47800eb0cd43c325a871673f81b85b8a619ff7e9d0d3d8308009f6c8af6a4821

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
Size

24.3MB
MD5

28e5148b36b7614f255ccf934f047d86
SHA1

2eebd13d752dd8423d2d32487cb8945c91476e2d
SHA256

47800eb0cd43c325a871673f81b85b8a619ff7e9d0d3d8308009f6c8af6a4821
SHA512

19e555e9eb30fec96a53ff9ea82589f56ab1367b8d22a49a2e684e06a4ec6b5880fb76349189ad03d6d4455356a26fa4f8c09a146a18cfc280e804dc5045fbfc
SSDEEP

196608:GP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018o:GPboGX8a/jWWu3cI2D/cWcls1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1404	alg.exe
1128	DiagnosticsHub.StandardCollector.Service.exe
2340	fxssvc.exe
1472	elevation_service.exe
1356	elevation_service.exe
2888	maintenanceservice.exe
1980	msdtc.exe
4492	OSE.EXE
2500	PerceptionSimulationService.exe
2764	perfhost.exe
3352	locator.exe
3508	SensorDataService.exe
2748	snmptrap.exe
5016	spectrum.exe
2940	ssh-agent.exe
3668	TieringEngineService.exe
2616	AgentService.exe
1316	vds.exe
1804	vssvc.exe
2492	wbengine.exe
4724	WmiApSrv.exe
4980	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d70361feb4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006928a83b31b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d1a383b31b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7dc5b3b31b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c557f53a31b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a7e1b3b31b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002501a13b31b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
1128	DiagnosticsHub.StandardCollector.Service.exe
1128	DiagnosticsHub.StandardCollector.Service.exe
1128	DiagnosticsHub.StandardCollector.Service.exe
1128	DiagnosticsHub.StandardCollector.Service.exe
1128	DiagnosticsHub.StandardCollector.Service.exe
1128	DiagnosticsHub.StandardCollector.Service.exe
1128	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	2340	fxssvc.exe
Token: SeRestorePrivilege	3668	TieringEngineService.exe
Token: SeManageVolumePrivilege	3668	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2616	AgentService.exe
Token: SeBackupPrivilege	1804	vssvc.exe
Token: SeRestorePrivilege	1804	vssvc.exe
Token: SeAuditPrivilege	1804	vssvc.exe
Token: SeBackupPrivilege	2492	wbengine.exe
Token: SeRestorePrivilege	2492	wbengine.exe
Token: SeSecurityPrivilege	2492	wbengine.exe
Token: 33	4980	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4980	SearchIndexer.exe
Token: SeDebugPrivilege	404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	404	2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1128	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 3608	4980	SearchIndexer.exe	115
PID 4980 wrote to memory of 3608	4980	SearchIndexer.exe	115
PID 4980 wrote to memory of 3296	4980	SearchIndexer.exe	116
PID 4980 wrote to memory of 3296	4980	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_28e5148b36b7614f255ccf934f047d86_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1360

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1356

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2888

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1980

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3508

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2748

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5016

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2852

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3608
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a0c5745d7644fd062e36819bcef18a61

SHA1
de340d0d92178ee4b133ce45557443e1f422dfd2

SHA256
5ef559b6e027ab6f3bde6c023b1a5c57c2f35e753541cc39df91abdeaea93931

SHA512
716cb9ff26f94d648100af03e7e3a998e56c99c78ce34e009c7c50e67e16cb784c96134b03fd0ee6a160a3f143955ea4298231d32ca24e4cda0518b14579647b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
e1f5e596e7c7b95607840b894eafb89d

SHA1
6230e4b3307210850d34af1db5f17a80853f1961

SHA256
c8ad97c250351630d0b531c02f02c3f2b152348fcfb5530995d190868481e9b8

SHA512
e4eb245cb1d55e8cd28bba7b6137d43d033934416e12b6c4e92e7f85bacb19b02986f7f10c232665c5150169e8fb8f2f2266111b431a43ff255c1637bd291897

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5ffc2c26374c0074797b0df166d84704

