7e07d0224f7d22323fb672e77c4ad08720fc73f9fd8aa884648f8c2607b87b93

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 13:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
Size

24.3MB
MD5

904866d1c2ae42fc67ad8996c36cf835
SHA1

7f5dc53a61ed57524f7d940fecb1384e2d09d78e
SHA256

7e07d0224f7d22323fb672e77c4ad08720fc73f9fd8aa884648f8c2607b87b93
SHA512

b0e4edf90627fa7471baf8e15218d0f8a2592f898508c8d7c681640764c0e1b8c93253145dfdebbec686da19756bc85e5c1b53af3000b64c20f5ffdc4d64a94e
SSDEEP

196608:+P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018j11wl2:+PboGX8a/jWWu3cI2D/cWcls1GS2

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3320	alg.exe
4028	DiagnosticsHub.StandardCollector.Service.exe
1600	fxssvc.exe
888	elevation_service.exe
1520	elevation_service.exe
1800	maintenanceservice.exe
4040	msdtc.exe
4264	OSE.EXE
2208	PerceptionSimulationService.exe
3964	perfhost.exe
3392	locator.exe
2428	SensorDataService.exe
3792	snmptrap.exe
920	spectrum.exe
5036	ssh-agent.exe
3788	TieringEngineService.exe
3504	AgentService.exe
1984	vds.exe
2808	vssvc.exe
644	wbengine.exe
5060	WmiApSrv.exe
4948	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6a5b170b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6cca00c02b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e13c7e1002b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6cacf0d02b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002149c10d02b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070c1980d02b1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000404da20d02b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7641a0d02b1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003abe20d02b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
4028	DiagnosticsHub.StandardCollector.Service.exe
4028	DiagnosticsHub.StandardCollector.Service.exe
4028	DiagnosticsHub.StandardCollector.Service.exe
4028	DiagnosticsHub.StandardCollector.Service.exe
4028	DiagnosticsHub.StandardCollector.Service.exe
4028	DiagnosticsHub.StandardCollector.Service.exe
4028	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	1600	fxssvc.exe
Token: SeRestorePrivilege	3788	TieringEngineService.exe
Token: SeManageVolumePrivilege	3788	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3504	AgentService.exe
Token: SeBackupPrivilege	2808	vssvc.exe
Token: SeRestorePrivilege	2808	vssvc.exe
Token: SeAuditPrivilege	2808	vssvc.exe
Token: SeBackupPrivilege	644	wbengine.exe
Token: SeRestorePrivilege	644	wbengine.exe
Token: SeSecurityPrivilege	644	wbengine.exe
Token: 33	4948	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4948	SearchIndexer.exe
Token: SeDebugPrivilege	5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5076	2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4028	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 2988	4948	SearchIndexer.exe	115
PID 4948 wrote to memory of 2988	4948	SearchIndexer.exe	115
PID 4948 wrote to memory of 3000	4948	SearchIndexer.exe	116
PID 4948 wrote to memory of 3000	4948	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_904866d1c2ae42fc67ad8996c36cf835_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3320

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3652

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1520

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4040

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3392

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2428

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3792

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:920

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4844

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2988
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3440 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
5a992c2445ddf7d170b120dfd807a9f7

SHA1
1390fe3aa79a7537037d50b3a7067e8700ab6a0c

SHA256
ad049d85cf53d1cdd39899b23ed62a078ffef49331987b8faf54bcdd70f8f6ea

SHA512
8dcd83d721b3468797e60a31612494745417ca5278dcbec8e176aa14ac0f182ade0c44f3b3a64c46ffe026943dadf9bc64f2161c3bb91857eabd334f6b173b6f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
6b07522b9aede2f46faca52dd7ed5e03

SHA1
be171c2a1925d755a37f488983f0d484d79ece9c

SHA256
2f880064f6fc29a2c212cca68aee8677c15cb1a5e66d7a31133125b157063c53

SHA512
182f9472aa5d2e2d7b52a795c60d63a43c1c7bf2f6a25692a1fcf1c10945c41a307ada4b354f6b454e6471bc37f335b80d69fc1a02898d4f2bf2658651b32d3c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e84a0d7049602e600160bfc001447d3d

