ef17d85714ae322ddb72aa980de6aa9d5b96c2db5ae9c9be1f01547940409d7b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
Size

24.3MB
MD5

bb9ec9fb3363c5cde7944cd4335bcb17
SHA1

42fe7f15de0e679b39fbacfa067c7254af120c72
SHA256

ef17d85714ae322ddb72aa980de6aa9d5b96c2db5ae9c9be1f01547940409d7b
SHA512

5760b24b1807adbf94fe0933230d1e478d149fe650b9ef54becdf4b35b0f858fb02b2e574926174f72cf077ccd74c7313d1f1007c1a7e981f6858421b2ed6a79
SSDEEP

196608:DP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018hTp3n:DPboGX8a/jWWu3cI2D/cWcls1ch

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3028	alg.exe
1584	DiagnosticsHub.StandardCollector.Service.exe
5048	fxssvc.exe
1756	elevation_service.exe
4976	elevation_service.exe
2536	maintenanceservice.exe
4388	msdtc.exe
1668	OSE.EXE
3292	PerceptionSimulationService.exe
3644	perfhost.exe
4940	locator.exe
3492	SensorDataService.exe
3488	snmptrap.exe
2412	spectrum.exe
628	ssh-agent.exe
4204	TieringEngineService.exe
3824	AgentService.exe
4464	vds.exe
3004	vssvc.exe
1548	wbengine.exe
2128	WmiApSrv.exe
3624	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b3550054c3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047183e9d3aa8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000937c219d3aa8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c8d0aa43aa8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013a4289d3aa8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c40459d3aa8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bf0559d3aa8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
1584	DiagnosticsHub.StandardCollector.Service.exe
1584	DiagnosticsHub.StandardCollector.Service.exe
1584	DiagnosticsHub.StandardCollector.Service.exe
1584	DiagnosticsHub.StandardCollector.Service.exe
1584	DiagnosticsHub.StandardCollector.Service.exe
1584	DiagnosticsHub.StandardCollector.Service.exe
1584	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	5048	fxssvc.exe
Token: SeRestorePrivilege	4204	TieringEngineService.exe
Token: SeManageVolumePrivilege	4204	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3824	AgentService.exe
Token: SeBackupPrivilege	3004	vssvc.exe
Token: SeRestorePrivilege	3004	vssvc.exe
Token: SeAuditPrivilege	3004	vssvc.exe
Token: SeBackupPrivilege	1548	wbengine.exe
Token: SeRestorePrivilege	1548	wbengine.exe
Token: SeSecurityPrivilege	1548	wbengine.exe
Token: 33	3624	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeDebugPrivilege	224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	224	2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1584	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 3824	3624	SearchIndexer.exe	118
PID 3624 wrote to memory of 3824	3624	SearchIndexer.exe	118
PID 3624 wrote to memory of 3324	3624	SearchIndexer.exe	119
PID 3624 wrote to memory of 3324	3624	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-17_bb9ec9fb3363c5cde7944cd4335bcb17_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3600

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1756

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4976

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4388

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1668

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3292

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3492

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2412

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1872

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2128

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3824
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e053683870e516cba601df5941e8ff66

SHA1
5ac97e75d39ecb60548f054086a1dd6e2a82b8b3

SHA256
1d0d046733ea2d9d6f6023d7f91fd17d6491db60d868a83c8f7815eda8559e4f

SHA512
1fe2d60375a685223fe36b52a4954831dca520525b415c34d2bc7ff3850b83d84eb53514230f36e748f98fbf4a93dd2ab06b81fbcae8e4ba188bd2c189d622ab

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4f780480763b52c5b350337ea335df8e

SHA1
6d5b664bd5b138c5c9fef3c8bec8ad991190ce01

SHA256
1a3bfc041de0e20cdaeecc2b1677f2a525ed1699fb564543cc2c23f29c5feea6

SHA512
d6e2ed44e5d72eb141558d13c9877be6416593f7cdd66b2cbd7b48ddb76fdca8dac5f672508cf4a24e9bf02a6c0612eb1557d26a1c3bc9914c3d33aed883bd81