SHA1
a7456911029f76dee7fdbe153bfcda98d05a337a

SHA256
b31c27ab937023285e66443a97dbf150cfec4a9d1809b1a5e266230d1a68cc34

SHA512
049ad77ccd0c5624ed802a2511f10399adc2dec0a05a9d3d835ac460721c79270f341c5a195b2e554d8d4eec1d6489181c501eca5554e709abd6d6ead8d5afb2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
13bfcb68bf251a81fbd20685ee673182

SHA1
29637a8e04368715446f8ce16210917569e7d9a9

SHA256
84e2047487836c5da0b384917ec8dd3628adc994e6285925d80747f28d5b983e

SHA512
82578ee08fd64291b2f08afc11f5e07ba23cf2b2f4a798cd8cf4857a6171b72f1e6b4c0df24d0d088a0eb5a0b1a563c2bdc2f885ab865ed17d8d2a2924b920ef

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6dd2f8f2768f9dbf8ef8b33161a708bf

SHA1
f802d53cb50015b149b058a46a0a624270e97400

SHA256
85aee09b0f24f95d5d39ab76dcfd3d9d4191eb08a210c5bb2b2bf519058ad49d

SHA512
8bc65e4056cba6f024f2f2e5df209c93fd85606894d715648986fdc8d52089b5ab486ed7d9ab045351dee532dc6c29b491f620412cf48b3ef3850e5752d6d0df

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
219d80a828d780033f133edd6da0af00

SHA1
08de36d1d70a22b94ba6bae8b7a18a7492af35b2

SHA256
896f02de1f478cb9d38e74e9bdf935fbf20114e852270461a4981619dc49240d

SHA512
d79de7e4c68fcd0c273746111dbcfbb0a14d2fada1734cefeaf7eec98e919be6c1f7e5ba1dfb56118d709b32c613bc5e4a4a8191f8094a3a624e417518206a29

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
276d2665a85b69d71b9f0fd03b8b9e20

SHA1
0eb2e8ac7db70c018f4632d78dd729fbac0455d7

SHA256
e995eab6f61d7563fbd5cd8f42abe8e01c6a178aec53125441ec0975ebf16ab0

SHA512
abf2ee91dbd3b445343b2f54bcf8e2d022b06bd23a57a9cf439a688a9adfc235d15b00b65680a387f553fd09c1bae58786c214764c43a81d3e51267c05b1e7a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1e3068107ace3b0dd56a377ff6c34586

SHA1
4947d822fac49dfdfc18b17f4d199819c667229f

SHA256
30e4c52052815c7228e73ebfd5fb6a5e617eb6e632427b9ac0f20feb0fc059f8

SHA512
518d627d86f183ef62df089a052ca9128e3de9cc3b27d35b25ab183574c999845f98c0290e24d7de501c3cb531c56de689b945a836893dd700fa7a5a4e6a2881

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a5ca06b0ace1c07c18ddaadc61afbf71

SHA1
b3009550f95c1d92f1181bce3eef386a3199a6dc

SHA256
c6388841130a1c6b74f405645cb59a725b50ca7fd58c4a605a30a89ed5b7ad35

SHA512
9ea80ab9c1cd3a3bb7175feaf616cf0750f36bbaa4fe8390c29e7ccd80d5a5369346d14f60329c04110799397f88c46afab4fe216230083ce6d2d73a8835ae67

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1603e19d245a161551deeb6798106086

SHA1
2e2846df3eef314b93a9bd991338d0d9111874c4

SHA256
c064543fab7177179319387e2e077adf67f829c5eec247d99fbdebc8aa9c77c3

SHA512
82b167049f186ad4912afe1b7ef8452f495d995e2de57120719af7dccda2a057d14b3a2f0b98de099b01bfa3e353710c3c555b311d7c6c4038d4fc42b78baa5f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a6e16067cdbaaf9268918910501289f9

