHA512
152e5e9114eb41781936d1b9a5033f07bd626db854205e128921304b0bc73d35cf188246a32dbb27cbcbf07766b288b8b2c29a1a57f2b3cef905131fa5752c76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
6ecd6aa7f7f13349e1ffe81943e0e945

SHA1
a669f0e268eeda56f5830e29cb96bb3b31842d8b

SHA256
68b406c41976f0ff75368fa2b9a6e839afa667100266337cebedf14f9bc0e362

SHA512
d83377608113005740c2d3c7580b2ec432e1a43165ec019381b1615f2d679d576879505e2efd8c66c083009f551ffc374a51262ad6b4e843e2015f41af96c370

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
22109e9ca4d1eef07e3deb1cd8bb2295

SHA1
27bdc891c1fd7ec98384cc80d8fcf5a3161555dc

SHA256
8b5e387c008c56038d5befdc2e40e76dd4056c56e5d43079512fd5f33cf9a7de

SHA512
5eb0d434b6656cdab2a957b9ed6eff74dc55e989626d66c78b776a259c5a701c211159502eabe3dde99f9fa3ddfbedb19757a3a8fafd90ace845480c92ca9faf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
770edffd23e016355bb753334aa6a58f

SHA1
6258b7588e3d27980db3cd56150a8f189d2bf8c4

SHA256
9e6408f6a6f3a45600bf3ec91c2b1e29c0f81260b99a40a5c0b3fdad2dbf99b6

SHA512
2383f8d21a9b1d410c6e61e042fcd566baed4aa33921a6bb555991251e3800404c06d4035bcdf865f03d129dec78079674d90184157f6eb4579802606b73c477

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
a9756dc86b1445d0bda6724583421890

SHA1
2a29b9a2379788da33bca097bc9e114eda40bb6c

SHA256
21c3e25d93f1834f91ddc72fb6bce4a46303443a483ecd6adf07a21f37344bb7

SHA512
461142c487a0ffa4262a355decc89b0decb9197fa263d2b2b797808711717efd5b1c2ad64bc1f5beb2bd57c10b97f3fcf58d32af4a69728f09d9bbfda7f495d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
4414bc25688c6fcc56330e8e13294e2b

SHA1
95ff0bf384653d14ce5177ce9e12341e9443a850

SHA256
b1c58285b8f9def05b8760fd479502c2248374610fc72def1658461713024cb5

SHA512
a1ae28c75d822981396ad64bb5b759e6cabb6a75a433ea2295c85c42ab9009b74c03a91b409feec09a08d69d3653df9605c057bcbf95a83a6aed4fd72dd0d249

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
c4206c274b521eba3688696be286aea5

SHA1
3a3f2a215387c1f3c56af04d18d2d87fc8c784a1

SHA256
144e8507a761c08822bf0415ca3e92b81cd6ba2059224daaf858feaca997e91f

SHA512
a9f36d7baed4d173ad4f40ef7cd933869f3e5686ca7b325a987c595e57ed55286f46019528fe540b4592bdb8942668aff9707eaf357235c4e335fb9a3ee072d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
812bd31c5be16dee6a8490e3c52c9de0

SHA1
be71df4907be2504d959301f331de6f9413861a3

SHA256
3195722617afbc55b25f449bc2cb88a70ea232e98bf906def8584738d283d7f1

SHA512
8959db278ef9fd3c4c8ce8f991d60fd22cb65001e046a7bbaa74766568036174ac6dbeaa13590f04ce0aeab0b036a712830ce9429607bce6c5330d5140ff6565

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
501c3e06b6fd4dcf38acdd666ad182ec

SHA1
d17d1c945563ccc392813aa95fd2c2ff681d3079

SHA256
149bafe9ebb8aede0d257a6790c59945e83c8084e8ff085f2a7ff217778d3f00

SHA512
54b8ea9fbc075de775011b1e033a7e294f2f3f25f1d255c23bb4df3d21aad3c3990c2465a1f8a208dcb37805855c45e588e16e94297122e85101e191e1faa78d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
7607fe364d3960a131aded6e18fc657e

SHA1
febc0147d15f0c7eeda58ac918de78db0295bf48

SHA256
48ae4ee10e5c6481f1cbf787d875222850c33c7999fdfdf2b5eaa1ca7529069e

SHA512
5397ff26615461393df2ea2764e8d440ee82d4130df147491d0cc46bed16253f2dbdf568d7942d4dba0c299f6adc44c200e1c530d12984b8249a7ea62064faad