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7de4683ee44f0ba3f9165387c6999f1e

SHA1
8eedfbe0f28b83510f5bac054a2e8fa714678b4e

SHA256
5e2cc3b19819fd7e1333e83e07ea101c3eda8cd2d6edf5e7d36c6000314b2ea4

SHA512
829cc6c3a9645a4776a0e3718e1271a01ecc399b7b6a65d93b8dfd982af8081fa20701f8a3b1b4eaa393196186c5950fdb6b36e0fe5ebee4c11f09a316e15032

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1bf3011e7146f3d030e0d45e82a66779

SHA1
5bbc8511ec07434806be97dbf81ffd2609505b4a

SHA256
27a474ec10bbb8ef41ebcd701f8b3ae5a3fa4a96b24167c93266eae44f4edd8b

SHA512
63349d954687efaf675b3cd7e3cbb60c09c8e45c64bbb0e4223fb7d0654485343446a01c1207ec76194d7d98716d66b78ace6c8f7486c88770aaa73ae988a986

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a34870e2ef7924b78a7277c7bcd508b9

SHA1
297e6361666d3fe0ad5f96c307e08ce6229f8c50

SHA256
09cc6cc8bfab3cff7e147ee9cf5784f5375336b696a1c2ec11cdec0055033c1c

SHA512
91dea1e7a4f1e70db021fffe1f40ff18243893795d21db369a511d4afa7bd73337c5ac1fc5fd523059b1c51f599eb7ac54e228a2bf833abf2eec70bdd1725276

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c2abd851722e2122676ce059662c9784

SHA1
74d2269fccfac954ac872527006db095f048bb51

SHA256
6123b53320f1ea8d94700b39c1d90c960df8afb12bcdddbe91b3ebdb86c78b3d

SHA512
8b9980ce930719621473632495493765a8aebb967b44fbc4ea479c1881c03dd4b6e3866041228495ed5fa33e7d7983e6de31e4b08f89238c3fe86b31067b1c72

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
d0c3e3ceb70016c85c2b9e15794c5410

SHA1
94a8e062d648e9ed147060650b2c870d94cd99b0

SHA256
67ccbe2b434d901bc11177bcd27b604926e2f4e0cc8ed6bae18a28166e81aed9

SHA512
fec37cf4c63de852b6fc98ea44de55c6b1f6a3a8e4548c52778ecedd1e12ad5b3d7e11256f718c0df55e159eeec55634a4d593a0ed1b64a2992172bb5a4ee47c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2386ab53cd65d2d6ae2599b4fad4a7e2

SHA1
a4a4952f4374dcaf2ef9446c34881d27a80447ff

SHA256
cd7c9ec951d5dc4edf6a80832522e44e36a586d6fbdf211c72dd72097a095b94

SHA512
2e53d032048cee135727fe177fdbe42fa65268a9dfe056c0b54d7a08bc8c70dea98aa1ee63b41e825303eb15ef483899f8922b882b686329de6b9d06b8c900de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
bd23242a95c5b78cc6714a5c3470c7c3

SHA1
b88ab094aa9bf063ad6131133cd8167260aa63fe

SHA256
6cc9f2531795c11b2d43d12af2935d33402d319257f29b64696f5fd585ac32cd

SHA512
bda45e9786e5e01e637fba7c01518faf6c5d53d4d89eb917e89cb2ac113a3c5b904f57ef7a5aa50afc66ba2b572bf44c0a0f2d99ff258d992b5552ce60befc36

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5a72096761e14cbb702cd2d1892f74dc

SHA1
e94cbe02db93a1b5da91ced866c389f773183ab3

SHA256
c3dbcf2059d39b96baa2880010c685fc57332fdc2facbdb0e89267cecf99a849

SHA512
88b98aab3f6c7f0b889f47c588e7e610b650e8997a66f0d62e384e766bfd4c07271d577100561312eaea6929d41e2149e6f3e49f64ed194d66fa80a2642085d1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a564faf350198d3f8a6683659e42fab9