SHA1
c46330716bc5418787a962768cb1c50c99ecbda4

SHA256
c70e349d366df8beb90aa560c4790d9b83d9886e05e8020c527dea064d635517

SHA512
084ccd2fb331ed89b8f1df05ce416523d4e329840917d61442ccc3c8f8835f79128928b7224ba5b64bd8fc7fdfbe59c3ba47fb64b5844f0b0eebfea5bc321b4f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
08f5e3a799b493821b32fdeff9287472

SHA1
e6b54ed5d62339cf6b2457d6ffdcb41da88e16f0

SHA256
049290421fd1b26b6739d9d03927c053189e07926bb893a544ad2aaedeaf13c9

SHA512
b47591c680a8f188e444bf6fe5cfacf4c4a89cbcaa26596d4f60cdcc613a2ef4b0c5b4387327fbe6feafa3f66464bb410a2df1cdefee2e2a08d578eeb4706a26

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
66a05e672e4092fb20bdc0a1a127b42a

SHA1
d2a28048683feb6ce22a7a706e87d073f879d8a0

SHA256
0a4c593e98b448d004441d0b007dfcfc55927af46a9c543f3b063c14c45e23c8

SHA512
7700a6b49fa50ae195d6454ce303d09019d8585e6f70fbb936a42387735be15708cd241a79951dc08645243eb84bc240db5d5e24cf48f7e798dbcde0668beffe

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
4bb39b2d200b6c33e11c624131ddb6ad

SHA1
2536c0b49eab9864d530f7156d52db7c39d22ace

SHA256
754f4a032c318b41b3cc69fedafdb6c61999d64aadb209d49f5becfdae7acb08

SHA512
0150aaac25c643f8c9f474fcf22f67361c3ce68a41efb3fce8166141e77a59292fadad82050a70ae253b819a4df7bff2c7fd1b7886946616c782bb378063f123

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
39560d473274db23c63655db022e4d7f

SHA1
18398b249b82b095cc0c5f2fbf2aee073834e245

SHA256
1870f117a2c18cd385b08ee9b88fb28eef209b5ed5775c4cd3e4144966323e33

SHA512
4a9bdd3202afdb1f2a1d9238b6da797f1f9968edfcdd057607e71e6949de81c924623c88317ad232f19dfa9d72588bcc02622820eaf29c5a4365249a7dc42320

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
39cb2489575b3d740090a228871cc2ed

SHA1
608486dfa62c33a9a5ce1d399112696f2b453cac

SHA256
4a5b683f1b1a0c0af49b343fdd80ac24cde92124f1d446b0991afd8186615738

SHA512
d9fdf67f676da0beb08ae1b8a778936ce9df614e4c38ce538d90577e22af0deff051e6175bff4bce43f94a4fd1d4f0192f5f9f0c196bd4e891ae4d677d0ed3ac

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
81a56370266e1c5e7fa30799a2aef7a7

SHA1
0e65a02f82fc65fb224154f359fbe4a99b6df9c1

SHA256
01705892733d7a5583dd4a3fefb8ca3e98928f18f739f8f46af1e167bc8d5666

SHA512
432d1bd7984ec1052088878d425ea0a961aba015389f55662a679f914ce72b12418f2e63400fd7f4e654f4fdc684bde4596e69f0f44f2cf681a6d33e7ee95888

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c5f50073c867fbd6a5aae49ce00210a2

SHA1
574857ca7d7f46d092119f6b7d5a4363d120fcdf

SHA256
b77cd1a33dbd2312487243f41204fd5ae61775bde9a551f0d8427dc5ab384795

SHA512
c16a825e9cd009ec12dedfa63848bb3dabcc4cf1850b5f050410bfcc648042109541a8cb7fdb7b300baeb45d6e540f5a2d526304f8d2157fcd0e0f428c4f1f6c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7a8f3f44b4390069189a04e16af75f22

SHA1
efcf6c2cead2b274b2f36e5495d23a97a3bac0cc

SHA256
4d5173996078e8d51ff7656285ef8978df26fcefb9781ef7286993c754d4f243

SHA512
1f22d709fa52a00aa4c847a9eff5567ba0efd7e1930f677d7f0cfb6644ddcc407e29695b74decb7b68821c3b8b9f16ef9a5f6bc07eb860166ea34ed6ce761195