SHA1
b998a5e3cc10415672447f1c5120a1c4377080af

SHA256
caf6da03f392e0b3e147bf241fea1f3e3b6ffa8d48d24b951f3292db6c26282a

SHA512
71c73088ca51fc2b5cf8ff60a5e170b3c26e45d2bef5538597f554754543cd9afa0927b456c8dd83a67b8a749d2d127b80629648fa42cdf48622bcfc57100a68

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fb2b44e9bad6ac723e6f18c972ef45cf

SHA1
ac6f8c8b784c03aad62afce959a6545340914143

SHA256
086d0884308acf6af3e3607aca3e7471064b84fcf0f7f9642a3203bc1cb609f3

SHA512
c8727bbd23995d31f2855c8e970e8dcd0dbd043851ee3e3eaa69cbb8faefc95bd849c60bc0329430dd9902e632a1813aeaa98e90d5b0d0616d3126e045226ec7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3573cb6e114b4d5d318b76d234febb2d

SHA1
da3b98f06b4f41ee77c4e0231e4583c15d43f2fd

SHA256
b1d5c90d63b485a75b0551c919aabb019a7e293e7a3f4b9a5ce78debabac9003

SHA512
6c88e0d61f7d3779c4e24ac1c37dd86b77a94348029a2d7e6b0b89e404d6de06fbfc0d68aced488ddb15ecef67ccf3f79449e8480fae8e419022964b859629e2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3a9f4ff0ddd265b8c23b8070e6222196

SHA1
bb233d8406cd26a95d349982e8e3a992a5fcb059

SHA256
d78dfc6c6e70c5d35320e227c3b22280ee93e456fd229ff491f1a70a8add6d38

SHA512
e299f6bdfcf47c011ca2ba53fe44dc1f67bbb391fdefadbf3f61edfffdec95f502b670483f9d0a9dc19a8233d62ef13392c4709b49e0fab98a1de343763625b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
f019401ec6936d3451c06cf33295b46b

SHA1
1e1a10a1bfb0903f21b0a03558322deb8f6321b3

SHA256
c58b516844eabb39fd3bdfefe22997841ffa6f2fcacc8acdec874b3badaf8229

SHA512
64f2c071f8d90299f9b6ec4ac561134196f7c922d7b3fa00aad1897e61e480df13a4bba9f5fa0e6e9b3e5caf234ae4fca998fa8f9678c986b8ca6a89686c43dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
59d31f5f2a4adb4784f6e82d6cc2a69d

SHA1
e1a9974cc520e1aa5701bf4320c6baf521462585

SHA256
06bfafbd71e2180015448ecb29fad63edfadf47ba7488ab7750039686bb91067

SHA512
456bb71c0979e1052af1c1efb74529cbd3e50fe723cc6e7bfa4c8f7e7c2ce5c51fe1fcd7f74891f38066092f21e0374e273c73b613abdeae85c44ee3e9263850

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c5694185897ce43fd2104e5bcdfd8610

SHA1
87c31c00ff4560d8064350df1bbd72a5842e5074

SHA256
478079107a85ea1c46a97a646b436f8b11a415aeb04c259294bba5056e22f1ae

SHA512
0739e2255bb5f2eb9ac4bfd404ad1e9267e977128cb3b2d75edeed1a5044780d98aeed99fe7890c5e1fb876ee63e75e6bbfbf14629da1209210849ec525d1d02

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7e94a3774857a2fbfad457154417a3cc

SHA1
0b714ad1c2908a0b30cb9f47d1d4c1f03b833aaf

SHA256
453f8cf157ce1bd67aa434fc6d57c6605c1f77c03af1d6f22ce3632fa5bfffb5

SHA512
44a830b9b6017acc90108874bb9a67d0ca515905671ee9ad70363d13c6fe9777dca9eb78a77e07971eb9affb459bd5763d80bd7264f8390b71f298f55cacc92b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c64d5f055104f16a354ccdea98edacf9