SHA1
c0ba242916c718463ae20a2cb2b5bbc122be3262

SHA256
7a266a59d1e90a2858fd70b74916698d54d81bd0c3b8948c7c596a3636514365

SHA512
457d70e7ed443987e10beefc79c2131e670f465c8ec599ea0169394895435c240ae8e49301f23ae370428445bb016578a9b4c96e4aead7800d4386946c3f5d48

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
395953f963b519e01bcf13281a76ecc8

SHA1
4cf95ca5d33e73269cc0176554da36fd81488f9e

SHA256
1168ceafadab1445d6d5095efa9e641ae7a7ef18fe6ccf21b52469d7e7864861

SHA512
ed624859b07c541004ea349bf09cb6d28eae9bde3cefd54195a0d21e34b94990c3b4ce397bd1f7b49e2f4eb5647bcbfbb96bc869c65e12aa859eaf9aca04bc07

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
37a2a1f741c472f7f587153a98dac5f7

SHA1
a0ab9374fa7652134cbed3c700df80e72cf6cacf

SHA256
5a0f36ae063c3c4b34378d101b1a2b1d3bbebff7428954c20b92954f3d66cb44

SHA512
dcb2ab890be4cc81ecb9c1df0088143077bea78763686c2c2f5772e0b0af3b8f7e2e0528755dfb27e122943114ca10b69a09c200ea039eaf7aab6e81d1b0daf6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
60ba3c5844656840d4eddd546e707238

SHA1
83689e5cc6a707198e4b806ccd9aaa99ccd3e348

SHA256
2ef6803b44126c6cf860f7b00c44b2d4df16db728095c2f515decd1f77355e48

SHA512
9ef41c97783af750550083b4fd142b12ccf127e190c4c46255310e01ed0f0e19e016e86ee02f5d66cd46dfde7ffedda8f6b7289760e0e69ed74b8981de6bed40

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8d0f50f213c5eb194f7983cb5c667f2e

SHA1
0d1a579a5b789fb417475ed39143b17c5563ba97

SHA256
3e1e6f76775989ce3813fc99bd3b2ee494812927b74c4403689774b1956f3f98

SHA512
dd8c33ab98223c7924a94a5ce6c8561d1a474fec9375c90bfe3de400ba3a7c713e5e60e187b7f866f2b0d2d597befe166708d8f0810d5f0896398eaae37aac04

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
5e9275e16c3610408e1935eb9c09443b

SHA1
4b33dde6fbdc7f0c6b185327a4391bd8bfe67bc5

SHA256
bf8b3155a7e61fb64f392c2f9711446a1cb15b3f75df93aa6fc853c55ae09e48

SHA512
72457807ff8479c7336a0b05daa2e3fdd6fc6af4a39c4b01c11f49f863ae03b0a84060a8630c1d28f823f5202e99d14bc54eacf1da738ce32b10de825c1e6573

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
59bbf0f7318dcfda93fce165a2ec6562

SHA1
65fb88123ac9305edbd5f866e611a424680f5f6b

SHA256
8f754b349c1c98cb5d5c0da7a444026f742025ee1050094451f5a28d33f5211a

SHA512
ab9901314bea71930393cb2a956e8940835f687112ac9150b0c926f2d3aa788a3fef4adf0049a7dec68d8f4447b0cff63dac08fbe0c8a84e086a05a35a6aa363

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b923a4d1b286a6f9681e2c46e895c930

SHA1
f185e8c66b4b7f6fb125a23f84f734aae865a3cc

SHA256
1b8d93db08eb3ae28d1916bdb01ef57f3e1bdde451aafc696ca15cbcb9eaaaf5

SHA512
ea91353b40f62ac9d7a4ffdc5b0c135a285de0a1fc855f770d391fe2d7e24891b87742b1e84ba0dac4914113b7e26b078dfe03e09f5724928cae2a0f34f3145f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0845ac24a8ed7808b9978d361b66e6e3

