de23117bfacc2ffa5979f96d3907341ef7b2c7137a5ad1fd32ad47e3d0637510

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
Size

24.3MB
MD5

90804faf1de089a019936c31d436fb64
SHA1

cb58f322ab012eae0fc18e3fa1360a5123330690
SHA256

de23117bfacc2ffa5979f96d3907341ef7b2c7137a5ad1fd32ad47e3d0637510
SHA512

1d85e4350ba751eab561a78df7069242fc1e86917e9b3ec33ed8ce1871a3c0050899a1598907a14cf343fbebcac25f60ec178d98e18ec38da26464f3e2768457
SSDEEP

196608:9P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpUH2SAmGcWqnlv018ZnU:9PboGX8a/jWWu3cP2D/cWcls1WU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1572	alg.exe
4708	DiagnosticsHub.StandardCollector.Service.exe
3812	fxssvc.exe
3124	elevation_service.exe
2280	elevation_service.exe
2884	maintenanceservice.exe
4472	msdtc.exe
2208	OSE.EXE
1264	PerceptionSimulationService.exe
3084	perfhost.exe
4496	locator.exe
2756	SensorDataService.exe
1200	snmptrap.exe
1708	spectrum.exe
1544	ssh-agent.exe
3804	TieringEngineService.exe
4660	AgentService.exe
3452	vds.exe
4204	vssvc.exe
516	wbengine.exe
4000	WmiApSrv.exe
1452	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\414fed3db3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016e22368edacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3d3b367edacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c64b0768edacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ac7b963edacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022a4fb64edacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dff22865edacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b8a2967edacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dea45563edacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080f81768edacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe

pid	process
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	3812	fxssvc.exe
Token: SeRestorePrivilege	3804	TieringEngineService.exe
Token: SeManageVolumePrivilege	3804	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4660	AgentService.exe
Token: SeBackupPrivilege	4204	vssvc.exe
Token: SeRestorePrivilege	4204	vssvc.exe
Token: SeAuditPrivilege	4204	vssvc.exe
Token: SeBackupPrivilege	516	wbengine.exe
Token: SeRestorePrivilege	516	wbengine.exe
Token: SeSecurityPrivilege	516	wbengine.exe
Token: 33	1452	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeDebugPrivilege	636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	636	2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1572	alg.exe
Token: SeDebugPrivilege	1572	alg.exe
Token: SeDebugPrivilege	1572	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1452 wrote to memory of 5348	1452	SearchIndexer.exe	SearchProtocolHost.exe
PID 1452 wrote to memory of 5348	1452	SearchIndexer.exe	SearchProtocolHost.exe
PID 1452 wrote to memory of 5384	1452	SearchIndexer.exe	SearchFilterHost.exe
PID 1452 wrote to memory of 5384	1452	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_90804faf1de089a019936c31d436fb64_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1712

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2280

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2884

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4472

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1264

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4496

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2756

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1200

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1708

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3600

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5348

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
2⤵
- Modifies data under HKEY_USERS
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4388 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:6088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
eac6983a446b195b5f23c9477915e237

SHA1
19f04a53f572a28805edb307a3edc3366f861fd1

SHA256
e72f15c32db79f11787380535058b32a7aa8765dbec0a08e3bae365647de2eb8

SHA512
c2728d7e9a82da215c01f03eab8dab6dbf64d237089f4745ebbc433951357afec69b532334eebe6b58e6fd56e63007d9645f97ee520246be7d74820cffb1fb20

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
54ab226d513510c11488e612706fc992

SHA1
2aa49e352fb96dd5c8446385beaef624042ce862

SHA256
b2f622cd7041b168442d0a661554d1dc34a7781810c45b9f60dc43bc740e5b22

SHA512
ab5b33fcc4e870104ddcdc0f5693db425fad51c4640ebf778a7794019cd10f2b1fa7319c645f5c1215c78ad037c88b0e11c59a59e0f9085caaeba847a79676cd

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
d1d4d71be6d9d8b90182e19c99f26db8

