816e63c2d44d8a4839d376c1b0d83fa5dde31bc9d88e343012059f2b4358a58b

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
Size

24.3MB
MD5

89c574bacc70a12d6a92476f7afbff54
SHA1

4317bdec13a6309b20c3c91c104033cef052d823
SHA256

816e63c2d44d8a4839d376c1b0d83fa5dde31bc9d88e343012059f2b4358a58b
SHA512

5eddc955d4784af904922acef6c2ca89b36b7b01f4d966c2e5624677d625cd0049ecda12bf5fddc24aa89d76cf15323b844fe116862efba7ada5a30beec51f84
SSDEEP

196608:VP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018vML3s:VPboGX8a/jWWu3cI2D/cWcls1vL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3184	alg.exe
3936	DiagnosticsHub.StandardCollector.Service.exe
3960	fxssvc.exe
2032	elevation_service.exe
3104	elevation_service.exe
2172	maintenanceservice.exe
5000	msdtc.exe
2860	OSE.EXE
2376	PerceptionSimulationService.exe
3736	perfhost.exe
1992	locator.exe
3492	SensorDataService.exe
2812	snmptrap.exe
4364	spectrum.exe
1532	ssh-agent.exe
1656	TieringEngineService.exe
2688	AgentService.exe
4584	vds.exe
3248	vssvc.exe
1676	wbengine.exe
4108	WmiApSrv.exe
4300	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f3089fab8beeeac9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4aaf74c9db1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004afcc74c9db1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba6ffc4c9db1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026a3924d9db1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097b3e34d9db1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f236e24c9db1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007da6544d9db1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073e6f24c9db1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059bb484d9db1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
3936	DiagnosticsHub.StandardCollector.Service.exe
3936	DiagnosticsHub.StandardCollector.Service.exe
3936	DiagnosticsHub.StandardCollector.Service.exe
3936	DiagnosticsHub.StandardCollector.Service.exe
3936	DiagnosticsHub.StandardCollector.Service.exe
3936	DiagnosticsHub.StandardCollector.Service.exe
3936	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	3960	fxssvc.exe
Token: SeRestorePrivilege	1656	TieringEngineService.exe
Token: SeManageVolumePrivilege	1656	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2688	AgentService.exe
Token: SeBackupPrivilege	3248	vssvc.exe
Token: SeRestorePrivilege	3248	vssvc.exe
Token: SeAuditPrivilege	3248	vssvc.exe
Token: SeBackupPrivilege	1676	wbengine.exe
Token: SeRestorePrivilege	1676	wbengine.exe
Token: SeSecurityPrivilege	1676	wbengine.exe
Token: 33	4300	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4300	SearchIndexer.exe
Token: SeDebugPrivilege	1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1600	2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3936	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 3356	4300	SearchIndexer.exe	112
PID 4300 wrote to memory of 3356	4300	SearchIndexer.exe	112
PID 4300 wrote to memory of 2412	4300	SearchIndexer.exe	113
PID 4300 wrote to memory of 2412	4300	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_89c574bacc70a12d6a92476f7afbff54_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3184

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1148

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5000

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3736

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3492

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2812

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4364

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3356
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
aa18a95207da51966a97223fba7154b4

SHA1
5b2ef507817f7a29f2507bcda7bc23f09f046b68

SHA256
fc7927b584f2991397dfcf9fd69356ce2e07a68710f9f9123316ea513f037cfe

SHA512
c4fd08ab8a21899a3f5554f284a6d9c200635a760b2d4b78584cc492a2ad196a227d81b0ff717540b13c195b46412464d72ee0338950e22145a01d884f05b8af

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
63f9289405211e4e3ef68b59fb701be6

SHA1
e7a0fd85c101d9f45c5d1756d0db91ab930416bf

SHA256
6e7c39b8bb2cfed133a389771f6926a177c20021e080b57176d9a5d7935cc84d

SHA512
c174cfdbc9e14157d400e2a26bc84c160fc5017f30ceb54c0aec0076551eff7bc7dd36d8a0a03595130d68d72dca7b081292f7770968e7e7cb3e8f04a212601b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c90e5858a2fd10e8f2b92bdb11905705

SHA1
4e90d8723c61374d0a8f321ef3da85d73c7e6e46

SHA256
c0e667b19666ef9a7a6cac083f02047944be2443dcdc3ea9464dc54e8c5421e1

SHA512
fd378c12c1ce9f415ce7726a7b94af49a4dbfb0a804f50b3e8a53f71f4912cdf555af931b01d50f48b2cfab76b5b08c9822be2343cb6b5e974b324e98310defa