SHA1
9cd9ed86e699b9760c140799b9651f780f9afce5

SHA256
2abc66e27a5a9b1f66acc793b086b41f3719e9e287218e6f74355d0a4c9257a3

SHA512
1384d3715ca5010d2cab6df375097c0f49f1964189162d671f28b117c5234a711bc2bdd9bae5fa05d30f20ddbac646791163dde319d0cad3e762082850c3fbdc

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
54e1fce5e43c8fdc19168a2fc5e1f98e

SHA1
7fcbff767a8b3a3f5e08f68f51f8b247160e64a3

SHA256
8fac3fd3334d85f5942506c51cfb974714e8215091a9b3f86c342cf2f5488c79

SHA512
be6b9a255580ce615681e06742a69a93b2973802841eba98185d9a4d021fc7023b83083ab1fb5465ba5ea5c4e4c3ca9b97946b45188fe280fffd425a98a44cc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
918cbdfbafc4cad1697795908219b22a

SHA1
bf23173c99da0c472b2157d7010b6d8348792c3c

SHA256
f604185517d8f6b4f1d4abea148d7f0d968985a57454a0cd0d1cd04257730734

SHA512
4ede0d8c5f526049cee35d2a0a6dea1e699a67b2e358eb7ec22fc04522e718026903ee9d814d9822c84fd777a648288ab31fe5afdd3516eb7872425a65c39f46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f61e385e99e357c65ffdcb9bb836bd9b

SHA1
beff78ff26c8c1988d983fd55d5b0d1dbf7c3d77

SHA256
5ad648f7ea7e2a77ed67c8df78cbcab688af43944a8f30cd1ba5e458e735934f

SHA512
cf38b24cd1b5636ab56b0a8a8043d3ab81032bd285f2b2148cac00b59cc6c5d0062f97aa914761cc46a2c7aa38399864e3518a09c937df6b76208064b9a51ba3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ddaca7b2501bc0e5eb97298b375ac520

SHA1
cbeae97a4ff8f005fead0c9f677f809015384b98

SHA256
5d7aa643b5994c34e59d7f757577324b994f1440fca341932e4b6dcce7b4b4f9

SHA512
5769f48b0777c5347de40bef4c300317613d0a8d7cdd83a8e049f64a26b54898bbe1b395186c78efacbe0eea43a802faaafce2c2bc29d28ddaa04aa73631e1a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
fa36e1eda784c114e2b21152b86025ac

SHA1
b6d7c15c675b5c9702a20a1321cf93a0ecda6722

SHA256
d206d701a18b4d640a317bf4737c437c2a5b09797964028ade6a898f6c44adf5

SHA512
5b90031903e3f7e279a872ff0a1b0622da366d274a9857a50b127be74d923c947a70d610e094d4c55abe5482d22757aa3ab089515e1eb6bc23957bed70a7d9b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
7c981f2c56d7906a09874c0a42fa05e5

SHA1
245cad274f17f25301b3701ecb9e599147e6f21a

SHA256
20fad5a7fe5a0eca0c3e99051aa10aa812b17cb7bf773756cd480e34ef6a6c7b

SHA512
f6f6a7045aaadd4cb3cabd90a96e956ed1f049bfe8b62dd82210ab9b56dec96d9fa69ebc330d0a66f2ac539e4edac400272e377a8ff7828902738ad404f88666

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
eae97fcd84e4939c2b2ab97155210644

SHA1
a801ebae36178d4b1514834b4b4308858d801343

SHA256
11fe65756063e1c426495cd0ffac1b04a0f79a597e8eb73f8a903231cb1f6af1

SHA512
9d48acaf94891c0b89339027f809c765100087f6c1730a906138e3d21eed17c4fbe9acacef02a53daaa88a302ef76e07569a1f9e99df396f3dfc8c27e01eab81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d5503d001986a97165bcdf7c4116b67d

SHA1
cb030c9d156080e05cc445d6fc22c4d3aefb938f

SHA256
755756f793cef1cadb89fbebef9c2212094f1a2c3bc3a9d550ea41ce61128d8f

SHA512
916a1a9ac14061a0060e298773cb79395a8be5ca9cf067f7f33c16fdde0765449d8b505255c436f586db4df15c9cf04b45315bf0085679cf050e35bb88287426

