42f528f79bbc85e39ab1e53ebfafeefe1a47637242cccffaeaba501aad1efae5

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
Size

24.3MB
MD5

a201d01f7db9e5210ad304155c0330c1
SHA1

f9d94e2d8737b4d74d2afd975a4b8bea21c8102a
SHA256

42f528f79bbc85e39ab1e53ebfafeefe1a47637242cccffaeaba501aad1efae5
SHA512

4439bb5a4149dec37009ae1cda515e5f2f0a6a0573324d6ce02eebc708d7a7103ac17a1b054aed252eff2bfffecb1a6dce2f52cd4b86648cbd1567ae48dd7c47
SSDEEP

196608:QP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpUH2SAmGcWqnlv018sUi:QPboGX8a/jWWu3cP2D/cWcls1E

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4152	alg.exe
3392	DiagnosticsHub.StandardCollector.Service.exe
4824	fxssvc.exe
2512	elevation_service.exe
3320	elevation_service.exe
4964	maintenanceservice.exe
1660	msdtc.exe
856	OSE.EXE
4716	PerceptionSimulationService.exe
1684	perfhost.exe
3224	locator.exe
536	SensorDataService.exe
2720	snmptrap.exe
3040	spectrum.exe
1704	ssh-agent.exe
432	TieringEngineService.exe
2420	AgentService.exe
1148	vds.exe
964	vssvc.exe
4548	wbengine.exe
4964	WmiApSrv.exe
1216	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8cbeca96d590e271.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3f629608babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a22d45f8babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6083d608babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b838d668babda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003120f35f8babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e146fa5f8babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a45eb05f8babda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
3392	DiagnosticsHub.StandardCollector.Service.exe
3392	DiagnosticsHub.StandardCollector.Service.exe
3392	DiagnosticsHub.StandardCollector.Service.exe
3392	DiagnosticsHub.StandardCollector.Service.exe
3392	DiagnosticsHub.StandardCollector.Service.exe
3392	DiagnosticsHub.StandardCollector.Service.exe
3392	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4824	fxssvc.exe
Token: SeRestorePrivilege	432	TieringEngineService.exe
Token: SeManageVolumePrivilege	432	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2420	AgentService.exe
Token: SeBackupPrivilege	964	vssvc.exe
Token: SeRestorePrivilege	964	vssvc.exe
Token: SeAuditPrivilege	964	vssvc.exe
Token: SeBackupPrivilege	4548	wbengine.exe
Token: SeRestorePrivilege	4548	wbengine.exe
Token: SeSecurityPrivilege	4548	wbengine.exe
Token: 33	1216	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1216	SearchIndexer.exe
Token: SeDebugPrivilege	2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2724	2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3392	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 3648	1216	SearchIndexer.exe	112
PID 1216 wrote to memory of 3648	1216	SearchIndexer.exe	112
PID 1216 wrote to memory of 4384	1216	SearchIndexer.exe	113
PID 1216 wrote to memory of 4384	1216	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_a201d01f7db9e5210ad304155c0330c1_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4152

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4524

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2512

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3320

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1660

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:856

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:536

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3040

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5068

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3648
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
83d192fe2db88df7b3f5b61ea3bdda82

SHA1
6351852bc4e456916c908bd14a5e93a7dc398220

SHA256
439b9c7a49807003917e1331c9df9c6a5311bc3ec4a20a8f4fe61bbb597420af

SHA512
b8a5f9f480da2dfab98b6d259f7c5304ea566a89e54bf2ff1d2ee72b7cb4f952d4629cb3610875a218312fbd804539dc06a68484fdeac25ae0df8f30314aa1c4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
99afa5c174685a16e66d35f21dacce3e

SHA1
856f85c0936f4935a2407285493d57115bb9e2e6

SHA256
363b0c0d18299c4803e4be2802c61f89a75c38a881da8a3999ea65ad0cf4f7ce

SHA512
8da9261aa0b5e4ca55f75440026c52be807ce4422652766e3158533fc9707ae4b2ba00f1fa1babeebafaa292688e12e746684521f46083e3137d9924566bd1d1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c1f3f389e208ba7babde77917d7cc376