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c72879718a502371e37e97d2a8c65a91

SHA1
635b7638462e2c17084ee3d21efb157aad42b5c8

SHA256
9471acfb073e4491ba7df2eb59f2683f0a9d7d43fd1266298d58df1848ef07fa

SHA512
176b2ef6b751e0630af19da0cabfe6f56b3e24b0ea96d8671ee5254f152845ebff164642c5f8006c23a3ed6d26cae9e1f773a33a7ec25e16051bcb303e6e110d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
b7ab7246c2d8068c116dea4eba775b62

SHA1
5bf8bc8c003afe497c4260e1dc10daa9968ed011

SHA256
0f8d038cf08b16dc6ed9d8dd5af585a3834325eb3ddbbb4cba99ef6b0d68f482

SHA512
8e2794328daa969b18ab8cf8f38cefc5dd4956754a908bf5c51a5fe025abea805c2f2c54d84621dd881785785ca82b90b68b96d1cbaeeb9382dbd456766d624a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
47bc84b2d1ee1338ff17a5e5557e48fd

SHA1
7d6d5d15f67eabd9fbfa71e7be4d425fa0c06b45

SHA256
fdd4e56d01a9e3e09ce5ec001294407a6934d72519943c99fd89c19571111b01

SHA512
dbf520938f5a38fb79ff545cce3975f4429315c3203a51654418c641a606a5d98d55d24e4ccf56581d1f9fb7aeac78008ff98b89130e355a11117ff173fe71fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
528ae83348475e88aae1de3ab41626f0

SHA1
7d860128104f765b4ef496eaa11a62d4175a52e8

SHA256
78e8a564ad5a3be622f6c218ff58cf9e5ba758b134e393939dbd87f65800a4c0

SHA512
432a725681dd3baecd27a4023c3fd78ec502b95556b9aa3b7c63bb872146628509826c3ac7ba3922642571bc92b2fed101194b3cd5fc4ca27f8fb917f9a82c59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
225dc857fbc4245f88ba0a7c67194daf

SHA1
ecbffd42f91df09bd4c08263e8cdf2d8afa9fcb9

SHA256
9da0fd9986cf1e5698403085188544078bf48ba1a6e142ef673a72a607c9c0c5

SHA512
b7cd64aef6296d2a1ed0916c3530f8fe771d1ad063c547517411765b6c0ada0664d3219f2fc77b0bfaff27e8ccf21893b5f6511fdbd9dddc30d816391b38b2b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ea7c2c1ba586c9126a0d710f6011a2bb

SHA1
ebed6403149e4f6e8723a304684db4b7982cc50b

SHA256
8efa547d1747a00434e3b37b9c66b438317f0b1497bc4592a06d840435653a0c

SHA512
39249643c5685ceff538b1e5328fe6a54edb05b6b56d1a302a7d564911965a61cae46d36db0505613ee50d21af7f637d639fab77103c0f785fafde3355b3ca0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
340222e00d05e59021908dbb27af2a79

SHA1
efa3ba2bcc1aa4ab305a6a88f38adf05754053ce

SHA256
5a19a9edd82d16639e8ce1450cca4b180a7ac82968eae7d279c5cdb17d20ff5e

SHA512
39b4ec707b430db821f0c29f3bb9373e1e40c05ee064c46b5bd6896ce4e947730c3e30af4cd5379f37c6678fabb02e1b26560866581f1ccf7a7a369d9fc3b355

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
597b8130d5edda2a345b1ea8d3379f03

SHA1
57a64beb01071c4a5cdd483e56054639820fd54d

SHA256
fec48323d96e3c76684f086f932273fb98bc5bdb5eee063bc03f29a83d4357d6

SHA512
2c64721e59742803bb813ed15cc4f2d6fd62c4087fb0e571d0288300a48354f32a71f91e0ef52e6d8b9041d0033f5c8951e8ea8c031705ff25683b3a16099638