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
eba3af905e43c32b6631a26200dccfc6

SHA1
5e308c7b57d7f3115d673f45306b6e8aa0b95840

SHA256
48237da29d0679f3edd5b29caad7538318f45694c4e512f64b0bf43aaf9a0dfb

SHA512
1518049957dd0124cb639d76a58ba9677df94e899e1ed475091d5f44f21c8ed8fee8e9a24fa75712182cfc359257026cc07db1cd552ea1f53883d4ef2b6dc294

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ab5f6baed945d64a40d8e70e46dca4cf

SHA1
b299008ba02c00218ca80a17035e9db1ea58bba3

SHA256
9f44ebae2022e4178759e6971c35bce5fb5b85e891fc74148da7be330ea00d4d

SHA512
c0baee5dae66ae864d0980a4c77a427b7766b53b546bc4e33f582dfca85047bcf5ea45cdb882ae2fe5b805bab2aaeb18c714ce200b5cf4016a33509c3b1b84cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
2f937c3168e987a7fef48a29ec6a242a

SHA1
cfb8780e9cc9dab05ab684d95466392901c3f089

SHA256
49608ba5a88d6035a88c4b30f63a8614cba7d8fda5db4522222dd739fea52f50

SHA512
1f867e02be5add289d136d994bc1989c586eef2c47943d6af1b69ccac4f34566bf418778b1f71ced24c365ca9d5222dd21ae09ed53bdce9380ec8b65df600d49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
bb6035e39565945a1255b3ed202b5ebc

SHA1
12421bfc5b5df3d47e65128dff67e3992750851b

SHA256
967e9d40804ccf4a891a86d74b655c9e468f6cef495aa3680aee070788adeb71

SHA512
c84c249c9e3699598e4775b1e223e731884b434b7c067aa3f5fa5f085ed4b9419b0ac7d758a5d9e9ff3ea279e870b8fe41d026fcd34625aa575077427cbb9e2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
00bcb9616139d6c888350b8ce0868090

SHA1
d34e75ae0137a76e555c50939f7fb8d7c3d4b6b0

SHA256
0176fc0ceae28c6670a1d5a8e3fc65b69fae28df60ddb04ef0ffd697ff13b493

SHA512
69ecc38abef64d59a1399f611ee9f8a6ed2658a3e608209ff1b32e5cc9db636ebaa9d09738afa90bc8eb8fbc381d75e876201d35e57f7a1479bafd56d02bb8a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b350088839856f8814b9d34b4b053de8

SHA1
e4a9d156fbeb016472939aa517b7d68ee11e616f

SHA256
f1d6039fb597024213ce871c46d2d123da01dab2550ce8b280223820a5c158cf

SHA512
a3ed71a2fe74aba7c516fa743b5f3e83d6c0a594a376117be116fef01df57f47b89034cc7ef2b338a97a9fe278828340271fe9fe574cb0f093c12fe15cea93d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
1552d35b0b6d25cd6479c233e78dabad

SHA1
01d87c6f52b79a3a6dbbed4e30427100ab72c260

SHA256
5bdb4c64639960ac1637561a058fcd2db9dea912fa25a459e3ada81c0f412d33

SHA512
e7c44fbe9ac49ba28dddb74a821bff7d89238c2e30ba3a23301c591c4f1f7b1bbf724a470abb53d515e3f3a144c8b681f595e7b096ecbae9a41e7c850b620bc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
38f3a10ca632e7092aabda656386b50c

SHA1
7bba064d2e8fd209a405025ab55531e1063cbc16

SHA256
3352c60ce481b5dd77ea99c7f2de6dbbcb0645e4ec3c6039e82cf389b43c114c

SHA512
dd7405d987fb2579722e9903f1e21fac18262d0fc052128c9e35c71261e69daa927f58404dbe99d374f0b3bb09c94ffa40247a91a4cce2d7edad2197efcc16bd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b596574d1f95cd512edb4c6ad19b698e