SHA1
a9ee424fa4c4490915689adf0479e729bbd543f0

SHA256
f05634577892d009a8c5a4d2ae2cb8f709b5a070cc2d4e1d8f49bae8bed84107

SHA512
8d5c01ec8a23f1984f027d6013c1045a4225960f8b915c57adf40ce29f3c976d90c28fe49fa415cd6e0e620a2e6aaae35fe15600445ef85d61196487a7495c88

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b9824e03e51a19b9ef636eee837f689c

SHA1
b334ab294fabd22025fe6b4e79bad1266b1aa1ee

SHA256
1938950d39049859c25b20484bdc6bd18486400eebab0b57ded7f91d8539e052

SHA512
f275a56017479385eb9b61c72718bf7ee9e20256e4fc2e6f84d3fd330cee95d2a0b0b2e690c329bd715c0e0e55c16f79e3f1bda78e544aca46cf44d688289bc0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2557b6b97bf3715e3ac4b0eba383e10a

SHA1
911e4956f3d792cec5ff74e8bbfad94ffd64bc55

SHA256
38f8681ce589d1197cecca8da337772b0d6f4c1c27d8df15b316bf5ac828f39f

SHA512
f6e066390148b5185d9fce33d570768bf749a715e0ef1996d2a4a96c0e76bff14984620a1b1859341c9bb15e4370434c812d64ce2a2801007e16d7ec9472a1ed

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
887703fa3f4c324ec351e9a67decae12

SHA1
20e361acebf83a99ddaa2abce166c428b17c5aab

SHA256
8c54f0046c867b2f817f2b05482561a6db54ad098d91102d1d2e7b8017f69e85

SHA512
0bc40a3a5f93da69cb1d066d5b8d81e01c9ecd5115fa672891f481554bbca7a1d98dc06c85b314c6c099778903886c558e232efd1db26d190aee6b042a4589d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
9a4399aad8080fbefc8e6fbc56cecd62

SHA1
6f1faa1f33a05358cef3cd79734c426ccb6a3ed0

SHA256
f3d0da8bd87a204e22116f68d66c5e7de7043bdb0019703d729e650ada9a3f69

SHA512
c3497433b300a5cc383459fea39e926f830fe44ebd19bee78811eb51534459668fd934cef820c59f1b97f6d8e5bde857af4270598159300632ad3a9103a4b667

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
95175571588ed7e13e7e8c706fb3d192

SHA1
29bd4a0dff1124efbe6b4d8a4614ec8ebc3d601e

SHA256
45a6d451a1dd98993d8b9d5554304b85fcbbdfccffa2947ce2aed050a0466165

SHA512
96718c90fd2ca54e66deff2b62f85226bfc45e134caff12170572f6ccf2fcb90a594e3c1cb77c8ee06582b0e20e1fce2a5d837d05a385c29e357743e89163016

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8b8576101a621d1a9adb488b4741e22f

SHA1
1d0771c130ca37fb0646a59a271bd9873e4ceb78

SHA256
35f93283cda1cac01445e188caa9d7d99174e0c74216fde8e6d8e3117242d151

SHA512
5350b3552fb38ca1903d086bf9d6ae3aa053ce51363ccc96a40b6775723d6e31eeaad1720a711fe656e3faf01a3b2e63f3c8241a615d89e8e26e800a34ceb26f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
005ce7593cb1c667d9b469020cc234cf

SHA1
888d4487b2409c46b0b073bac45a70a1a16609a8

SHA256
1d8a7686d32740c9b99df807ee18924f4a32c3a02a9b8ba447cc23bffe5883f0

SHA512
22e4113d113c9f0eadf731ee306b13c0382b2c1688ddcef715a70624a781dab66d551af5031ad7a143bccca1b65d1cc0963797f42d036d090d672990b77c8ed8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
de2fe9c7d096371cce31beda0e03af06