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e86324d1c70bbf99dea538e70b985bd6

SHA1
9fe4b1d2815478db5e66da42f040d4b682fe8e27

SHA256
88635274df692db3b0ff1fd7f70df555058e87e6357a33552da00ad11205c61d

SHA512
377693b03e9b2794532c25dc762ce39b3309700cf13060f4177872b8d362a4966677b039ba3393b6e31b8ededd5113f4faf3cb4581ca0e17506aad7d5cec1e70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
211edbd864182eda37ea436cd4ed44d6

SHA1
2c8139b3bcc29c7e6cca6f7605894163bb0f5eb3

SHA256
b6ffe576d903060f92e385b98ca4c06e30497768d933795ac7d1defd9832db92

SHA512
223007761d6c4956bda72ab69835ba63b40ce67e48a61f2df5eb2fe9551767be38193cf7e1019f844b7d52550e8a2e3d6c945878bc3301907c9fba3f084edf20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
1e1e72046fb680608d67cacb669ed6f3

SHA1
5d0ba60f161ee05f0debcd4450fa6229ff530c7b

SHA256
7f0555751b02f2e8c4b3a8ed11fa6a895e84002b2d5ebd29c37b47c8405dac96

SHA512
1d1e3ba3c1925991f31bcd6aa9fed95d2d8f26b5aa784311f397efd1341495aae8a451fa4df06506623c038e9e1c4e86add2c0ab7d8a39b622ad571144cddd4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
840063966869b3f8635f716b494d0ee3

SHA1
96c21a473434711cdfda7c2adfc371e4d6b27927

SHA256
ee160d7da4f6c2beed190a5b70bb2b7431c5b086d62d952617226f3cf25d3334

SHA512
f37c01313086ea00c95dca31e950e0c37d5b0b39c014d87a40cba4b901431e398dff2eabe30cf3ddf9a3342c431b0e3e0d9cc513e403484795f111f6b2a99d1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
648819157bdf3514b16feb418bd17356

SHA1
8089e90c88a79c48f5b29e6b54612c1ba0131c26

SHA256
329988da90f558d4bd177552259cd115d47f69d7fd2a5429cb7600c555cc5671

SHA512
6c79f2e9a9cf073dfecfb6b1cac7a489d99e3dfc1708fddd38f2f9a075c1888f74517eba20022552c41a7a011eb7d6048f639f0677fbd8e6e7d18ec7aab3abeb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
51b1335d65605fb98896aa622bb0cb3e

SHA1
d829ded907d4a84d6ba3f1285cba86bdf0d4b4f8

SHA256
e3d0d6c15ba5a890d63f5ab50ef144d8c4b23b51f9010e55935bee9e4d6cf19e

SHA512
2249b2c79774ff847f6e9c959788e848c7d4dee87ffe6f2cb60c28dc4668d58969f1d647ceb1f14178c39e912e0c241ed3efc9226bc593b8e2b220f6410a5b88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
c9d11d1313d3bdc474e8353c79669784

SHA1
33f03c9696401ba243e6d2932fbabe1c5720a1b7

SHA256
d84e46e4e4ca5c655a10c80d4858fae6600588a0365d2eec8afb00d8f8dcc239

SHA512
9a54b8f58cb831cca1afc24e47d85bd6f03143cc39653a0817de8dbc612ab0b7f6fb0b78774ad2a22b6e7b09e7c53882263e6a9744e3f4c21ab39fe2beaa69e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c2b6d41e1977efb6139331a03738ff4b

SHA1
e2177a9cc4dbb08d1d5f803552f1dcdb5f38fd05

SHA256
28b0cda557359da8dc86608f6b3b907d81cf7e4bb44f3ed481852894653e0076

SHA512
77199d5f76a41a386393a2d0b5cee4bec715e3274a9554017f61a75978da1d386cb465180da4467e0d3efc3ee9bc7c04115d61f280776719eac1b7c2265f18a1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e8785c03a0dae9b9102b8dc13822d8fe