SHA1
26ff450461cb221acd5bb0e529bbd13d2c14cafb

SHA256
24cc6279f8789d66ab3afaa59d9b753ee784ff0dd11e23db12da4e204ba547ac

SHA512
466207cd7ea9b477b0ab06d389f5ab6f077572c37247f6493006d784aa68a7d1a27abb33bb3b718780b10bb20f93b7c0da4974d77469ffe1c177b182c2c346eb

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
56db01107e4cd057d0284c5a03a2261a

SHA1
3c37d2bfdc1469722d5a0e412f2365ada6806805

SHA256
b6227c32aeaebc787f6313b1f9221f22f2014fc564984b906bb777a2a68fcca7

SHA512
3f6d3a0bb33cdf26d35a07d502b5a38fbb1550fd84a91fd2ce6274aad175a5c6b14bb9b59d270e0ffcf65e53695796755dc52d473933d7073ffcce7e41d39890

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
5d0b03b951a6757b115926e534269529

SHA1
b30e61430a37e46476398504ffe549177f44abd0

SHA256
ecc253fdc498a0e5932fbd2839ba5fbef754176f773ddda475c54d7227c65d83

SHA512
310cc8070828217e68d8e8e0f2a082cef84ac2a0561f7aa338916059303ffb98307df11fcabdf0765c29434e61fde945d606671d9bcdca601671d1602dbe51d3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
63958ef2be17a09e772ff395661ce8c2

SHA1
7d4df307333da5406f191c252a749e1ad9570bea

SHA256
5a93184becca6b6a974d84965f204c15b57ab6574dc8bbfcdeef849ab9825dac

SHA512
a243d643e95e67bc3d3f303680f8e86818cf32d348af4fd173393116c149bd01403fd374fe78c78d7c32a4a240cb0765bf97b40a9f85f80c93330873ab6fab91

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
2d60c8a3cd984920d6896397118c043b

SHA1
83dc84ddc5c047e27c1404e25f9c856766ab48bf

SHA256
a89764a771ab8bf4e0173a0f9651c10e6f28cc626fc841f3e84539bca4d423fc

SHA512
a6a24ca681a0dcbdc46684f04e53baa36955208862138b80cd8ac65e69abf115b3b7100fe2b84ec8fdc375ee0b1be7a20c217b1ff50f5afffef9656d1e31b15c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
70aaa66f7064756d2b870662d107d0fe

SHA1
82655f7b513391e3090ac3c7a09408c1e8f2bac0

SHA256
42211983be03c6508a3beb13293fbd01e30cfb70cb56889d31480601584fa134

SHA512
ef7b2b422fa103cf83595f60c4157b09d963697b1be02622e324d34e59b9efdb83812ab0df3471e23660cb420c672f5e30fa16dcfb728678b778b69ba392fafc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
9503ba6c06b65fdee25ec7c1008200f7

SHA1
6eb4c448452f7cc4c986abc410b5965163efba9f

SHA256
4a85f8c80ec0ac69bdcc603bd09c7f19f8a58e905af0bfe31628aca7b330b920

SHA512
5c841827df5869f5b9eaf48ceda0946c74af9a367b204f7d992c6f9722d50e2b1e0b19dd5aa3bf5347a5fd22441d53abdf06426305ae3ed56331f314860ff769

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
9d144812ee2803f473f36cbaa3206c90

SHA1
8062ed99cb80f3cde4e1a3281aebdd3660476dbe

SHA256
7ba1f91f7c142a33e91d57843950897cac0ccbe23c59c8b951d81de04ed74d3d

SHA512
db7fdf762b137e48af60139d44768e1f5d51d486adb8cd64983b8e5742af03ce2cb225097e2d6c592aa1eebf8dee8f376c656f492b9422dd6ed7af5c8fd64c4c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
02c456cd2a7fbcbca3d637b4190b484a

SHA1
ffbf1f911222bd0347e32f06e6f9bb07d580924c

SHA256
3c0a34c60076298485328924e34d105319123e92223cbe0fd3491eda07251c5d

SHA512
f5718444bf48fd36fed2d3e8f36c2900cfedba3ebaceb2cf4cb6415b27b40b7f0c0ac130b0b600fbd2842178ba1af915a2cbb2a048082b9b72fa4f7b1f672c34