SHA1
f5e6c31d173bc2e25c117164ab582dd6cfb56be8

SHA256
b112f2ce690b97d81635af7113aeb4f2c666bb79a948d180c70043200f51442b

SHA512
141e3b6e418cdfdc527432ab27efe875a8902a09097f02b6981cce486fa2422a63b7f8fac1530dc16694a6d14abf836cb08bbaceb9ee1461f7eb3722ae5bd07e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cd7e9ad2fecfc951f9f0ba0ed58225f2

SHA1
bb3c27d7539dacba7981a55875ee7e20b7b8ee53

SHA256
dcc1f29b89c56f09912ade6b5a9d2ef4e81d54ac625f70a1f22464f0e34cd03b

SHA512
50875fb0e9f20e04502b9070afd8789c5e39572860827370ac6ac998e3afa2632370104518f51d2291f01d3e4e4732c9914adb0982d10657465a073fba6d4fda

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
610115cfe4834c9d3106c4cc9b869107

SHA1
3e5286bccd76a05cd4c53590a07ed7334cfb6bce

SHA256
f2fb05c4f99d4a06bc8d065f9328a5cf6dd585b48604492a8dee2f8286d4150c

SHA512
754a707dc645bd6ad4d624f7d40f88bca4e3426fed158680f4bd2e245c24ab900f37521c5276a2d7d735006bf26f30e63c1089227193c28327eca35a13601334

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a2336b717f4e4a6aba01748ed77d3594

SHA1
67639e63b318cc974fcf3e71fb51d5afabd41e09

SHA256
a8a6359f8651da1e2ac67c0c2c2a2743d13127017cae158e263b0e5cc3e05748

SHA512
cefed2e55c5362270bfcac068abb964d6d86aea3f1088976d52fc46566321ca2064a90541e3bca57a0da408e4ccef7acc29bb123162eafc484dca6e567344128

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
fe39a45c18aebc9b66a0e3b3ceeff31e

SHA1
a84a41908f04a9b261e3956d91b9c5a26d978ff1

SHA256
efbd17043b8308b0b85e7cf42a7920d1a8422fa614123dd4d8b1737d2c3300ae

SHA512
7f2b65c21973ca17c09f8f89bedc05d6d79cbd3c598d2fd53ac419ab146ab9ef426bae1e793a87d1f7182bb1ca30f63b22359d27d9f02c8f6bc20809f519e706

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
a67d46b1ca80f107b03cb1584d029199

SHA1
af952735cd68fe7e090d832bccb36f3a3c5e15d4

SHA256
cdf3aec5e5bf840cfc9026965dae27319a021566a9f5f6d9d7143e91839e5105

SHA512
269911f63bb5cdcfe62eed3f75831c3da2330c4260d0737136c39ee4046533503e55a014933ce4b15b112f993a385f052bd455af4b17ac5078319fc9fb1709ac

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
6b828483ecae93e77564b7a6cab0e53d

SHA1
bf1fcc286a760387d7cb9f6b7c9809bd72ecafe5

SHA256
5c1223f2b8c5fd0493da56ddfdde63918fa1baa002344ff9ea3a9fd1c802017d

SHA512
069ea66f13ace82fc73e6eae488bbdb6fe7884de21bc7cc700243d20ee905eb97db8c64c71f8cb62dd95c35698776f1b30e90d99c9c1a0077e3193b0f38bae77

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5f405ba72a2eb2d41449bf3989871290

SHA1
54b72783956824cdc0029e06323b8e55dd062e65

SHA256
1594613a09d6873a91ff53592e456f0d4be2574180a96a880a89fedbe6ea836c

SHA512
88f9a4f6c082e526f991b5ae03eea86ca78ae5f65901c9ce07bf0246e3722030729449627f4afc7f9f5a84f3906f4496ad6f549f1b8b7ed05e23e6094c8be410

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
9319ee44c85e972169096f4bd8ea238e

SHA1
3852c8a0cb41b8a1477f78c1cfc0f9eeaf9513f1

SHA256
1081ddc9ed797119dc9c6369065688b058b30e4f6dea72bb82eb67d865d5da53

SHA512
704a7f68e86c18163be9f3fe76452ba55a458b0f256e19a5942b5021310f2040b6ba85ef4a9c376a3ef9926237f46cb23d17fc1c258695c93ccf553418f90896