SHA1
e0d93cb2639a3ead1b633b1420c6b4fb816a7e85

SHA256
969448929089486d8e1c9091698b701ee5c0ed685f58a7b72c20a642ae566fcb

SHA512
138459d61f4148e3ec560283bf83b2f0a78971c86c34514f4142d47dbb801bff529aa0094d3505ae8a3100aabefcb667b35c0017b64cec335bfc1b19288df57b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
b406c9d69c2e644fadf1e1c46cfde41b

SHA1
f864f34e75563fe9e0548cbe9264421c2201ae5b

SHA256
55a57f2f9e309556f4e30c150fbf8fc16365fa6fa478f91eb4a3ed1420c32fe7

SHA512
69b79958054f71e0243f137e9a1fe125c73573ab730875bf3375e7df2f2ec224930e6ca99fc88fdb66d360c3daa8ba99a942c3f60595256845079079938810d4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
eec5132834f76e068aaa40f89817cd1b

SHA1
ee6731257628156e416a85d2419660a1dc1b647a

SHA256
c9a72245c3b196d599cc4db80b32ccd21963021ebf9dca157f3539075306451e

SHA512
48da584a89c379ba5e42ec40b68a925a99ce29f8167086381eb44f3b7de8e038b1dac5e7b623c0177ccd9cd21c1c28819659889be6e5e941b790f02307061298

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d5eb5962cbfc2eacf8d715dcf57e1213

SHA1
154c6ee3949926b1d0290cc45ab5be3999feed15

SHA256
4532a911a8098129226ec4236b3ac5301c546d77c72ae8731622fe27264c312b

SHA512
9c3eba20d595d35f774f6f76ab31b68c5fca7b0e60f43d49324f45c7ed51f649b9d56c1335f9aa892014a76bb189e332320e27a15763e2f68efbe74a1a0a96b8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f35af1f612c052d497f3d5145d37c3d6

SHA1
c166a06f064cfc8aa7bbfdd6b30282739a99b6cb

SHA256
154021be354283fb40a35eadb3ebe458c18628843ddddb51374232addf9d8ccb

SHA512
4c3988dea6e727bd67beff6fa879a9359204f70d8a8520852a00724d316f7a66e9c46e780874a24e0196cd4b211bdce695da5acfd47cfcfea1886d0403ab3f82

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
547280eeff5f351ffa713653cc237c5e

SHA1
9cc09d15a26223c01906bb51c50ef24ac67c87d9

SHA256
419ccb1f13378fe86a8c873c908b001428b03a00c2c95d7466ba865a706fe0a8

SHA512
8081f01f8258262297675342778b6d1e8a34c515516a3af27b664f7fef330ed84a14b52b3728583f9147b96354ff649df0aeb85c8dbcb701ff7e90767586ad49

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e7c6afd0e5c33f7687518b9cad01354d

SHA1
4890e659fc0586be1d29ffa8cb68a66cdd259e3a

SHA256
dfe0bd45688797cf6a6830cf6f71319013a9cdd22bba3693c7ef2632fee56943

SHA512
1d020b5a5c1a912aa348d7d570ec7482c810e4328186d5daa8c90dcbed4ac690d8217b43135b4158cc8f5060f3d5e48937ef8bb9573e13846f903ef2c01d7a2e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3733c6da743e5d02c66912dec4b2ae48

SHA1
85ae3d08de237a7ab6f5b91d780fefc532fb3235

SHA256
7e385852e11ab354956b1bff726a841d7fdf692b5feb1519c484150c703281a6

SHA512
1e08cc8ef423ce802f876f127abb6b580e9d139ab6e3171a32909147fae044be13c952b3904c0a0e6ca93b86b225ff3048173ee1b6f7426845e691d37a9edf6c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e522c5e68af7c3c273832849f0af0ae6