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
a2c7cc1a9f8916455f5d6511b1d6410f

SHA1
4cb4eb1c87ffbb5cc640818919de2a9a5abc52ba

SHA256
9dba7d91240e2d0b032071b3bffe7f49701ab5f000828b64d763627974ec4314

SHA512
9b7304c33d6108118423ab4204f2020843350a17b9f9295e0dab68d3be922f3dfa325b9d906e9af1d2d154794b78ab1a84dce248351f7e5cae8aeab0fa4bdf9f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
14960930a6b2af7423f88048199c9c6e

SHA1
0cd46fd36dd888c1622fd175265da0172950094d

SHA256
50d6471982ffd5e8fdbb8beba8b36ce1044313a3c2254347e5bfe785debbfa75

SHA512
21e94bbce2a297acd06c922e8c32f4162b43c157b4c4ecddc5a052b9ea6f8d823087160962b3e383d0cded8e63fc759059defd2f3932d4258399e8cb261159e1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
3c4dbbeb77f36b7661c7ca9bc6815251

SHA1
955e59c7d2318e2925b2a185b22e2c4754040dd0

SHA256
6df6ad5576e6701ac0b041dc987dac09ac576a18bbbdf7d531a28b1abf8efb8e

SHA512
ba86411f6f9d58360d1e80b984d1943195be49adced377dfade92d5ad369bc5e5abfb74d1ba34002af61ec69f459fd0c5bc976b3f9097324427f15e2893f1b35

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
4.8MB

MD5
e19f0057705ead38b838ad4ff815ef7d

SHA1
69e1950d67421d48b8ca25d0026a94d0913bd1c7

SHA256
f36dc15c1ad4834a95984f3e708a90698504d8779cd19911fd468f7b8e0801d8

SHA512
9ee299edfdd86a4acf1216a1ccededd80a72acc4d294bbdf0860bbe89cf324ac0c2b7bd0c435eca206cf432caa72525b2e38f9e04f1d1ad9b64118f3fadcacb9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
4.8MB

MD5
c5b8892e25009bf32e68d2e7f57db6c0

SHA1
97e547d7eef3e53767963b924ff268afcdd8474f

SHA256
841ee900fecaff922a72474d8fb52576192486ac07434c517b9a09bfde7ae4f7

SHA512
1890ae68a6854847a55441a730840d861626ee559c4418d38b1c16b5740a69e51ce222ce993dcf53baa12fa7014be50a80e0a1e9b863b9a6f76bc333f3cdeb15

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
2.2MB

MD5
7de12708508ab1f97c56b28f58c0a004

SHA1
7bc622eca3c8ec6415f7c8ab69340abc392fe832

SHA256
c12d93d35f61a7b15a4deb637d4c345fc376684ae1ab4c3904aa59a46d07c868

SHA512
ca6e3483615d13f7de24f9c090ce5b4d120b27afce0b2a2ced012d59cba6524725b3034561124e453320e0d0d547d45b7b027acd833e787ec75022c45a9b453f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
5778dc6e95c4c4486b4ad7892dcd47d8

SHA1
bfe2ec05e899b7dbd525c857b6b5a599bf051e0c

SHA256
914d92192685d29293432b0e3cf751748799deacbfd7d2d2867cf43c0d7f43c0

SHA512
7d930a45c107121b608faa0812a22d3bc4db90a64b599e53cba750fec00e6c8023d6ca260a32179863584d341916488e0c4203fd34539a6258c5c08eed5d1a8a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
1.8MB

MD5
d6a9cd999f807ccab56b52f7cfb2a817

SHA1
16b3851afa6a52459431d1f76701df829ff6850a

SHA256
789d0c9abdab755598701240cd8a19253523092054cc857eeee9b08b105c9509

SHA512
367579c70890064c2ea4ea853ce37f3198a30d88844deaddde3ed234768f568ab3f921519ee6988b42bcd7c1f2b261798edf7c42417b7c9525b3a9eeba02bf02