SHA1
b80be1184f581a623169cb6399eea59cf8f80987

SHA256
bfa53fb12bbb00895b1808a88a3898241a7a3e9931877706516da417372e2cd0

SHA512
089ec05c3b15c401e7cb1f66b2e8c2d8f785090d883e1c3b0625ec95cbbc2da3ce1602c2dea609700f0f539bd1304217a014efe87a17a95e94336eba87c10d1c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5f0f76466a0a26d47f876e1834648e40

SHA1
dab48bfa8e772802042a475035d6ad360b4ffbdf

SHA256
1b7fcb807b420379bfe015ba695e82732fff3ea3af149320f412cacec5a07a12

SHA512
26676c0c3b54b5025facc5f065924e4084baea31c61e0251f063d82a2344b73b4525cab97931c9d057ca673670952f4311a3d2b3f02a7a3d9385466a56f67004

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a5fb0d7c11bf279f7f2aef2af3331903

SHA1
524364968ab56f11fac254733b687e0ea64bfe31

SHA256
64513386f90aaaae4986725ca4214168754672ca4221c1c9621c56f02aae9af3

SHA512
1d685c2a2cb62c6f69ce19327d4825965ee914b6ee2aa36c70469e3324ffe4a73b69855df7187c1d3faa1b5f8731e29824ce6841aeb438e598802a5ce1fd7654

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
1653dc32c0ad62736ce248c0841443d4

SHA1
a02b527dbdf3eb3d014835754dbadd001e846fa1

SHA256
71902e7235a5101eb1835baefbdc4764012828bc26a308da94754d904e07bafa

SHA512
159ffe08e041064acdc45c2d23bcf4d5847b807b6c692c968cab57d7d278133f91eba21c5c067d62b4531e540fe0fa4e983abad8abb4676c518cfc177859a38b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a649bfd480662651d1519b7bdc3d1909

SHA1
b146791b511f0f964fe56b38fe3c6ad92f0e7428

SHA256
ecb24c00d6b09e46d5ca8cd1a7ab79c43ba6e37a23b5d6bfa03c28b1b1963aa6

SHA512
39d640e9db0b7da0204e1099adb206dbc41fc32a8354debecf1c377c4f9c4c187eb4657b0c953150f0995c3e3cd0ff7a7bad0412ed83fc61a1090a164dbc196d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
0249a820f023d6036770691d8789d0d3

SHA1
1a26f556837c21ac6a3a7e2995212ddf0df9da3a

SHA256
12a24072a96b5731ac0c74bb5853484f2824d99c193acababc0e4c707e9ecb99

SHA512
2f5bc6685d77a6ebfe9a00b4fd727401a73dda1d067a8ba32811f873b1e782cb018285f5fd99b3d60576128959a828f83edd5f8c78988a534e8542f5e546ee2a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0ba1ea510b56d085556244e707e71847

SHA1
cd08ee26ef528f89cf7917233757bbd55aec613e

SHA256
bafdcdbc65ef1584ba2dab21f5c7418bd23f226eeabf21aee73aab041effdfc9

SHA512
0d332127e81a0652252a0229036935d6b66942777767db3571ed16b6ddfb79cfe8396c827135f4d98d3a257c5248204120ca34fd89e4fefba8bb3f9e783bf2f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
062c088ebcdba679d4f1149ba2401275

SHA1
d630587269a899b1f36e9af9466d58eeb0aa11ed

SHA256
35290dfb813aafa7ee850084c911e8ec08494ebe1feb1bde0351fb442df3f85f

SHA512
07775633e952147982920620dbc097cfdd18b5dbf52a46884877bcfb1a885576f663d28fcef2374d10813ed703569cf6bd05a1a18d8873c0628d28511f88a61a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4770063b882f72416e1fb1ec2fa001bd

SHA1
65460781bf7a3c3358ed5b96e02bab9586c0b985

SHA256
15ecf8e1249f73244ce436bda9ee23bd1b8ca48aeef1b74486731074a815e80d

SHA512
f067b86aa936f885a7197a9b7bb33c6c3ce0565ddbf86468e782114d3b93a594d86321dc2c6ae46b46a3bda114f5f40769c8e45b4c1cc41a5575c54643c5772f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
054571ada1deb51108a60db00d1acf34