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6ca2ff1e822df4989e522339719ff514

SHA1
57e7f12111f3311df74838a281ad54208196d024

SHA256
d5cf1a6c29ef5869d84914cadcaea075bd9a2be7dcc8059342cdc7e5fe9f1425

SHA512
c6407c315f94eeb52634e74c8ef8e45bd84a4b5fc61ad8703f768b85ee90e6038669242a8ef3c1d9e670c9716f9d5a55b8a5e2bf045b16d4774550d29cf4e647

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
a0149f5688361864d43767fd81c66abc

SHA1
5707752586d6ea46cbf1bd39cee8bfa6d5969a56

SHA256
71b9b36ca8125c4a20344a129014a77ea5995a62f0271d490a287ea0b1017b5c

SHA512
927a0f216c5538c908c62efae21c7389598d8c4ef7dcc58b3b4d7b77b9a38ab3b8872447d8d45a72fb7fff81366c8bc9e1c1702c217e7a7365ab763f62ff7f7f

Download Submit
C:\Users\Admin\.node_repl_history

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
23d3bf4a7e74a227a699f6f9e6d03e71

SHA1
cf91e7f26f3f92b2265857f361cd2c6070c4a303

SHA256
eb5a344f8cce59cb4293438562bca4de6826677b11f8c6e714dc3146d834e868

SHA512
16bd314251d4237722b4e56cd9e4023237575e0f519c4d8091fead318d4b3939a3e9777ff3a4c37cf49dea15aa0acf08ad48f0fc3a60c93c08c59fee31ccb1e0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b2a9e0543e508007b4b77d65b5d25110

SHA1
70bf692b9d3dc6a99e3040565efce34b68cc9544

SHA256
740fe3fe0d891070a8999adf32347f4430d29c35b261d3382284d07778c36e0c

SHA512
1335949189ef68c42df2913e51029ad350357f74ce533fdca20682b09cc39762a7f9b5a66a53e39dfbee4341c9aa7d6be3974d1b254750350fe0e2b362632ad5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
75bef57fda4c7ce888530bf3fea86b61

SHA1
c84d08bc9e259bbd87a593b1475b14dc121ae5c5

SHA256
840a64952c5bad9303663371fd6524bc67227f64f574f03878a39bfedd874dfc

SHA512
30462c0ab72c0222aedb63126f0e01a17d9613f5a363f884f4bcb3e83d1d217f22ca5f50a28a67c214e983a3024d560aeccf58573d92922e1f522b065813f4d2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c5f9be0657432a6db8c5d1fb4e585e72

SHA1
2740cf4bd75604ace7e52116110dcd1fef64d806

SHA256
d1ab676dae0ada41529b905a799a01194f8d16a042004677237b2826fcd0e895

SHA512
c66ea5d130e6cdd0287578e08f519bcba490cbdd49a27ced99574a7db7b8d83c9593d160044046edbf0d87ff460bab7b9e0637df88d0bec0761907016b7d7405

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
07d0f0951c0fe7f3cd6b646f2533c21a

SHA1
0e30e5e20272c87ebd3abed75ad86656b77f34f5

SHA256
91733a5fbf4650459e906aec3d60d742223f00d828fe5f896b62cae83fa0e4f6

SHA512
53fba7e497e0ddf88c598ca60addaafbdb278af748765f5a221a2d75df224bc4ffe49d04dc8630be819fe7297d776817012eed80085346437085ff6e6a2d867f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
cf3b95033d5c73c29a8dead8ff8415fc

SHA1
75004798e471d01863dea26bb0722ca26a85348d

SHA256
43def95d2285d342761ceb1a10d65bcb8001abcc7ff7f12c35672e2f495dde25

SHA512
272b25627f916a2900f652cd14fb94c7807fb98ca7eb33eb5d7bb3e7d7ea81f38bbbd9f06a247f5d1f67099f1268b55945bc8d29a17198a9c25ab5e4c7315c6c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0e1534e20e5b01fd9edc2373376cdf5d