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.5MB

MD5
c27489087a02dae3b6446947ddac5fb9

SHA1
f5bd47b246e5987cae7ed899c36327a5a600c1f0

SHA256
d6690337dff8a5c67b53d26dc054f9012d0fce7536c55e033e92552c8e1b8e55

SHA512
993d538acd796876823a3ee9a0ca25c5f7c32aa71b43aaf1a73f67dc55252feacb26a590ba8d0985f9e6aaa79c2c15d87a6dd83ca7645315c7eaf323dc0f5067

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
33f5136baebaeb2692acdbc69edb9342

SHA1
e968f6c6e53207dbee7b10bb76bc562dc7cfcc0a

SHA256
8c78d2304b135d3d514a6c186bb9e448ab50ff60fb42a57bcd3ee2606b93c13d

SHA512
d30e95d445018485086911bcb6eb36036303380841624d561f0e4a04cf758da2a5aaddf2047329606a34012ecc61125b13b600ed1c99b3db62fbe60011f3167f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
58909eae37caa644335b01e62b2ff6f6

SHA1
1438dc8cec8a354424669440c7b3a0a993025515

SHA256
361463577bbda341f2d57b29308634abccaa10184b6ed480ecd46ddaaead6a6d

SHA512
a6a37f8a3785144944579544d93d2cab60ca44516bd0ead640c8cfe76e4d06f92c52ff8ad85874ab5106ebadb445fa87a364f782f3c3770538dc8698f3ab3640

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
06cc9a0e7e55e6fbe4f1fe77aeb2aa79

SHA1
93a333f5663d61dc5aad1dd85e267876505d6ff5

SHA256
b481c93cc3d0e955ca84d3cbc0fb9bb39b18c520f560a15c7dfaeae0430e15a1

SHA512
adffa376647d2887571242403d8990b1a9b8cd908cde09b2c8e4d45c7477ce11b90ca08541e839e3532fe9efca32540e250b89c84e111587f2aed88f1d77beb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
02028dd2e5f0beb5aef7d0cde8ba977b

SHA1
7f68994ea7e783b7ebfff2620a36db381ea09d38

SHA256
fefd094f87bbe8f9b05c0512475923b19aeed1a28d9734db24c5d1ee6702ca22

SHA512
a2cff2c24c86bf769e31d8cca0913ed9962e960e85dd2fc27c63f3388d07c8f7daf3843b4d6ed773914200bf21097dea6b7d5e2903281e292555b2b9db222f8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
ac37872a3c7fdd745ac7ba46abcac628

SHA1
009420dfd8702ca0bffba0b24d9c2cd8c12be563

SHA256
aaaf854f0bf0fd7cb1f278f85f83c28ea48c56c34f7ee9386a6502d241a4681a

SHA512
b884cca1434795d82b0414e05b705cee48c866986aadb29a8ad78c8657ae73ebbdce2f45dff0be7c0f7dc294c9868a74d4de25254cacf52598ba7dd6d16b4694

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
9fcb874e91f5d8db05165bef21373ae5

SHA1
e1eacc889d2c9e4963b0354c3d70187c1dc901a0

SHA256
e4ef1e7219e2f927617b8764e026b1a079f42e1d8cbe9bc251df49585e8cb616

SHA512
bd3f5488c756eac25f7d8fa4ac9791422d8af3597d9ba891b9142bcaf78dab9ea5b346119d064c6d2ed4d98f04f37ed7e4927e9ae2bc46c42c916d5e1319f25a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
beaf4787f2bfd1893e7ac07362734bcc

SHA1
596371b75ea0ebb0307b6da14cb55cf9db127f50

SHA256
9cc318f2d50e130f43b3396f03bfca69762f075b3204dcb075d41f77541bfdda

SHA512
9c43bfda80a9472a63fb4b8700babfec6278cb7967f58fd067f1086a700ead3b67c0da00937cc1c594fab8c3719c9fdbe904187bb8b470359cc53e276f5bb224