SHA1
e3389edfe2cfc13ab6aeb2d42cdd3d7dc45a44d3

SHA256
d57373269d19534ac1cbc43e2573d6172bf2ab2a72172deafe74abe4c2e00e90

SHA512
ac5627e128abcbb876d93c52814277ba5114cb07815cb63951860f36e3ae393fe188c2be1446da16221bc3eb6992238d3a9c3996ec9c7677028e6b54cea29625

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
94d27b09c157f01cfaf016fbfc3d6429

SHA1
5bcb3b12d6dff11c09ad1e59608340548266d2a9

SHA256
9b090bac4e0d456782a2c44816c30c52e619f1cbdf306293f60b6b37d162bb25

SHA512
81ce16bb9eab66db0f990190ac50466a15429cf610a7fee40c2cd0d908e5861b6f4912c3ba016a7d0f1caa8a27014387310a1fea13ae28e97b90fe1f492d6ece

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
566b9ec07c1e83fc1955297cbc1dc237

SHA1
699993f1724c3f4e6ace998863a8cca158ddc639

SHA256
08c4455af630407a24c4cdee6b6066cbca5f90c04068726420b6608dd324025b

SHA512
0275c9cae5676a84427e9175e439b4acb4eda99836f06538279e73192a2e967f2f92ba4e11bfcf850ca544f98a53b7033ced02bd70a7bc1743e69aeb2b0a2692

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d5467f26df5a8aef10459c7097ba7f85

SHA1
923b77d4e08d3a07331f5230232d42184d42acb9

SHA256
e4053ca23feef967661cf3444359627de31872c8033ba756e061c3ff3720f1a7

SHA512
477b26c9289b1809f1a69f71cba4c5bb90da6398548d90d4cf479a250c2990fb175e717720d990f47dd2f34e784f985b92e49d8805354fabb4373bb5fc92fad9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
54063ca8eff00f5244d6846b2f92c598

SHA1
b8520307d7ffd15d7530e9c347044a16b86b7309

SHA256
62e9400380405431e20bddb630432c665e7e650df1a027b981fc263e92a1d43e

SHA512
111c6ffb16583d6fd857e76b4195b53662c1c8a062e60a857f540e78ec1a0017fd8d01a312ebda1267ed8121ed34139d1ad30e44411bdf37f6422c6d49a8932a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
bf8746baa250be08a6ce9aed7aeb69b2

SHA1
6b03098ba8b85d4b2849f04811088dce0c72d08f

SHA256
5501009a63ce9294a6d684c384c1f106d65659606b5e08d39f8773e585a19399

SHA512
0d9347a5b3810c429312916ca759db9391a7e49f0f9533e64f8831d54f94363be24f4673fb570231fcb4488e30729d95ede19fad5511662ac7d2d8025d6fc5ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e54cd75325dcf24e5e31c0e99aeaa426

SHA1
88f9dfac0c489ed4931990d60169b45d00a3479e

SHA256
60bce2a62147062ca2c4443587a0f89ff02192413763ef2ed0f8d406f1c758cb

SHA512
10991a068d167777ba2f1ddf2d47f99cba141736cf9c6583b48ba06d3632071074bf79686ecfe85cc99e9bd8838c40240b9fb8a29a7b75c317d10009928db54e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
388c4c25b84c3049ae30040b06c4448a

SHA1
bfe6497a6950c1573f22481666fe2a8613e1fb7a

SHA256
1b460250d2124d7af7be586c7fde6384b5b3f44ba1e0295978c7831aeb8ecceb

SHA512
6c148b7d8a9d2e41ff2802d2fc9aabe203ae064f89a275aeeab2422d9ee467c82762384bab0205e47e7e1b0e1a346ac2f17dbd6ffbb51343166f60b1d2512079

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3abe9e37afe072904e74f96f7e8ebe8b