SHA1
e615ca2bace19ea9c6688f22758d17ea3d7ca31d

SHA256
210666156e581ae35d86a8bbaf778903109f1db9ac0a875fbaa4abebcc045da6

SHA512
c708c8d4b74ac7e7b62ebd9bcdc3ea0142861e6f1c39f16028836f5f3bd6d705be6be606f37d9ed67b9f585a7f3b81276e1bf867f31a370bc0af5bd740a27f40

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7d05317641d0b3e1bf2b0923657abc20

SHA1
7394954056ef373e1dbd84ce681fe753e3e8a043

SHA256
16dd409e8b2d56abd8510c1e35748b376030e674e5adcdecfb74020553180293

SHA512
725d3462bfc07df43d7d6b6404f1a95af7c93dd9cc64cbe15794fe67b97b684c5076332e56c66c0f66fa8f1ff738031db657138e78e34c8d2756d46b0d6c9f58

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6c415ed845ac350e0a558e19ae6f3411

SHA1
908d1457a0be4bcc9948534d198917e8960fc7d2

SHA256
70212d9e0d4546de0b7d6079a0c85906004850e31354aa6155fb48f38861c4f3

SHA512
8c7c9274a7efa0af8f82da487e1e703d9a8dcc56e919bcb25262293b552532231865774653ef35cc4a108d04178f188e6e7fa6a2560b9c13c0bd4772d576d959

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c2ae2808265e25f71b160c7ddd82344a

SHA1
40acdcdf77bb227d0d3f0fe90bcd63e790f41238

SHA256
54a7434b15dfc1ee407b5df28d2cbcda6758a3635cf640fb12895e957639c080

SHA512
a7f2adf818fd73ab23d368033f0d4606596eb7e895f69288b324042bf3c9ce1c07f09ef6f0b64632336d5b60dfd2475c84c0d055e0c3bb1fa017bca7eaf1f692

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b24c82d257cdd7d4f437c8c46fd51424

SHA1
aab361d004663fa95806e1c21eed66e8ee7d2a05

SHA256
dde388f3e676dc33c9e142cdfe599badde5470fd1fcefd1bc0723e10a9bb66ea

SHA512
001fdeebe862280d3a50520aac71f7dc77d0320b3fce64f6c1ab797a0cbcf168238d811151869e08fadb84ab18c479c67d9e27104b9cd7dfbb5edeab4a5f2a63

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c4d6a1b77c1b3eac0d08c82092d769f7

SHA1
ab94b2197ae8b5e7316feb27128a41e276e08b41

SHA256
5be585aff986667add486088a5ff92797ebde79e21863f2a5095159dad1e50de

SHA512
d29b9c4e7fcc41af77f0145643f9ec1b8689de830f9dc353bb0c1547f77c2854ac52451be8f9a237fbb9df67cd7a9125360719690d9c56ce4c48caed4a8cf23e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8492e37e0b41c299df3fbccf3e04bd85

SHA1
67a5cb545069aadff9afb2617de6ef1e524b94ef

SHA256
4ce649fdfc8348295ce7c8c0b8a2f8bb0396f66ed3e3293c150a6bd18434275f

SHA512
032c392fd0053f5bd529de1f8ad48267cd91d4c92405e584afbefacf5e525bb481b3cf9cc4960e433c18a864a7fd4212439fa0cad94fce1cd7a862f04e9d44fa

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b0f0188c1d2091c88d4557548682d5ee

SHA1
13d857b22e6d837ebe3872af4b91e024c3c75a5a

SHA256
09f940e4797c57f9c33e7559ba23d6dab1593a0cd2c608540b28a3dc20359914

SHA512
5d54907c39b5337286ef589b34e859ff6136766a68b8a5372ca90efe4e12a74ae74b72f282c99f304fcc8d23ffa451999d4c325ec2105cb237ea36768b31d93a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
fe4b3a8f595dffc2606c62db279e229f

SHA1
fc2625087ba42ac85faa90a7ecb79282adbd05b5

SHA256
e49f2109bd9cbe1eef5a74ec17b53da370b6dad03a8f14c95f616d31c8117d09

SHA512
40a9f10770d5a1fc569d636984b015720253c113a5d8bdb7976ba16b7c486704f0181e86ca25334ae5a8372d1a7961087f86da38d0d48391388cd6efbd472cf2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
68308769c91850498914faf4a2c900d8