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
ea1e0702c566b03941852f7f2593120c

SHA1
2605c33aa5d16ca03e17f97d8a27e7a369271a96

SHA256
7c3383e656c198ffd17e07c2fe457fe1b69c89507d9fba9b416cdfcdd22fdc04

SHA512
5786a982d1b1efad3ae33045c515ab52da657529b178065b8835ab8a41f10526be92007454ea8d293a0807adf76be1c15b61d69e441299348da479536e6f7a85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
793423d2827b7730ab15379ab73a8c1c

SHA1
ff68a018241d06b602dd0e277b4415c267da1d1b

SHA256
548c8bfb622a92e9b78cd120b545cf468b901b2878328c5168dfd1d8062f2d01

SHA512
0fa755f60870059beff137a4e03521eec0645f9972fc285fd483761a2d1e17abf6504deae7eb010945cabb4d4aa5f3a45d6bfdde80392d60f38ee9ee9d4b3ef4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
265113b5afd33725413ee29a244159de

SHA1
0fc53f7d9cf5cf577b40eefc314e9c6c6d41b5ee

SHA256
cc251ed7eacccdb6879f685d5e3148757f72794246d683e67fd97b41acbf5b12

SHA512
4dc5b872666490d454a033b5ab5bdb48063c06bad8dce94668fe90048d620fa863f34f3c9df59cbee7f36508108e721b3ce930ce82dea4b574a0578832e6aba0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
9385a836e1979597a36ffdcb1eeca4a6

SHA1
38100bb685fb505358dc45528e34c55d418d4582

SHA256
6ea76d21b857a0cc189a9bcfcbf9a541f72172d9d7c56477a83b60f011b89735

SHA512
d8347037cd94a555333dcb2cf9edc09395521fe0df1d1ec302bf18a48c0af72d19b8b39a0bcdf93cbf03c9da02c069c19cb773968f3845ed9784f032bae42d4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
760786ff9da55178415cf11775a49d77

SHA1
caf04825401cb023b250bd9feab20450839de545

SHA256
f5abcf93d341abd9ace86aa1cee9c979dc49165db764e37574e9f8598cb632a8

SHA512
01a43083fb3ce4b0cd3bc5d15fdcbb7df77547bbc3ee012704e834ec5a4a4d40118829b2a11518975907bbc7d07ef5255956c974dd495b5df7de720109845a8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
019ef8e4e993d10e16efb546472309fa

SHA1
05ad6e42dfc6db5abfacbed2ec04edc6b47ec2d7

SHA256
cd824c3eb5f495050c785c39c4ec7bd2479869319024c20e2a2bdfe91a100cc9

SHA512
ddab5fef6fa167739ca434a4b6ae39e54be2b1a7bf7590e721afd8a6516385134d0cbaaccb2ad9570d1323980475d50adac851603145d3a86ff24738a5bbe2a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
a4cc3df8a0f643637ff83b9c3e2429c7

SHA1
51d36ee91bbb7b8649d841d3e67af820adbcfe02

SHA256
fb3debe0cf8b8d38c1ed21e9b38429b9a5b6aad7949c9695a5337ceed1769352

SHA512
e15e63a68e6a12bbf44fabb10546bdfe7bc6141c436710435b43a7a725f5500650d7e20728617f89096260bc28730ea05e0566e0d50c0309620057e6251b6cf1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
d125bc6f1db4829ca2757b9d95338ea0

SHA1
6b9b37ae46c3fc5eda2e551193f9f0db419b8391

SHA256
baf7eae5fbf950cc268f7ead108df8bb5d97c288313510195e17092781ad5f1b

SHA512
2b17d39c079780cfa9c61cedb802e028d619643583798ec338cfb1c88cc2ac2baba941330fc8ab56412e22ba98d4c904665ba0de788c04f31d30ceee98f721a9