SHA1
41362276998f2c3b54040997cba043bb843a32ff

SHA256
42183bd30378bdaf2cbc59cfcf53127385ebffa7c6ac6a6aef9e0d14fe1b66d9

SHA512
d5b1dc5c714c0bc0c8e86991efd20368712d9cf341c92309fb45a53002f6d6abc3a77ca445146b63f7606f5cdadd566610baab4a0ff5d43e572fe840c211f385

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
288932eae341318045866d2691ca3156

SHA1
50d4f47155d0e8729ab6d4bd5c4bbfd5e5ca5825

SHA256
52405d861ade9cc948f849454f6af5eeb5d0bc61b2df5bb7bf4c633c6c001ed5

SHA512
68e76606a4d9fa1e84a9dcd45bec6a47ef0b0cf9d0c700c8860df251642924a9ee75aaba8c79b79332b308e6370c66097b971fac386dfcad564fc48202943725

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8b46418c6fdec9d474309650a84dddfd

SHA1
b3c2f647b8826655e6f8db84ca19248d8101e6a1

SHA256
2c9edcbdd0372251206bb1dcf844eba1d7e5294250959d4e9c85f12c9535e72f

SHA512
6165bf3f3f1a0d13c7fc99a9147f6c9fdbea01dfa9e8c8c733229b118ec4c3f1782d907295cb429f56fa864f538408d29621df4aa37352e8b7a02768bdf3afcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
db8655f9f31dccc0c9b62754a3c24bb4

SHA1
9278f5a40c7e3643ebd2383b15a0c4e799b620ec

SHA256
0d32c206378fd6d2cb9b41af5f9da7298a8b335d0c97205bdff612a585dfb742

SHA512
8cb819f7b00555ccb87607f9e3d959bc807b1ca50054a1f92a5f1e507ab24fd579404789ed8b6832cd184a067c571b40f64c2d515abd442e5bb1f4d58015154a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
4c644fe2193e48f36574376ff50bb52d

SHA1
518e23c95651fcd351a1b72a3b0687765cdd33da

SHA256
49947958b0c3aa76165d7c5df3dfb6d0f682ea0958dc87533047537fbda810a3

SHA512
e1dc95c2ca8a88169ebdbd2d8b1bf7537495770037321671b1dbfaa889ff581b0afa8dcc46f6f715e5f9dc9abd73027049f2aabaf26ba899b77a2c5922391f48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
01ecc4c013e3fc1045ca2efb77e8a33f

SHA1
ddf2767a5b952a18ac10ba9ad315f76267aca602

SHA256
32939b2d51fc82c5906a25a60072d20c1c612b985a18e50db8c196a58fe5f6b9

SHA512
74081eb3f204f1d16ac6ecc2be937216c19e68f259448cb5394c8a590ddf9a893e708be81a15816357b9673a9713c527530e053427aaae1a83e046df8ba2d4a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
07dd6d8a670e5e710aa2e58e2b099871

SHA1
55fe5e574aa5155ad988b49803cfdce0633499be

SHA256
1cbfc6a3830fc363d07a894f648149f0df8ae48075d34ab2a00bc5eccc06dd75

SHA512
8a02db5353e7480c7f22fe33b8d3939b60d29ff597806cd36b9748c5bc38ec143a858e12b58b11213509c261cd19fb61de802a6ed658f54e48046b491507186c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c90a60d15bfbd6ad54f5d86a39799531

SHA1
dd58f64982cca72fe0f8506aaaf2c847e6d3ef8f

SHA256
44883c4dac555324c49c62d0789c99e34e89a32d9acfb37d824fd06939e8df00

SHA512
2753e3847251c919501d9aa8c0d71b2d00c43b4bd8c077c794ed92e709096a97594b6e110f98ff22905399ea87b00572fb93a4e4bcd2d013783ff4ea1ed0e3c2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a3d208c9f5aa64a4dc98f830fdd7ea00