SHA1
2ef7c1e97858d6f4c854563f70b0a2870ead05be

SHA256
6d073e2d5a4471aca76330c2978e9afb1dcfec6d44d781e7b55b4373dbde431a

SHA512
7d5421fe2a94d6e0b1ee08b494d940984b0343db1612b77c4055b27c32c5c2c68a5a84521a9754c35ef885ad86f6497b13c84c0db736c28d280bf9e251a1ebee

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fdbe317ea16b04ec92a9ced06d8a6f8f

SHA1
ea67e396100ef284d388b6d135db8fe9011063a1

SHA256
4916aed4487e49e85f6ba76a809ce735c40aab8430bd20a30681c1b087838899

SHA512
2bbba43d4aece57e97769ae6a032daa86f093954b5404ab0b047823a4a1a398c8d457e985304ccdac525065c3e3ed53fe9c9453760e32107ab6cff2cc63c86c4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bc69d1758fb5056efa25675a8c8f6eb7

SHA1
32b2a1ff6ff55f7817bb1d43fd83cb47e55971b8

SHA256
bd292227f372770889d8045f1bdfda6b9c2cd38a3ba2b24cd0b3995fa679ea40

SHA512
d5418749be93ab92719fad9d22c396ea52f527e7e219d38079652e272293ec281a05b485f820f453f934e9eecb0beb524f612c9faea570dedaa17cb0ef7e2f78

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c062840e37971fb0e4daf41405b1fca5

SHA1
2e01b8dba25c7d8f20ac761d6a9ed96fc739648a

SHA256
50271abfa8af23fde32e3529d3a787011c4e6fc576773b07886734def5ccb2fc

SHA512
13b950ebbd64130fb6921ab06e735e1f12194414fe32d19bb1a8dc28ad935e9f815bba381675996213c718c11d4183d3e7ca7c35f83718d78090ca5616d7c097

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
5cf379372e208a018637e06c0a92b9d1

SHA1
4bcfeeb3455b3e513c8d6af432a48acae1f95ed6

SHA256
9b2bd3eb8f1782932feb7caf49bf82c9c110a95e9db54dec02adb4a4469a7d55

SHA512
eb46ed788fd8abb98e17944c40fde76a73aea7673b88dc56d15035ace9dc37691b3b9c2d9a81d37f25a895b3c8df799bfba04d31e2f408efe6a75bdcdb88e740

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5797448197f6f2ce1d0172986b03e4a4

SHA1
fcc931817a22af8510445abef96f44392a251bac

SHA256
383456a61155bc28919906b8b00f9ddaf1c9f003bfd3db0ae51cb95287d3f531

SHA512
5e5552d05ed0da1f8986f3966173ea29ce1df2b56102b8bef99359195b140fb2d2c26604601c480b35776695cc491e37ed5828d2b92b4cf5af1cce2de082d5ad

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
01af35bd6ae41df3c9a020cbd869730c

SHA1
8a62569ada2f264b7622f79497b6924de5046d96

SHA256
1d3a75c51bad09c929b8a8252b901f2658a1dc8423f5f15fdcfd1b6d8289cab6

SHA512
b714d4cc9289db9d2454309b29ef2d12a6e49b5ac0a9cb9647cb28627cf45d7b9a8f0b134b8b211fc72ed4efde0ef63bff1fe89e6853745aee5344a6b11d5ee1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c210ad196db8b457aa143dd1df28bd5e

SHA1
b87297a007b48454b7ab6c4856f4036552394e38

SHA256
eb4c5e04c06de3a9e57237f09839104e3c4f720c51ab66fdaf868c57a41589c7

SHA512
14a6129ad88ce797a20eec7284361a322d2a34de7354d8ba85f11551982dd9906e04ac1a03733460d3e461fbe257c1754defe245879f7e5ac6ac6df78166bdfc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f80514354c8673ebd4984c09aee8f51f

SHA1
c05768424e2e60e6b52d61e1b3fa375dac428233

SHA256
1564a3aa61b7c0613a88cbecd4102087294e9e5d2ee6bbd161d358d44344a796

SHA512
e7e9ed5e5079cac292e8d78575eb9755944a635ad58ff64e3582d562036a1992a4281851f3a764b0a5fc399124f1868c78404e491962888902af629298e108cc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
62c59c61204e8e09d61d241cbe3a3c64