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
696KB

MD5
56f10342f7b9e73b4f3e59e1ed6d24e7

SHA1
f5b86196c941b9d8b312e89f933ca221ac2a5dbc

SHA256
cc56fb77efa593879b8e5962573c8b2e4be5060b35bf5336eeb9b26565ae67f4

SHA512
a49e8bf9ea1f4a86257cdb5355771ebaaea1c0e502bf297d5409b1659b94d9884126cb96d8a5a25721f75ce2ed0a2f577dde7b5f164ece37f93d726735b81d71

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
a164285ea9e81cc2667b5c24b56cf463

SHA1
3c665a64f6ef253454dee137c27fedc42ba4da99

SHA256
f09c11987b3b93f48b3604cbecd05f328407ff0defcc1e765ccdd14f12600b7c

SHA512
c32ca2e34dec3492f5f1442dec40166705efa18142335c24305a48d19e237cc2cd9d59a255f3ca0ebeac8360f0809c598d1df6100980a5ec1393b86d9d2f1ef5

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d48617cf9c033cee2ff84d18d0b29171

SHA1
b5ae1bb4a589f8971cc68b4d5a5878591cb7e0da

SHA256
c3278e9a2e06e28fabb456873c177aedfc8653c7e199a15c510c141ea491387e

SHA512
21b7574863417455576ca4201d005763039120113744a6b5a065ae4f5a944d0fd44c7dbd52c49dc786ad702429903fd5a443fbc4bfbcf67654d27a78bd0f9f56

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
cb1df69c04ea155e713b6fe23f3925ee

SHA1
bf48eaa895f42dead224e7514af41d73897a13a9

SHA256
6e3374335a19e4266e5dbbd29aa4653ccc917a276632677824ef6c5dce1e5c9c

SHA512
1e644f13e47665b71debe72b0d8b21108cff0fec8a9c28f1777b9bdcff917b21f9b5baef4f205286aef9104465795301c14834f7800bbe0d7414393f4b68ffc8

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
bd3bd6ecf767f1fc8e85f981868ec0a0

SHA1
9d98f26e782d4510e71bb6c939b0042a6cf7b350

SHA256
259a1b2a50681879c5aa1c18b4f871db0961163c093aa758c1477c981b0a016e

SHA512
6c1abdd6d4d8311bc67af2f0d3dc0e3c8e959c2c1fadfd62c82b8b7b1c01aa09bd02f86a6dd002ce9ab6dff4ffb122906cf944380fbd05ace4c0fb12fdaaf839

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
92c92b69139b13d06452eab88b1b06de

SHA1
97378dc54f2293192623f6e4310b6364627c952c

SHA256
7a96ec994d6f419cd524b5e7e62bf7094dbb6f4cb381fe8b0715297b1e097e56

SHA512
29a182a167333b4affd4c7cac7bbe1841bed6917a72e723c1cb04089edb9464dd5fd0143f52febef15dda5462e5be8f968685c4c446558166cda52ff55a292d2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
f5a78bd771a2aaf3610751e309a4535c

SHA1
f6ad051833461346d26ab5b81787b05204e2482c

SHA256
9b7d2f8f4eb25164d24568aece809b81ad5e92a2e1633b743ba334618fe2e503

SHA512
71a89fce11d6be93e3f92459c545ead4a3738bb2823a3887dfd9787cb0199e617ca919d4a06f26855ef32d6236aeb3eb536292c84a81f9e707d665dc4176c3f4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
7faf21c51400daf7aa08ff281f29890d

SHA1
e5c35af2bce23b8f575925fd85f9b41fa4987c42

SHA256
abadbbd96417588b5df287663c73203db333194328f58dc200f2d3d88f88a48c

SHA512
beb8586de8102cfb8b833de964a29c1964fbeea36e09039001fd578cf62a98d6df9ded0c01dcff38c39e5bc8632e1a626a95f1b779fb06ddddd8a2c1ee00755a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
63c48f23f87664098b95f0db96bb4799

SHA1
87dac7de986f087ad2efc998cc3c37b0b6d57619

SHA256
da778424917d915e399997945839b87364d304781773d78e823ba854b20f77a1

SHA512
289160cc7ee359e65384e87c816e631d3e82baace7f2161907f1592456bb37f90b8475cd2e8037184a278afeeaa4c7a73ab27633227cc86819177b6b0ffe3671