SHA1
c88cf92ad72da22c678eadb998f6d73812e6646b

SHA256
4514601f7dbc7e7da99721a2b509148b1f8b126bc7d3fe684daaffa66fa92fd4

SHA512
d77c84ef5754c7beea3cd26fcc00d9c45f6c032995c87bb9c112ed99bc53b28483c82dad456b2dc588f7b44c104196133d47767ad3f50d825e29d10aecb1c910

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
620a502e20ba130217f10e2e1931ab1f

SHA1
707b78cf8bed8a9cd7b01e883961cbec3d5bc5e5

SHA256
7b5dce8d2b1fd82fe21f207332d21ebfbc7d51349e00b113131895e6c167ff0a

SHA512
736b4f61f49396351017f6fea00f6a8aac801b680712a183489d78d0911b91f09a98a6068cb51159e3ad4142a6d3ff5375a60643da3be739b8088b3ba9f54971

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
5479d0ff347e124796cdaf1b9a54f5e4

SHA1
032746674092720410f18c8fee11f0a21b0fa8be

SHA256
c33e5edd66ce1276350fa90e32303723934c1227581aacb7db50209aff3cec16

SHA512
57a3579d0b50ffb695ecdbc76cfb81f876420bd9c861d6ead946203402e4b70e7f37e12f27d6b19c1554c04d460ce44792b1994bfcdcb7d93513fd4b630259b8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fa056de5c985041c9861a6ed495ee7ab

SHA1
1625a8af0461583881d739ea45c045c2721c392e

SHA256
1dde3a8fcf6dc8e3e87ed066f3046ad5ab8709b1e2a19fd58d303849b93477ba

SHA512
d7a48dc333dfaca77928e711cbb3c88fa203c986cc9a68c92c3bf71e6802726eaa155cbbe6ba58d3f5aa261c96177b91bf86448985d7225f19dffc59b32eb5cb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
32417bef364c5f44ab8df34304aaeeab

SHA1
1e5decf8b4dde8d93e1c52f08ed072c416ffad2d

SHA256
90382d2395ebb799c337335cc5bad70fd6cda6ab00cd1a89e180a617019ea65d

SHA512
bfa98112c929b974bbce7a45a722cdfe2d5687e29e0db49ddd0b68da906b9e56964f29f26e2429bec632e83b80b334c3cbe9f720741d382c7b49681f5d8cb1f3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1462a7becd9572a96e18ef197bfbea2c

SHA1
d6877de45d7b378581847ba4706b333cc8566bd9

SHA256
fbd49519b3f6f13dbd785abe9c1a38e83c5af97b624cd5e99e8e229bf005b9dd

SHA512
4bad255072ed5b9f58c26610b8171326be3211e2f7de2b106cba020160df8d8fe965c740e2ac93b1054968aeace257f254ed1bc00b2cd02f4e2072c2ae19a5f0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
516e2804fb5f8516b0889c2746d504b9

SHA1
79fdb2f2698423577f81a360c62156e3a64cf073

SHA256
82f71551e891200c7b2bb31079e8a76cb558a7bee940c1ab18b6ac82f25b6ac3

SHA512
9df336cb171ef8dd90f902aad3bc76911295da6489a6191992724a4ec96342e053ae3306f5b0fd2caa0c962af734bc1085c2226df9e07c4c9520d285e98b7583

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
cef315cee8f33af139112fac46a3ac8a

SHA1
13f355d1a6b5f729b4e6c5ce9835b0883ffdfcf7

SHA256
a6df6fa5d471d6afbc3c56595f2d634adaa62f41d78867523421e0cbaa972c9f

SHA512
bf4ce423f0dfa18d907912db0555f3af56425539da8288588300fc05e68f0e55e54f9278f857f2b4a5e4e77f73432e79db5dc0ab7b816fbcb7eb826bc17af0ae

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
27244b69e31c2d466adf48b38e8fec21