SHA1
c0d867c17ca5af9ebd0df8f4abc201c2134f9e1c

SHA256
47de0d8899926055c1972f93127922ae3822fd70a21a6c22bd1e724bf61b818a

SHA512
e753e6514e8f21bae505a37be8bde5b1e0bdbc5580ab6f4e0a32a0f08975bcc32dd35b568bf6c9b45218cbf983ac441316fec7b5c78a56c5c5d1654b379832eb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
648dd03b52f27287e78b5c4cf30dd8ff

SHA1
9b3ac2744423b7bfd245b9184b82fd3724ca2cda

SHA256
1c5aa36d7870bdcc5fdcf2b1ff1ec3be864411e320be989bd8a6824121286475

SHA512
a64a5ce185feb83081b244292e747058109321a1ee49326a6934dba2584dd6b8b5c614d783e596b6a50a4ba3c5b41805f9f89e03bc07035720b8954bad4e0dba

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
bd75ff3b835c8a4d294e9fb9f9147c36

SHA1
9843afb36cfbb2220f984bd4969a78e224aab7d8

SHA256
535eff594a3edf7e656bc1444db7a37d5557beb5dce2886cdd84496075984669

SHA512
65a2fd5d4a78d8c0dac6d69173fe344640819f624e8f45494e07d8b41d9a3b5d6a38a61982fbfe204424acc2660f0e98abeff5edf88fc8444a5ee3fb9db247f8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6e9b3bdb8924575b95c876f589815bbd

SHA1
c66bcf2d6b568e43dcf9d1e7868a4e53d2a1b4b4

SHA256
c2f7d374946e6a0ff0598e41907745ca5b4a86aa9d9073bc7c9ced3b104a212c

SHA512
667c1673c7bbe5c26321e189490f7ca4342fa91332243a607360a64327e1cca195d946b24f7c52f802d80852c6e108e613566396661c4dd472cb41b7c6e12558

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0ebc4be78aa2b7e0d9d83b66184cd9f9

SHA1
0df312c35898839daaf5e06e54ff71c0bc2bacfa

SHA256
09a99c61fd309bc740ac0a3acb93a0568cd4be08ac22f3f4556050708e787cd2

SHA512
fcd439c37e5a3bcea6f9e36bbb775737b6a628afec5ca8d9c87c0c5a45ab95f618cbfb8e94dc76c782bf0ae096510788c22c97645b524571faba1843a50273a7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
056d81306574b19a8b3c75b542ffa6b3

SHA1
00cc43dc2c206b140c876abb93980be21aba0ed1

SHA256
66171e86aeae984e5ab9dc9a06208320af183cedf3e8c7375dccafac730caf5a

SHA512
ba7be8ccfb7849d620b167c3a14d41fa05dfe0fd952561ded6ecc9999574cef296de39031cbbea9ef841e789bdbae6b7720a0db9b322567add0047d3337bdd7e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6e4f2d695aae6fa3bbd53401883808c0

SHA1
ceb70de11887d42edcfc9dfb289a16b16c66590b

SHA256
72eb44b6da450cbd170188b199eee1c577a83b61f31f1ceb3c3ec45957763475

SHA512
7530148b7112652f72a6f0559b7aab3f27aab27bb7ff8dff025ccdb2e26119516bc3a0b60ae73ff878a178ba71672483d03e46a22a389c1797161cc25d42778e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
9a0e01f1c7287da24498e9da4504cc3b

SHA1
5b1788b2cbe93aff75d56fa0ac9fde76d16f3a67

SHA256
73de23c7dcfd7543218ac3784720473213883c0d13826be16863b3c5b167cd36

SHA512
5081008cf958404f8373ca6d4eca2dbd747c75223b8e05b4e2f5ba7c48b2358f9015541c1f1dc7b3e7b465a1678e979df7ea0eb5d93dfa316486f923d510b20a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
7636ab6bd5087e2c40547dc73bf631d6

SHA1
414e4e8d567fcb061066a3d163acac7501cc59b1

SHA256
fbe0a5f51c336c7698b3cc512e4b22469d610d2fcc8bbab3d5a6bf3d7c55523e

SHA512
e87fbb9707da5553cdb4a635ab221a9e8f6979cc7325f2067c53af5a37f00f2d795e1184d9dd15473f6e556421365435ff3436c7eab48d8424388d32dc9cc1ff