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
fc89ea5712f2ba48c50040d820c7a14c

SHA1
c5c74284ef4cfce2b53c8339dbaa5cf299878873

SHA256
3e895bc43916a604ce15f6833023dab1a063334a2b5b51cd995876d400021125

SHA512
c0ae07c68733f2d6fa15eea44fcdae5e1c6270d81171165fc3d30a0e8adf585565f2504eae17e04557bba0e757f760b4b9d330473385ebc0bd50357d70568649

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
eb743df7b8e36db8cfbdc5ac1fb051f0

SHA1
484f23e2bb094c3118a39ac0750c6efe2c5d5408

SHA256
4ae39604634dead943764700558e1b5a6eaadfe6eba72311c32cb8a98e632b2b

SHA512
3a28e950bff2f644ebfe62e71bed58f1f61e9a99b58c4d0ee17348d669da0cbd4a611fce991583b31b4f70f4863cffea558fee3f2ed2b156206991a377f6e386

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
ca2681ffa5abcf80869253aea34410b5

SHA1
39fc1e119fa989e1848258359823ac72ea3121ef

SHA256
aeb72940ac4ee75f9252b9b57c4a46066f71e6f4688a2728f416df70801d274b

SHA512
4c0c421c53115215a919c3e9d5edba9a64518e63aed4aa2097c9b1e92d42f4619c28751f0ecb7651a5d878f8b9b8a20df0d4829def2afbd23197018a015ad463

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
abb8481c56fe5fad8b2da2801380d843

SHA1
e01e114005467a6ba3dab6e242e8a98e6f15008e

SHA256
b2ada2ce0308a7dc5fd8a8b6d5590abe8d6b5d139341075d6337a7279f4ac24d

SHA512
5c454c2dc95a0601860a7a3048ce73c713b6df0e8ca71aa96cf2744581a072920400cd4bd33ae763fc7dd3a79a81404292be9f4e1062c62438c7e67b76ac5c97

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
4707cb14a945eb6f091f803fe6349f2a

SHA1
1e3433963e45f5304a540c27433fbb594543db2d

SHA256
c55e83cd50e5419c2920af1634d17f505b10cbd6157fe54c90ab6afcfa8804a2

SHA512
a7a1503db7c0e0bad6178850274fc1392de7863a594caab86dd411edb9d50097a77de2a85489f136e40de4bad59a4a8676f2577ce2c9ca126808d96965e3295f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
a71ce123d782b8a12966cabce2b62661

SHA1
c2a4df4a42fd4537377bf6ca247cf8b8fac0ddb6

SHA256
f992a21b868e274dbd5759c866ba9151e949144232e42fb85faafb34c6530130

SHA512
7946bef2df86b73fe61ad7f08947004cc1b22eff17b367180613048ab4f512a8770f64d3fa18559f430a8c7d639d0d4554de1aa8a2fa91a677d9b8a53f67221b

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
f1b25322187a0ea0cb8782e070e367a8

SHA1
a4e2c9c20301f40656728adb15a52b9a536b8625

SHA256
72f9fb4c71a1366984bb12876d8a3b071618941c55a33f8a62bf2c84dd63d618

SHA512
0ba4df34901c5c157d35c134a72debe11f13f3ac20ef2ebdfb8805fc91efd4f7db4fde3e8d66d5046fb5ed25016117910505bd84d929745b032beb17c82ddb09

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
5ab4b7762028a1f5c3c51ffc41a8d3e3

SHA1
a664ae6d91897c345137ebdb450d9a147ed8a943

SHA256
a6f5fdfc295fde103d22ccaf6630aee16bd56a1fd832a210c79310368656748f

SHA512
f3ef793fdeb6d86eb54dc668905d1470ce363840b78d85de34ce284bc79a3c3ce67a8c6178c70b43e25549f030765a8da22047561256fd6aceaee79834f490ef

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
cd1def7dbaec070e4a7975e421ca8a15