SHA1
eb9d33b327e3da42372068ab54e0fddefc2bcf18

SHA256
b5ff213bab4a2b080ea8449f60925d14134fe8e46c9a1d9a834e229514a2c9e1

SHA512
7ac3c021f9a4b155ef77cbc491831a35edb0766dfcad824e805c954b07ac4fb1b66c0e2315c4856d54ccf129368db96c930ac8208e60588a4b3bad8a4e6b17a7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
840c8ca405a986354a41c550ec6c1bdc

SHA1
ea058321578904645c1ce837b05978ef1f81375f

SHA256
fced3177b5dc04b6a47ae620027c917e2627b623da52a17147cf5598286c21df

SHA512
0bc343d47884700d1b083897ef8d9ec553eecb5891733fe86458b3b4eea76a6a3dc05b458b4bd716372431f84a835c1329113dd0764b23b3ce3d9565ff686d21

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
87539c1b59b5fc8bcc622f30082b6a9a

SHA1
dc7954d87db2cea286c76f74def4ffdb6459f9b1

SHA256
4447f7e43f4de3379c423ae26e88d7ac4cd2658b45b1604a5c69437630ea295f

SHA512
bb07ce376a91744958a7c7935f5bcba653b1a0e54f6a7a56d86b4fd2011f55678638297c78e90e32b9581cf0f2f57f1e764aea8b578c9e7ed3afe55d14b915ee

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fbc67b0ffc0f546dcb99abac112825fa

SHA1
756ef1aac10ba89aefb1eea95d5f5f7595de9ca7

SHA256
bfc84001a0710db8b3c757704e4c6120acbbea4729a122e96f762d6a470cf8f0

SHA512
7833af9db2e68a79bb174ba932860d1b018a53e63d4c521c14ac3832db7159bdd6fbaead6b2002759a977fa3d7135ac46801abae039665fb5925451bc0626db8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
d24caf1dbbb709b71a8e0439832c8778

SHA1
11ebe0e73c2464c8084c5c4f20d6ebd1e9f5f08d

SHA256
328b0a36a2d53f443686c5f2fe4497cc81b849edc20c70aad3bd43e6e17aa2e3

SHA512
e7a2dff0c6f0cc6e99267dc25f94277f2fa1f0041fe1ad20f418108dd1b3ad5319829e85cc8214ea89af63a84c272fa6d1bb34a2f32388326fb3d3058fec8b53

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
4c381b08cbd7cebdc004d8722f5e0bad

SHA1
8ec0a7bf215006bc1299a86371986436d49881b5

SHA256
608fa1d8000720289ce5931c1ed343af9316dc35e15b9f42c1289ad1fdb214a4

SHA512
55ff6c3a5ca5eee519cda032770319a3e1daa4bff1c2aaa2b2399b1ed762912f29597173c2ca8bf13013ba8b6147f5fbd7e1933977bae2dd737841e30d47aa5b

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
5421b565171c3e847e7461e60e476106

SHA1
a35cde65c053b03dd4d92f1e9ba0a763453d2b24

SHA256
a9f8427bafccd8eed85d13aeedf07e2992bbfe4a6d54855d6a9d76d8e31aa97d

SHA512
de19f98e01fa7ccaa07608dfcaddc8f02076b7bac1dd6d9efd60f661d9ed410d7dcdf111affb0f146d80da5108b76da68974b27b7e22fc3214323d4d94060bc0

Download Submit
memory/408-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/408-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/408-140-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/556-73-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/556-85-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/556-80-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/556-79-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/556-83-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/572-19-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/572-21-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/572-12-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/572-100-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/716-426-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/716-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1100-403-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/1100-196-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/1168-238-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1168-126-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1444-50-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1444-58-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1444-56-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1444-163-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1712-349-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1712-164-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1820-324-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/1820-152-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/2440-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2440-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2836-250-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/2836-129-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/2864-88-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2864-199-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2864-89-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2876-109-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/2876-222-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/2892-25-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2892-31-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2892-33-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3196-453-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3196-251-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3336-226-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3336-123-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3576-264-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3576-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4348-440-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4348-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4492-177-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4492-371-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4528-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4528-436-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4648-43-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4648-46-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4648-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4648-37-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4648-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4752-70-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4752-0-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4752-7-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/4752-6-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/4752-1-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/5032-61-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/5032-67-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/5032-71-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/5032-176-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download