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b677c32eb3af849a285e30cf488b5979

SHA1
705cb9aabafc8d3d08e9add7a6d7042c538c2a07

SHA256
2029a776ee78879ba2897266065fa5e501386a1ba398be2d6b8393ba054821ff

SHA512
13b1c6317c163484aa0439d70c6a9cd3bc5f0cf642177a14f5bb63a3cb3eea52e9d683c5e7f573d68084892c35e0771b5500daf5b93b49878c2d97a565901ca4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6ecef171c7c8d1e8e5559e93d14292ee

SHA1
dd5ade210fbbb4842ea40fd89b1eb8d8dadec718

SHA256
bb87198cf9b8f3f318c5d1f1890f2e496e8e39783a939c78579fe7d8cbd77667

SHA512
c16b5c1b5e75844a45a0dd7783f71b656277f8ad9b90cefc273a123c6bc90cdba199b435cd149348f12d5b4baebcc06935e284d7f763ea618c77390edcca0777

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d5ef9ac97078fd2c8ec20e4c1749af2a

SHA1
3f8f489b67262e3b1acbb62d0ff994af4a2cb2d6

SHA256
4db2ab8ebf193e648684badca779eba6b6015fd35c360aa749dc80c5ef06a6c2

SHA512
96db9324d3551bc2b02f0d91253db7ddf4a7d7365e500d15b308d893bb1dc0041d0e82316307ea4dfd756db5f0a5ee82a4ad3f7578de7d4ed39684a8228ee4e4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c4c68ca20b0a0b4f5e706a7c83cc4d53

SHA1
9b1645661f0b46e1a622399745f8b7f3145fc747

SHA256
87d9255b034b027de99950934cea453ad17fbacc8c58005a766b5fa0a409d830

SHA512
1ed38cf5656086e69a6ae71303e14f8db1b76e61d6b4c201f6fa9cd9311fa008b46f62276f783624e9d46d1f4358a0321395df80e1271ffd445e74e8a6ed4287

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0435004416eb632ff90a6585f7ae35a3

SHA1
e7b74ac502fbcdd3a6c0918d212a0e5641134d35

SHA256
b3e3b48a57013e7b499feab0d063bc686c7b633b072c533a782a414beb47288f

SHA512
feccb9dc16071f0810b2dd7e3b99c225720409227b9d21fab132b5c92e64175bcaf4941de67f833da606501647679df1cce45b6c8957fbed4ed5b7b4a8934d5e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c914038d69a971db168aac4e3141f529

SHA1
34c0d83b6a7b248cfef1e4060416a4c060a549c2

SHA256
9c289cba27d60f8457932e88573dd742eff2401795707d3c191631897b9345bc

SHA512
b0bd62e9683b2499228acf4efedf19f1a6ab750ae748ea6e6862235f909278e454b952fa58c616c8b0199a7c2406dd80b04d340713f498774b1484eb1cd598d4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ec57b50d09e3429f17d891b764e65722

SHA1
78cb6bf51806419615d16fb872e1efc7c11308ab

SHA256
eeb887232bf0f74b59d9f5efd3fe1da06338e4a3361b9c236cbcacccecd25841

SHA512
ce8d9cb221da824bbeca81124b54c8931b6c3e9d7e39ebec05815f72ac78d45acbe6a7b67d211daa6077d7b1a84cb70324840558289937cac754c4d9a560b50f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
e6d89ca91330b5e84d343951b12d95be

SHA1
0750d7142a65508b5814374fed9a8e25f35053e6

SHA256
41f649dcb5e587cbd77f2697472e6eb16452713c453a0bf4c7363bb73807de3a

SHA512
15cfb1128cfcbbd618723528871633714a0f74c0fe571b3c89714285cd37fcff02172e47bd46ca6a529dbb3e947e6a22984ce9c02fd450ecf787d0f02bdf20a6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
eb2bede6fa7ee75da095ef078070372e