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b501f1d408b2fe292e1d6d9350add31d

SHA1
75b22c7347c23fb75d7e1b4dbcebf38e345046ac

SHA256
556cf598243fd4af4aacc31a5862bb618b899d83149c3ac142b422ca1f1e0935

SHA512
f647ec82fd89eddef65897c1953418c3027643d241d22eef3395b55c8f5535d61db2e2c062889d1ae72c29e195885758742113b2895444e6d837f4debc0fa407

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6f7b8a6fbc13379b3ac8c6cfba55ab73

SHA1
952deda7d279bf19269f8f8a5cedd1382dc1c1c4

SHA256
2c7e5ad4d19b8af8d9cd03f92913283d65e96df522b16d7731ac04198b9d9b35

SHA512
b6b7fb96a1f828913a31e1492887eb74309e781e053591c37fa2416f9728ec04c9bfcde3081a7390a70678bcf0d572e17d2abefb6ffcf16a87b02acdc314e456

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d1db67bc75cc9fd2bff04dd277043560

SHA1
b3867d8423a23985278fd6f28dd047c7e49a31f7

SHA256
dc403515f7105eab319625398e5b09847137562bd1b56444c902acd9b22a0bfb

SHA512
32a1cbb4d641f2857262abd226749920a0e29dbe20f11f943c82f6354ed32b2756f1098c87838487d954fba17e731167a37ccdcefd8fca4f6dda29abb386446c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ee303ddb0064e4ffdef339b78ab1734d

SHA1
992e9ba87c436717805e7ca418ff9fbca64fbd06

SHA256
a08efa76f226762f56eda696d4e7d13080e625e2c1482143d1101c343286e9df

SHA512
9b5abf3bd2cca4f66dcfaadd8263cda7e7b3590731afa1ab356eb98693f5226bd53ec07ef32496f7f4f6ebe685e3c8ab3360f76bb3d6eadbe4b9dda408737b49

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3f3fdb7c4e4a4321c4390019917d3512

SHA1
42d262c5d96954389cfbd805d26670401f022548

SHA256
1a6a0201a2513b013640477c7aad82fd66c4c571ec1ea4f20f6f54899d1f0ea9

SHA512
fb079e8a72a391d826cca943f82075e522845ebfc1332612b87883d92d5c5adaa95c5b9477ab007b4dd385c5af8b27a9e84dee854e0546d1dcea6f54cc8a0212

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
565e6be2f133e509063acb460346a960

SHA1
4744d1795c5fb2f016492c55dc4f15b131aaab46

SHA256
f962536515ab19bccd03a0f9e0f2f57f37545e06756c248d851e106136047398

SHA512
eada83e362ebfbe3ca26c40d8e6a7b21483ceef892cb8390776d1232cae7c447c800ddb54ec294ba4ba8cf3e75bb5db062f18461f21eb7660143d326b5f6347c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
21f8d5b899d3e1cc36a7dfe703db6c6c

SHA1
ceede4899e99cd65718ababe8e695ba7739d7004

SHA256
7df761b2edc640aa62d5dd6d1dd4f493d64a885e03f690b8c5363303feec2f55

SHA512
657684161454408cbd1d90ff480415cff835b276afe809042b5a0b8d064aaaf38f41f4331960fc51b469eb4aa27dc91a63949e6ad8d406dd2343b55934d5eee8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7feb5d2774b700c9a72e0e5b2afca198

SHA1
64b4af7d098c7dc52bf9b057662e9c47d5eb58bd

SHA256
da177a5160c62fe47a00992159bacd31c2fed73d4d37dc79318d73776bc07446

SHA512
623a2bf9296bfb7f2c51498f08222854a8e64f85590ea75c711d40c090b668406c5d495e8f6ef7a3940f49022a6ce2a0135fa88438c656a00ef75ac3505ec18e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
baa11f6b72c018ac7ed585268bf52b82

SHA1
e61738f65dd2fdb409d405dc224341c230ecff4c

SHA256
79897383dd1bd4cb83fe6f6a6821ab7736a11a1aec772b402dc706f24ecbe0e9

SHA512
3e106fe9f0f26713c6d127ffa35532e87f895f93c43d26442e23b23463dcdb104a91e69dd7bfd552136d4e8f6295b8de78780325b1454bf5a0d72aa4acea2bd6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
89d6351af1eecffc24a42b09f7290ca9

SHA1
f6865f0c13d63fb02742840c7d7f8606730c7f68

SHA256
3c779fd16697a457902b2abd96d94fd0dba5b62d96b1c1e648d2b068817c8113

SHA512
dcb214715a433c7938dc91a2a4853f7065d35c46b635fa69703188c8b91e826b3dba6164855020d041a7a5b608ea65ec3288570d90e37187db9ca97ee91ccc3a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
1e129603d9667f6412d983922bd178a7