SHA1
355e0e361e789b9d4832e43e0930fb2943edbad1

SHA256
df454a9ee8f50f81aa6593026acad5c43125e3a65fdf4d19a7a53cab4f0aafb1

SHA512
1d0d23c5a619db31742146de29bd3e8be330f1582839a4d6c95d2afdb32c7522496a4874bc366e7e20c56767a6ef36c8c566c728a6006533e9f651f718d0173b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9eb5b791849ae7fdfc5bdb9f8dbe5051

SHA1
c77619a9bec1a37d11e8ae8c33bb09c6f7245b52

SHA256
01089f62f6a0c8f7b2e374be93b364fc825f6d7a0a1b445aa4558c850b0efb7c

SHA512
24737e5581141b8de21553c024471e769acd2ab657df5c577a7ce034105674c9ffffec36a6f3162a1fe8e6140927aa95395218f146d0968c37c00cba0475a1b9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
eb43e57f978c9a3517ab38a03b8bad48

SHA1
3481ba4f9296166e1c97e40e11c3b7fe3c724971

SHA256
e89f8b7e3c7074ab71654a12b0ffb27f5c745d027d8f2b6b956ae519b6826ea6

SHA512
e94a76e09d4d44bf525b7da2533658878ad8621ad238d43aee3847d1bab72e6f5450a71ab7cb357d7a440d47408cb5ff7dfbc6e8d8766c936408191c024d686a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d6edf28d6866696373b69cdca866d3e4

SHA1
8ced7ae0b050532ad52c2cff0a4afd875cfc0fc2

SHA256
4ae14ddb803f86933de8bfbe9aaa3dba7e8f7696c02f124640cb1ed092710388

SHA512
8ce4666727135c78cbb3456a6335b5b7e0f5f66a43ccae5be33314e41a1c85c5610b79d2f33b25a94a369efbc5fbaae506f99bf11bf62a4d210dfc7e4d1633a1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
03815b4390f4adaa04820c78374aed1f

SHA1
04a64069bbe2f040c5b3c1a1a3925642b5d2f3c5

SHA256
c1ae9056ebbc9d8f8db6169dd092b77ab9972f07fae22196dc3ded1e8aa406fe

SHA512
04f044729d3048bd2df87977aa77e2735f7c71f2c0a71d39a0dbccc6840974b1f2893ffb5d489bf76a68c54bdd7f0881a099c3d6838cbf40cfe2cd3ac1831848

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
73140074555af1c7c9e788d39acfbf5f

SHA1
83329fe07086648d07dd17d8f85846f58960a5ee

SHA256
cef0ff20e3248f0f315884c69f99933de3e2979db74893f8ba94e71da805907e

SHA512
c1f653ebe44fc52657f095cf4d5b95a9bf89a34162569b3146fadef1de04bf61b13aa295234c345abb4e379b7bc9c58d1721275b15560cef690dac706b582497

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
73a387294d4aa30bf5957ee39d36b07e

SHA1
e5fe383f64783824185a3ac7a3c6b80705168587

SHA256
cbebb5d6626b9dda1ac3915837fdce0c86347b794df779a6b4ba10295ee23570

SHA512
9eb634243ee821cebf667052155ec1e30927fc1985f695452695d422dc0ecfcb7724ec69e2cd62d6e2e115f1527506d95568fa4f95b1e4d6977f17640499833c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
1373e63fdeb2cbeacfa97bf9283ab0bf

SHA1
6c0165ab5313466639d87b39e0c0b70c2794c617

SHA256
2e016db2596ac6772e85d39c0e91df07751bf74c01bf0a5d1c6b718256e3fe61

SHA512
f0b264b161c44c1f5e269f3fa95d402876866688934645950b9e298c2b7129c96c38cff1ae521ab3de9b2c17d21ecfd16974dd3d87194beeb47dd570dc3afd86

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
140673884c901c35002d5d63792900c7

SHA1
5454db17269dea622d413726afcf15bb96220275

SHA256
fb6b7eaa2c7d3ee652ab0670a1bbecbec11fd453fd62e6b84c8072c911e07e35

SHA512
e773fd1c33d8098d69b2b8caaa26788ba655de4ee044adcd2e7aaa60e663619f8bef1febb18965e3ea961ecc6454849dbd1f927c7f52b3902132619dfe57b4aa