SHA1
17a3a1c28dce3f82233d8b9b27dd4d4c5e43d629

SHA256
9125f7f39068d9a5982010e7ea79fc605fab1469511f1570964ffa45b6e26b03

SHA512
8866ae3163eec0ce1a32f99253bb4168d4ceff3839eb3a35a7b3d562b340596ce2591e2330a6b675011f1a4edc7ce9ddfaa4cc560defc1e719d5e8799d7e615e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e9a72fdae98792bd956502fdd6b65057

SHA1
5c99d08e9540a3aaac91cb98c4466883fcff8820

SHA256
00083262cae2ae04f10947fa3450eb71c2ef63230ec5091253ac2c2013ab9609

SHA512
abb7bfb73535c2950d7faac1ceecbdc7a2f81aa4a28632b536de41ddb753cedb0dd0c60ff835e7e8fa7931b3b231406b97e8fb0b97fc4eaca5bcd57495a869eb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
157735ce36ab9d536ca143d207b6442e

SHA1
ed05a9e3465da0a7cc5a9101053db1420b9e885c

SHA256
5c3aa409c3710e4878b40258310a63973ec5fa853ac16496687a76fce631761e

SHA512
b00f73e08498f05afa6dc47ca00f18d02cc671b5971beff006ef3636d9f2985e3d60e283e7f4013ca50bf62dd0117bc9e4af0fb95a00e70c4e9aa24d6bebdd64

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
533a4fe5e6d2a2e7fe59711c72a883c0

SHA1
b268210fa954dcd665cf938ed5730f7f891f0dce

SHA256
f3f6904d1a4910a52ba8641f0742eaa354f439f98c82d6f62bf399d596bf75a1

SHA512
1c9161ccc721d1f7efbdf4c3053e4a715796e7164cdc78bc60b22f596f2abd59b9cf21511a08fadcd3ad7005c50c3937de279dec7cfc95a3eb59c1350eeb909e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
0a223a20b73d4e38406b4b94428e9cdf

SHA1
d53c6036eee4931391cd770dc959ccbba13dcb84

SHA256
e39aef0e3630bf6ed9dfef7bc13b2c1ac25e483db10e8a663bcf711e5e9dc339

SHA512
0341d09ae0cb6af941be592af5b6c4e65adf052e106ea8d307cc9e7b1240a0c0ba27f7563e00eaab022f2e067a7b1c1a23d6cfca2427edb1c0112854f4897be5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
16f640a0c098a4eaf53c84d984e6fc7b

SHA1
496bb79cf9637b0146b87bb66521edc6acaa52cf

SHA256
efacc4dc5a4ba85f7c8e4f231cc8e52dd6f36075f1214a3327f0d190a8a5c524

SHA512
26b9075a961bc25fe3602364d8d03f5e04ba67fdf93903af9a58e0890b20b69d96d8535c682b125e10c3fe4c49f14f140f93346d584de95003867e758d368829

Download Submit
memory/432-431-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/432-143-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/536-427-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/536-127-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/856-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/856-83-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/856-76-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/856-359-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/964-154-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/964-453-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1148-451-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1148-150-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1216-166-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1216-455-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1660-72-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1684-98-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/1684-103-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/1684-124-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1704-131-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1704-430-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2420-147-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2420-146-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2512-32-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2512-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2512-38-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2512-153-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2720-128-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2724-5-0x0000000003C70000-0x0000000003CD7000-memory.dmp

Filesize
412KB

Download
memory/2724-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2724-123-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2724-0-0x0000000003C70000-0x0000000003CD7000-memory.dmp

Filesize
412KB

Download
memory/3040-428-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3040-129-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3224-125-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3320-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3320-163-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3320-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3320-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3392-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3392-15-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3392-24-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4152-130-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4152-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4548-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4716-93-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/4716-87-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/4716-95-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4824-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4824-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4964-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4964-165-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4964-454-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4964-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4964-64-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4964-60-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4964-54-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download