SHA1
4f996417637d70adc9c2654bbbf9297bece03c65

SHA256
074a0e5b1452dc7ca2a53bc27926ef163163f395e493ce9e0d48bf24925d57df

SHA512
696b6a2a2be9445424a849aaa19d058689b37f39451c2e391acea1aa89528bb0ef0272f3a8b167452979d83f0fd1632ad470a9210b77730b7de8a9c307f3458d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6e8f25035581bdfc5f8bff02cb79f77d

SHA1
c7a0ff45179528cb2b97089ed7938299af63ea20

SHA256
7734eb308a2983d6b845b4ae9e6081f0a988e0f94a0f9938f5bc812190c074a5

SHA512
cffd5fd0aee18c17454f110c0852a130075f879b8ac978646f81ce16fabbacc554b0e05cde8e74fba507ce2fab489390d15901f9e3a4dc78404ed31a8aad581f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
394ffee1601f49c5ece14ab180ad53c0

SHA1
8f4b1400302eaa1317e6016f7fc2f16dc80e1cc6

SHA256
cda0dfbbe5a6b60768aa2019a84c4db2a6e9d7d9d7bf625cd219923ba85be87d

SHA512
d60c3e6432bed6d7eeefe7dfdbb2362c12b49371065282746028ae64250c45cd951e3c37f4af94c7ad9b24a6256c97f2a9cf96afd57752a940cc0404a28f2221

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
55cf01fb5f1943da3a23001cdbcb1b6f

SHA1
e3ba8a48267421023dee61b0708a1486271679bc

SHA256
021f6e45cfbf31167f8cd1cbb40ee15c8061f9bee4d028cd3883f368f4935499

SHA512
2a04759b74bfe8cfe7a1cb2022d7915e55ea23658b92108fb2349be965e66fcc7ed811f57c0a98f412e2be0d71e40369a28ec3db9d82822b2f544268fa095675

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b110196f44780db883bcf9739cc67d3d

SHA1
eb21138390dcdd78dbadcd515233714f4aed077d

SHA256
0d180d67b2f1781357980777b3798f080ea8bef0d457760ff6df8c17b7578738

SHA512
89925ee352c81292b9fd034aaed1ec5964dba91643be33310bd309cccd42496946c6edf4f43489432642f78d55aeafd5476b332ef0df03fc3eb1a0d158e3c221

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ddcde344fa2e314f71bc341ec5466257

SHA1
34fcbcf61deb3e264157405747723eee79ec4469

SHA256
7f9c500b2519f4b605b22141fb612ee4c06ba747617c1123b2cb571965945cea

SHA512
c013ae640e0edb48aec4b058dabbcde6100b144647b1e043a0e59455bbdd9cb40bd58196075723056a993ca99d343428d24933d52e3134fc33f18b688a9ada33

Download Submit
memory/224-5-0x0000000003DA0000-0x0000000003E07000-memory.dmp

Filesize
412KB

Download
memory/224-10-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/224-96-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/224-0-0x0000000003DA0000-0x0000000003E07000-memory.dmp

Filesize
412KB

Download
memory/628-428-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/628-140-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1548-158-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1548-505-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1584-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1584-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1584-15-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1668-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1668-77-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1668-83-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1668-162-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1756-38-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1756-32-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1756-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1756-146-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2128-163-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2128-506-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2412-359-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2412-128-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2536-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2536-55-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2536-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2536-61-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2536-64-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3004-154-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3004-432-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3028-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3028-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3292-93-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3292-97-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3292-87-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3488-127-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3492-126-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3492-363-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3624-166-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3624-507-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3644-102-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/3644-106-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/3644-100-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3644-322-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3824-430-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3824-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4204-429-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4204-144-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4388-157-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4388-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4464-431-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4464-151-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4940-125-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4976-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4976-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4976-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4976-150-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5048-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5048-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download