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
4f452691343dfbd4376cd30c91dd149c

SHA1
ff6b6eaec01ff2059d53978af1d3a1592d1741b7

SHA256
1897106d89212aaf9a1af24453ee270447f0fa7e8504e3d5e4d1ba1fdae52ed4

SHA512
7cd7a13c6b0600b81ce32dd16725f3f5bc9fd9876d096fa62b4bcdb84736e0107699c2517a663288d442535d8f698e25345a2e6b3ba0775bc73284799af17809

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
7c9abdc9288a04039c105ab3ae95e379

SHA1
cc59c265e27acbd814e13c2b1e130394db6ec6bc

SHA256
2017232dcff312618ae818668340fb566ad3f1a833ac961de83607f5bf7a264b

SHA512
162fb46f4da6266590ff5cd5cf94ca93b7d86651a7ca19bcf5c5714cda0f85c4f22ded848f446f3f72a321fe48f4af062ec534d1a83c143570e024807822fde2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a28588ca1605b8625922a2326d2c216b

SHA1
9b1dabd3de80da47bd1ec0da1e2d4b82485d72f1

SHA256
6fa3871c7673909113ffe54ccf77c95ad60663fa874e0587f0c3d367a9263e3d

SHA512
f340e7684999b0a135c2f6d5752eede7650930e526b1d8923589e4dd18d2d027915734bbb8044fcc509ab741b6666c3a8fb6bd9099eb547636e527ffd6a836c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3f74398b3b7cc667ef83722b848bfc00

SHA1
6725688335c9fdb72ccaa5c713ce76474ec18be8

SHA256
c8a89e8175b2c8211876e62862af100f6db8f93e35bbc6caa900060f90fa5a20

SHA512
7d67277bcc324081f2890fd989e2cf4e4dd03c77e3ac52864959be10cc244781118d81c9a1c806174ca10da8fcadbbeb87d5bcac82a5b48bda5a5698395e2a18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
71340e75600a1ae979478ce65888b4a0

SHA1
7bdb57815b8c11ccdaed561f185bc2ec567ac73f

SHA256
e312bd50e5063cd71a6d2e0364b8fb1d5c6e41d278b937048a077240687030cb

SHA512
a150fcf202e220739356fb1b23fe8879017d8d185ce32f16f2aced5e66dd8e4ce4a7250d2f59636d2896b043fd63e433d4e3bd014572ff2d59350b1f17e84349

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a48029f30069158a1ad76bedbadd6f20

SHA1
60d870f1201de8501a3aaa87a10a565c7eae7e8f

SHA256
2872d76de7ee3478cb219511cb2cf02a2760fa681ea96f5b84b05317aaa4c4a2

SHA512
15f27eeff902c44bce21ec975ecff2026e4ddb14d9e5ab9bfd747f92278ae4bb81b57a1649fafa1af0ed51d861c2c18da9c5d76ca729e913ac197eff28f8798a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
89cda528de287c679819f4d9bf12b4aa

SHA1
74de6988588531dd4650930cfdfacb67417b8447

SHA256
973f91909f3716bd9a07caad70772132e093faad1a542a84c2a14c0dae7bbf37

SHA512
bb3ce0e29e63d59f611fe11553c8153af7439b427db17e8511c03faec519eab8a66ca71fa7ff531739fb001640de007c2745e72dabdba3a0c2cc9ea79cdfaff5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
c01dfa69b52a0ec8476ea993a9cfbd25

SHA1
7ae4ca50287d55f9cf9f3df51a259d81a2fb4e15

SHA256
2cc9e96bd2b96c744c736239aaa8c7d7e06f0839fa1554ffe509504f865cf6e0

SHA512
162f254035c9818c4eb76db103703b4990f3c9062d9970ed7181f43a5dfa8529df4e6a09878ba6adf37d1a3b1e63d93e075186e1be28f54a0abfcd0a11d6d5df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
bb67d87182eefa98a43cf902d4b855e5