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9a03dde8f7e38ccc79eecd5c5d47a780

SHA1
d951910678a2694953813afa0e593e6567d65497

SHA256
8e69964a01494c7d8b9f05b9cde60490d26553d392cfdd754a088832de37854d

SHA512
33b09f30556f90447162ab37df0f4d82ad59d7e6ae95e4e0f33c16247253cc759b3ce36314e0c325a44d42d0ffab17176ff88cbc1cdc660d804d555391c43cda

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
481fd73c91458bdf046b6348be63b9fa

SHA1
cfc2bbd32323a5cccf5e4d1ba9a95c3c83a75480

SHA256
5f03a073a3add2aa25728a4b290bd5c6e5711f81f8d7aa72f0c33f4b9f0e3295

SHA512
2e1795865385fb0a729be225a136bee23a6dc01d2fb0b4423ae17fd1ff59e045dd2619645eece560a5070b77ea5d0b1550037fe9257a1f12282df6489533837f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d027768de73f8e46ef3baae889864118

SHA1
f397240f818c8acdf2d7868ccf385045ae63da0c

SHA256
32bf4052d265656e58dc5ff7b8766e70bb1b482bebdf71cd599d0ee782eca5f1

SHA512
27bff09c721d2bf2529fab48ed5c9429f4955f66d31aa26646b5c7cf25e64020ef09282feaf3bd57fbd3aa74fd1839641a6b93f1e615f6a0e9ec36c3e342f768

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
98065fa28b78526ba13e8ed04367d0fa

SHA1
25cf744e552d6e35a73804d4f70c57607de50705

SHA256
fbae64c8e1ef0c009bcbab35494e5964f8bd815b234c4bd34822630b2ce284df

SHA512
1bae3d473975592749e1662fc6ece6bfba5eb7943a75f600f86c800c56df03b4fdac10f93be585ad491ec78c580190210155c049ca49fd00294fd08f81823b97

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5b846b1ca9ab97a916df1094e30c033f

SHA1
5ff5c90b7581f158d89201b148a579abec8846fd

SHA256
c3dabd1161dcd0d6095912d66c924212093d71a3180a5c5fa334d03c0e31b874

SHA512
2ff89edb7ccf7a01c03b439a08edc143b388fc47c21cb24058ea731184437e48b4efd313a754917a45e9aadf7720b3bcd201e13f669c0dd68edff611bf2baee5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
fb91072285af3a986714d1c4a47a8cff

SHA1
ad9a08d77b5c7e3b2cd4a8b4a3a04ff9454223ed

SHA256
de165c88e405e2d7c02fcc74f59a63bd772b1e45c5a2e43cc0802c7c0a915b85

SHA512
a83ca4bdf057aaf51aeffa85e9f704f474d82877e7fca2075b1f1222a6da0f35327204d4758e0cb51deea5fd94165747ba3ee3af46b513fcdbe41922e191c5e5

Download Submit
memory/404-5-0x0000000003C40000-0x0000000003CA7000-memory.dmp

Filesize
412KB

Download
memory/404-0-0x0000000003C40000-0x0000000003CA7000-memory.dmp

Filesize
412KB

Download
memory/404-12-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/404-91-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1128-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1128-23-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1128-15-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1316-154-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1356-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1356-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1356-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1356-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1404-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1472-119-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1472-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1472-38-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1472-32-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1804-467-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1804-155-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1980-153-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1980-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2340-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2340-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2492-470-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2492-158-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2500-161-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2500-93-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2500-89-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2500-83-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2616-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2748-116-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2748-395-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2764-100-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/2764-105-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/2764-99-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2764-171-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2888-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2888-60-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/2888-54-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/2888-66-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/2888-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2940-139-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2940-465-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3352-109-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3508-358-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3508-112-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3508-378-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3668-466-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3668-144-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4492-92-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4492-73-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4492-79-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4724-472-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4724-162-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4980-473-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4980-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5016-120-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5016-463-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download