SHA1
13181de75a16f189b65bee8ad0112ef69a4ed562

SHA256
5ded2ea1b9940eb48825a51027ffbdab0a68943487eee69ce4c089a52d4e82a2

SHA512
eadcaaf09b0b931dc370af21bd96b6c023daca23c7e0c0953e74b1c3f675ece0cb44d8318e52110f203eda01f09f642188fa65c92f8e8c95828101dd4d130c51

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c2ef4be8aedd2e96957a6c59ae8052f4

SHA1
f77150dd6a237a9ad11dd7a1aa80ad8680cfc2af

SHA256
12759be24b6ea50241cc52aa24843f64fdf3d8e312924cd23f2f434fce89c81b

SHA512
3d4b247a401aee0751e0a0a22769529c234e70e30d62a10d430a6e34575a97fc927d34315249450ea420fbe0cf027b4f1615931c64ac30cd6342ea7b98cb3b0d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
218731419dd828d514504ee3718c3a0f

SHA1
3198ca84ea5883937a476bed7fdf5f196edef6d7

SHA256
e9439652abd0525f40df5e3ffe274da212158294099c99de9a01c1045c6e36d9

SHA512
70049612bfb2ebac30e03c30ab7c3091718cf96e47cbcf71f1c402cb3bed1bb17c831a60ea5a5df14b1d53b03ee076e8ba1c87fdd270fc453e86ee50aeefb3eb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e73550e14d892d1069aee96f9dcd19a2

SHA1
c12c514688b1ab0e1e13963e72040d6c36eee22a

SHA256
844cd0c87ae6074a38e081a9a47a0ee637c1d1eedd1cd21a2a34cbec8f99cc09

SHA512
92d7b68e5de57a00451e50691cff9c219851625a1cb589c5a1f4dc490fa4804632a70ced2c163390422e79b01cbfc6015ee0ca2fdf3db511d4780ada131b2ba0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6e4abbe831bec27a7eb7409429733220

SHA1
2c4e55a2223ff06ff3c7a2f73771686f4989f734

SHA256
0f205c811557bbeecead72a4b17e32e30f329b05fb83549a7be6bd3df7a22e1a

SHA512
1be303de3e712bedc47858592dd57d5bf5768c99ac6a1467f6f0c5dea608b8f685e502ecb07b9c46164aedc2ee19feb54c83e1668880aafa2b9fe5ccd7b2d883

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5311a2fd1e73eef92a761b31869f9774

SHA1
064cd97126a61eda38f53ea1a1224ffe15ca62a8

SHA256
5fea41373d047d6a31f02c843a3653b10af0cd9f97c307f1bc54da1ea51e0061

SHA512
27f2cd7761b011c59b2a25615e0ab9ef9510ae11a4161e2d6e731e547c31f9032c2eb1f08936990dbff2b1aaa34052a1a7e7da1b8dfd3ded72e98ab9c7e2eeb9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7c7995198ac6fe0973944999fd4fb17f

SHA1
3cf278af64838e187921df3b1b031cefe6eef8e7

SHA256
81dc632770240349e59aed45900e32a911359e6bf28c6b81cd437ae936264d40

SHA512
0b958527ae764c8fae48421ba1c41fe81eafd01625d732fcbc2fcd663e14002bd1e89fa5cc61d30553d16899be8d62b85811c12d63028b22b039a356c03508ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
9bba097093f047dfcc7ed2fe0351b67d

SHA1
243b882c55dcbb1f77d42deceda8a42dbf4044cb

SHA256
f65f38466b64cf7a0e8e9a7771ee771f3e99ccc61ba654c7774e66c70c1559d7

SHA512
8c9700d0b1615202b90d8f6b9a81fe49ae7798204bc0f1538a8c04d91de3e150ee92b2db2f661f0136757be520e34a7206ec6232cb6ea73937492e791d6862e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
684bb10cb4f8036d995020b5f2c254e5

SHA1
4994334f00da8da3b940c760b2a21cd12237d9d1

SHA256
b0c3b2e489c31966c7e9b60774342a09043f1b7da1006f0f2a06a71bd6de9d0b

SHA512
3ad55f4afc091690aaf36debac09b2ef3f73f1bafa56eafe66b7905a94b78a3ee33ffa9419091dbcb792f0f3729cc62b922144d05753934e8a7161e414c9598e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c036e71b742d114a0c49e7113a646ec6