SHA1
235a6b09b6ec592aad8aa1f3fc42965f158a42e7

SHA256
f3b3caf47e4b619940650bb354950774d6dadba145febba2692798b34f1eaeaa

SHA512
cd087d86eba07e0f04cd8b4c41ab8961b0b1e89a306f34f41582c3f9cf09269e07cbe07ef8300dafa991392027af745d424cdd3b84bfee743854850c4d666c9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3c16d0646db3ce5aee148c448c9389ae

SHA1
eacf530b880555a656d457d09eab02993fac2ca6

SHA256
e68939f4e186cbc766c83a7610c41c4ccbd0454af5183a30d71873ecad058724

SHA512
045ec3545be2bd758e6a7ef2b1b3c6167ccb776bcacc9e374a89ffedba1ea8080f142f5c6e14db0e6858c8a430d28fe470f7aefe9b7520a8623ebeb1dd388dc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e580ab451a573fce32beef931d1b92ec

SHA1
aa7fbeb6b124fdaf5240dc823a007f4607228075

SHA256
998cd6a6af7ca35c2c8de960db194a83c1baa0475acc6083cc2cdf74d3dc4f17

SHA512
56af6e7658a87ddfe77dfe22a2ad30cebf0cfba16a46ce5d9c93327f38c2bc16404256de04afc40287ad3d08437563393f2eaa55cd278639b9056aa6b3185e8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
bc2921a717f9e11b073c5c20b2f1a813

SHA1
b15e3501c88db841ba61ff78d19a414257561c0d

SHA256
3e44b648d2a9dd7690a977662890abec496b1805fdb16b74765e712b71a015df

SHA512
e7223fdf65cb28cef37504b83a5be1d02cd8046cbdceaee6f630959b779bd9c2a88078c8003ab29d53e5204436ecf740a8b3403d1e6e7fbdea9efe04f3da2a75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
11c9a2c7982c23ac8a9b6ad41ee3167a

SHA1
2f7c0087b5e7f5fc179fdce39545d958bdc428eb

SHA256
28434df96d341fc7932393cd1d31dbd711fdd442367bdadb8a17c076d3c96dda

SHA512
82b0bb4996cfc548605d6b1995da190ba136c98886c2872328ea3070d51f53564c26e9b8be0839eccab10a850c4752b737062345e175ca56223b7a6ed52826e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7fb00a50492fc4e50c8e5719bd412c5f

SHA1
b3f06719dae85d352301eb96085db231a75c1fd9

SHA256
a376dea915ddeb4ea1891af9ab6308a9bafb233b8efc0ac6ce28ffdff7f79ace

SHA512
08f2a96234cca95103ce0ed24153ee9506f0da9a873d9852b1bb23fb94eb7082559396f687087813634e5007ee87b293fc7eb15a64d1e0868db093dc9a42cf99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
1974615ef1f9586096843dd5ba45b417

SHA1
9509f33a597b426115c2cc0cf895596470a72c1c

SHA256
540cc5855c510eeebfd19a6522b4985721517d60b8cb3f662650fa910ab39697

SHA512
a83e149c609318bbb9994be55453928adf56864ef8503f85a6c715abc6519bec1a331bfebc2fb1ed9c6ca9108d8902906f60e2bf519568cf9cfe4963cb9d18b4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
16be83d58d959a8ae3a83d501efa2556

SHA1
1809f0ed2f4024eff28630be6b89a8c088b723c4

SHA256
2ed334f65efc2f103c14ae8ec73dfe319881df3e8d0934934f2d8f274e889e29

SHA512
049809dda47c727980c684274da60380098c4ee490da8b07dd68fac32b39561c3efa26276cb6e4c201f7c7cbcd00d80eb15cd67c290cc43acae1480cada39521

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
e8bda13916b756f2c7e21f33d169407d

SHA1
56272be3b49edf4a0f3cb24262e9f2d5b99e0e6f

SHA256
a4c60c27bc8a2c224f21f0924d1d4bd4c5b5645011a35eb320b1457dab0a7c24

SHA512
8cec359ced301c18e2c15e85087c2c080001d32f0c3340b0b23a621d723574a6e3bd91e610451f4efd938d90196ca398c3b63f5228bb6a7915a1ad27ad987303