SHA1
c24730ada0212fcab7a4728d946eededdcc92b1a

SHA256
b85d9d47ba5ee55054464ab9d59422b3e09ac752fe757df218da098e77cef1b0

SHA512
6b9a47d66a0bdf1e33d40882cd7370a6a0b4de58dc4ac27926b17a97882271d607803f375fcb811d7ba60bbc650e9568be215d0cd856507c6ecc3edd40e0b609

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
144db0ee1cebe46c2d13400aee1f3f1c

SHA1
769781828e71d2e11101253123e1259d89b97008

SHA256
fc0a8de981b5486403cbc501a19857190284220d53006e6bd4eacbadffe59916

SHA512
b25d7a2d2df04773e1899914dc4e68c91be849c43918ece907ac19a5e6bd78dcc1c45075f7959405e3c125c83f57b70dc671d8f9e0e444caa666c2801c936676

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
130ee79327f23c63d494a49144eb03b7

SHA1
05ec426eda09dcbd8ef62854535e96a75d358031

SHA256
fc02e7a60f214772461e1562ade74e57010c418d509b6ee5d8570c2c5b282e1a

SHA512
2641ecca529d7c33d2dcb7007fff8f6057edcd270b01d24ffd589befc3d5a5c0f28752bf9f7f2bb862efc3288d89e0d51779b0810dc196017692e40f210dcf22

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
a066a98366de33948fb452f0d5252105

SHA1
18b29ec1f0cb44ed2aec839e17007b6a9a3a63fb

SHA256
7c0f5fb8b121f7c04f9678d344690566773e179031083a1e9829782b099f44f3

SHA512
35557e36730b4e64179dca4d5fbcb468d52f6c3c9514e3df2cf7131ee570a985dbfb7bf9254926e686ed679dd49ee325bbf622bf12c43d861b5b075ef48e17a5

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
1a208d2ebee5bb4c50e3cb692617a8d7

SHA1
c4933a806b4b7a8747f1062c1efb90e60781f23e

SHA256
0a8d0a7e8f144379f21e17517eafa50c7c90c94d2c7e9c04745ae21240a5863a

SHA512
95feb4312bceeb2213f2ee60b7087c344e4a1da01bf4dc446424bfcf2c46681ee89adc7ab39b86df3fd3be4d0df362263d4113ef434398e7a485373fd686e943

Download Submit
C:\odt\office2016setup.exe
Filesize
5.6MB

MD5
368ab0e29cf8cccd180f6307c2c164f9

SHA1
2191dc278807402ae37e036fb43f82c2a59bf6e7

SHA256
9c33271d407e9219c9d9861e092652c41a833880be59c77f00e646ce0a7b2037

SHA512
634f533d9ef713c33f67e60298538f66266cad41a7e97864f3dbc2b12abe6c38038c2b6f0a742ed7efbd2a616fb931c0578c09eca7aa362649379a925d298c50

Download Submit
memory/516-480-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/516-239-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/636-79-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/636-7-0x00000000024E0000-0x0000000002547000-memory.dmp

Filesize
412KB

Download
memory/636-6-0x00000000024E0000-0x0000000002547000-memory.dmp

Filesize
412KB

Download
memory/636-1-0x00000000024E0000-0x0000000002547000-memory.dmp

Filesize
412KB

Download
memory/636-0-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1200-152-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1200-338-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1264-226-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1264-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1452-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1452-545-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1544-434-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1544-177-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1572-114-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1572-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1572-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1572-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1708-164-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1708-401-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2208-214-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2208-100-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2280-82-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2280-61-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/2280-176-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2280-67-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/2756-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2756-400-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2756-140-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2884-83-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2884-77-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2884-71-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2884-84-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2884-86-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3084-238-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3084-126-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3124-163-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3124-53-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3124-47-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3124-55-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3452-215-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3452-469-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3804-188-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3804-449-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3812-56-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3812-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3812-43-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3812-37-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3812-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4000-542-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4000-251-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4204-472-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4204-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4472-90-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4472-88-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4472-199-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4496-250-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4496-129-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4660-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4660-200-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4708-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4708-31-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4708-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download