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c0e4ba250d4b916b2b313de682642ea2

SHA1
3c1048a1642639eadcdc9c8e3edc01d61a669f3f

SHA256
74b713d000cccfc3a81ea7e5aef944bcd961dc21d79a487eb93704016b77e9b1

SHA512
67c8649ca4f448dc53784f02794ff5b822364f37a72c2c25e0a35169d22e27de496e570622a81ec1fe5ab3d65f1b098d6257316b73296bbb02798cc95a683667

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
56f6f16bac5ac40ec3dafe9bc5b73afb

SHA1
b02b368acfa4c960d2ef4a8bf97dd2973edbe88d

SHA256
62c326bc002275c139754c6c9c59a772dc860d1c16cbcc7261e5f2add3be7286

SHA512
d6cb74a5db25bc72fe23e568ac2b1f44ac3e6a11e06b234af76af07723a3bc1986231b854d98443a8fd1a1be5255fa0df950bb37866660bd92fbc4c4fee673b2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
07bc81405c3566a6b94877b4ca197e05

SHA1
09dfdf5521a775abff7b753ce6b630eb932fd9d7

SHA256
f8be7e5d563aff6c3c788e5aadb2b20401dc0a0bd0fc7cde81224c9ccd93fef1

SHA512
a9a7e3444a3358e52203665057adf4f6592c0c4c2ccafd16db142317e714c144444f73858bb996a07a3a54369e9529e8b5615539c911bc5152adc5f46e48cddb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e85e7e31794e64b82806048aa2f33831

SHA1
dcb83665f22887fbf1dff1fccfd764e3570d338f

SHA256
28a23b9e022e580b12d9e7dbb4d4740da700458ffdb78a28b3cd94d37d2046da

SHA512
c8ced45909490378689d7c7c3e7d071774ffaf1d1cd7d4b91064121109501b3e88785812a8f16cbc6dc313278c702a2d7899d8b84d2e8f734af07b3fb5c4aa5d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
83e5f2f3ae0b2f6e2c898a8d35d54f19

SHA1
18d68af7ef5d30dfe591e418510cd1f0d0546cdd

SHA256
abc79c5b31d7a30294cf7274ca1d331ad1863adce1843ba95c5bd4a43fe9691f

SHA512
daf17ae97070fbd07237ef609dffc98acf72507e999c166e208718f9c48cc018b0132427696fd9c885fc03ef216dbecae0cce9347abf927876296ef3f2b4d73f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3468edba7316e4314b4977bf02302998

SHA1
24ac7bc9c1cd5f5b0939631cd6e3fb345d3cb6e6

SHA256
a0a330acf85b97e1391ab7ea0d4ae320608df382c1aab166e3c60bf3e50fc64b

SHA512
31230b5e569f18459158995732bb224d304225ecb3b53204e4a9ba6b583a264101d1994187ed787a9e379a577cc8bd08dc3aec9dce7f3528b7ca8fd7844cb1e7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a7c8b8366e76c400df0815c24e3d0e13

SHA1
3ce8189f7c731929c14f541a0dc65e619e9732a4

SHA256
2942531522cb86e11adcf0585a95c1880d34a822964b4f5ac72154615003f524

SHA512
d049acff55882478b6821b16b82329da2b6d0de71350ddbcb5dd5257c85e95c5b846e5d81229a800a78c6cc554eee2e7c370c91c39caaf5e5732925dab92325e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e955e4399adf024bbd7b62f9ab470774

SHA1
2119c73015db38218ec03bfa9a8ae03407e7ada6

SHA256
8888710a22e9562f88e0c46b2e82905fb14c3a0b5e0c9c8ba1d30cd91bb62b2a

SHA512
ab57577f0940b2b27647283b2ce38a7f583489e8c2878c98cd94f18421b3d01aa55e928abad36c2051353d84037124c7e6715dbd3f19951b548319a0f71c71b7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6d0795be635f02f1bba4ee2888c23ac4

SHA1
6352b9eb7b0299aa3c9f1030ef6deac08bd53b96

SHA256
ae32c1b411e2a6c32fdf8fdf9a3368a6eb5e623b60fabe78a82d5be1de0e6359

SHA512
c54e8bc85ebdca7b68c589725629167eb6a829c3e99c3e66a32172b576a0435f82079d3859985e3ddab946e32a074e7d1ef90564536a3f9fc28c17993d5aa088

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bcb5ce41634ab92a9d7b29c0e635eb02

SHA1
569b043a41fc2135daf42f72c0d8ff87ac50dcfe

SHA256
598c0f2b08f990e6607612cd5213bb8620a62405be2be01b699344f21de855d7

SHA512
912eec47a9577a36c38a2d7f4bcd4753b0358994abb439762b38b8af9c3837c49c723426f9256de5344b8396d7b4f5993b7a7be943968348d0fa80834d03e068

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7d7e7f3ef9915351c8a05b83ee09969e

SHA1
9dd3b5f786e756f0dc2a1d12fea7b2fac78f111f

SHA256
2562a5a0c66aec082c947e735695af41cbba20b906ce3d27c2631571e12d5ad9

SHA512
066100a72d817c4dcd3b0fa4d2404e3b2d29da48ce2a841ecb2157f8d223ca8d167d6040f9d5c33e7a991cae3a63155f50542d0f72b24181741eb0787d7f6c61

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
127a7adae5934e89fafd66d50bfe19da

SHA1
06e43495594ab5e48a7a4ebc737144b4e81cb792

SHA256
0addba1585872678242e30e751b6b82bc5c484e7b8385b5dcbdec3ce0218c9a1

SHA512
74c2051fce831d8c0a98e312f2a72542a325e6235d9c8c1cd6d5f66451ff715c5434fe62b17683daf15f6250cb4778ed641c98e12fd51aada45f248bd12d2589

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
4f23220b5d9ecc55032dfc2d90082adc

SHA1
4896a72d917b7a056f1bd955854625fe1b33d640

SHA256
81935748cf101918e4ac136d6a728a9a79c45548c0412c9addd8351a3d752f6f

SHA512
48d68c18ce2963a1db19944256b5315371e7d5a56163eaa7f2134fa74455f662e9cc4ee0be69846db5259b8c0a02318e869312e09f31b6c4f4d10920624ee466

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
eb9e7dda32dad04b1188f12861c273e1

SHA1
f04e450e2f43378475edc05ac02ffe517119b9b7

SHA256
14a323bcef861cce4ce13a0e4153a4cb106291a35dbc7e36bf388d9d12a8c7d9

SHA512
e52d31579a14ca124d6372bdbed7182ac825d9725691cc08114204d2aa4206142d66411e8a9ae439f3cf57f7a391896b786b0cf0da5a886e6bda65d0904a4a42

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
504994c0fa5ab4e5e94abfaf3940e99b

SHA1
522d017a49c9f89a658816b09b795fc36b91fef7

SHA256
167c29aa1360c27fb2af5596a2b25077a6d78e49ef54fa2f267d278bc6943fd1

SHA512
aa251a764520905a9b46aa0940be0e6ce62d11d2b6dbee0e0fc596f797f72cad8c1569d59b3a26a5b019d03559dc573e77bd4ccc9ebe1333823d406321186c97

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f33ac0062da25641c4c8136b4a108e3f

SHA1
2ea59fc4bc6c757792550de26c098101e26f3fbd

SHA256
e5c90600edd7a98a3b06d1970f119a41390ed6a943e7133d34a038f6ce76b931

SHA512
4702dc00703d73742c3783d923062c4e8805e5a740485818ea82b6e94c1f0e353c0157aee1dc0118736e1ee6de44fd469bf116d1d520865ecb352c710fc8c92a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e55b24d49bb7f8281e2ba4eb1cb2104e

SHA1
970313fe43c999d6af181b598adecea8308203e1

SHA256
2bb188afc727d7d940e35c26910936c67b84350f54e24cf9fdde928a827bb18e

SHA512
5eeb64ede50e3efd9e2f2175f7e1e0b69f24d30d30501aef7d3da906e160ce8bdc85004d0d4c10a20369b0a31faabd2d41898bb4a0166b120d595d15d10364bf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bde95cdfa7f9f6873cd893544748b5a9

SHA1
55cf6b30414d0775c8813b66e9aa2161744d9b05

SHA256
253f8b0b47afdfa6970cc2cfa21c7f7256739eaa00c672f1ca6728effaade73b

SHA512
ef6afb3c0f1d6437c5db6447bb293e84017a0cd6d4d1a04913d2a47b6bd134cf90e071efea2bd8503fdb1d1afc3a55e53a39592509af47c44ae4a3c9b2adc284

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d4da726323e4f785ca534983c0859848

SHA1
8c850a1426a8ca0125703828be611b22e44c0970

SHA256
3eb2f5cfdb2133d60ce89483ff442b27e3ff888eb7182a8a3386fb54ab5961d0

SHA512
16773c13027ce0a45dd603bc7874d128986fa16406346998ddeaf36cf2867a22ad4f61a7d72d9bb452bbeaa4df8f4adf9189ab087ae64349379f5eca381d3a06

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
6725d5d1155ecf003dbe6823d509b6b0

SHA1
39f5f62df6ec6ad5ac375d287deb75be05961d4d

SHA256
c1aeec07d610067fef0410544fcfd96a2de64c7a1d09d6d1ef1b360425c73f6b

SHA512
e477a9ce7cdc88537c50bcb7ac0480e09f14f49df106f6bf97687c435f976ad02781cb7e23b2eeb6c2356437869c53c62b09b0326c00ac773e565db94da38135

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
bdae2d99f6ffa17dda40f42ca2536799

SHA1
916d0a6940ae28c6e397f41f0a3d326eb8a5f687

SHA256
74f12a72025ab7b8782edcb71c76175d57e415b35a084fa0c352f55f418220c5

SHA512
cf785b1456d96a6f3cafaec63620982de5a7a2ef0c911cc2029972bbc38757ca84baa66b6f17de1f8adae10152fd9cecb0c7ecfbc8bdb8298d0d9d3ff7851a11

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
62ed4f0e2d8bc795f2dc816e964135f8

SHA1
4cae1947447fc53cb286e500c098d96b54b3541c

SHA256
243765352358492bc03c3fd44c68023e95d41556cc7308a12614b90056e4bcc8

SHA512
2c181f7dce46ac7b0c4007e24f0eb544b455256d32662022a85741c489b8ab36aab81edf2bfe4746295a06cce460e4bed072b9955842ee0cdc34a35783865d3c

Download Submit
memory/644-161-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/888-32-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/888-31-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/888-38-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/888-119-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/920-120-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/920-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1520-48-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1520-42-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1520-51-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1520-132-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1600-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1600-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1800-53-0x0000000001EE0000-0x0000000001F40000-memory.dmp

Filesize
384KB

Download
memory/1800-66-0x0000000001EE0000-0x0000000001F40000-memory.dmp

Filesize
384KB

Download
memory/1800-59-0x0000000001EE0000-0x0000000001F40000-memory.dmp

Filesize
384KB

Download
memory/1800-61-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1800-69-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1984-365-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1984-152-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2208-102-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2208-86-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2208-92-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2428-112-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2428-312-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2428-291-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2808-369-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2808-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3320-108-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3320-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3392-109-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3504-147-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3504-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3788-144-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3788-361-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3792-116-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3792-325-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3964-165-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3964-104-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/3964-103-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3964-97-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/4028-15-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4028-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4028-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4040-68-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4264-75-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4264-81-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4264-151-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4264-72-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4948-166-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4948-371-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5036-344-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5036-133-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5060-162-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5060-370-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5076-96-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/5076-0-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/5076-6-0x0000000003DB0000-0x0000000003E17000-memory.dmp

Filesize
412KB

Download
memory/5076-1-0x0000000003DB0000-0x0000000003E17000-memory.dmp

Filesize
412KB

Download