SHA1
1bb7487623d2e5ef97c57a66e9a463eeb48be400

SHA256
8d27621d4dbb7e5f894a2560a552f7132f77253d88c440d97f2b89b04ef3d074

SHA512
84ba4f4db1ab6227b1ceafa2b333b5b74f01ee33f4aa95f6429918e700f82e102750fb19d2ddd9d583d58defe5ddebc3a866ce8a76ef861c83ee271d6caf19a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
e341fcbe956ec9b0a6cfd3c5cda3ca93

SHA1
1dba82f02a99b848b8e68c3c6972e38e96afbf3a

SHA256
a116b5df437df8f194099a0a1bcdadfd21e53a663ee1231131c17c925bdeaaac

SHA512
e947f0991d692691a2e453f9b63fd20eb276945e3b22feca2069beff9176303b7068c5ced5fcb10335dc8f5df8e7224946054640998aa7ad623dadfa9a221f69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
114f09435b5f18f97ff9cff6680ffedd

SHA1
a43ff61ff0d5acbaf83143f914f3a847b84d91ec

SHA256
31bd28b019414028d1ef690157d874dadf56c37ebc3efd351c4173bba9e9afdf

SHA512
7954bd8054c05f1f0a8fb001b5c7a3ded99300d234a20a4b85a46cbf98990ee7f75804cf3192551f3b5ed84cb70adf2892fc287e7537fb8495cd0ed347be1208

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
7d1491a9c4a15cd282471050b95c0ce0

SHA1
02f9a836250d79ce56e7f974c0ac90a436f8375d

SHA256
d22841b36b2fdb006e95cec741704e7dc325356dc9b6317a3206c23475bc7fa7

SHA512
e6b4a96d4525863b83296675d09b84a264f8bac0c3337f9b91d38d33970a3e0247c11496a503cac268cac0609e5429758c163ac9984abcb76a8a547a83fd970e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
180160d0d8ab400e988bc9f48b4b2f27

SHA1
4c7fef36c51e6158a79a39598f056eaf093e4412

SHA256
0dc29db3d8cb67b19da4c04fd49070014e7d676e15737dfdb8c9bf35018c222f

SHA512
784a27d65bd740a4c5001bf7c9caafb40a51df33b9d694a417ebc50c76e2ece236ea87ca4893fd2dc7085c1cea81f9dc5b665400e6c3a1a8cf89126c768b2d1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3a4b71d4f11c001fae585c85a59fa22c

SHA1
f2ae169ab157acf21716dad0b6162147b6015672

SHA256
72d2286f7dc04527ebd9cde8de3b48cd1589e67ec6fc94fddeab6552c5424985

SHA512
7cc7a92aff6521783d45e1cd6707db4b40d76eaa56987355707802260cbef3fdf6775513d5a1fbaaebf6c49c219f756038abf60c0677e1413821fe1b63b069c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
6adbd78d91f3a38281e4115a89a77ac6

SHA1
257ec91bc88baa0805d8cc39f1443d75537328df

SHA256
7bd27c7dce86a57aab0512ff643578d24eb1370acfeb2868321daf12c6ac29e4

SHA512
d711b7b18eacd797b621be4be1cda61ee6af2dc7201b1588c436471e38a6a9319494c3edd14b883777be7f0af07bf1dcc5ae3dbf7ea53aaea2c6700dc08955ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9ed390cc4889c6906540aba4e42ae341

SHA1
ca339334d554f151c124b57d54cde7482ec3f7d7

SHA256
53c6a0bbcb79338941a5c1eacc8e49b9e879a3f7ff2aaf3d1f3e78fcda557774

SHA512
2f23d9bffbd398c97ccc0229a0df027a0886d7e49fe6b3f48846890bb2604e2213e24a767ba81756464e088be3d97475ba2d2ab212223900ea3cf8a1903f8b84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
25fbf1ff2316c41f26b2155b6a3595ed

SHA1
c09def0cfabca1771147652566c54bcb6c20b70f

SHA256
79dd3cc953ae8480f4095025c21adb8f8e3da1136929b2b31502810ad6356998

SHA512
4230d0993ea918582f460e56a0cb1283e1542a44756f96eef3d0ed31aa0b612b2d4c695dc2c7c9b0fd903ea2fa751101d4e4f211c9c663baf29fc83227b4c88e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2e165902954c0ccf41cab12671026341

SHA1
fc790944db9167cb55a9bb90636bb0e78d8db327

SHA256
50875eaa8150c12c5285f38e797db81007d03da8901eca071a5ec71ef84e18c0

SHA512
ddd92b856db44f9626b1c3288472c9bc157bfd63fcf459508fbcfa5caddb6b646dcc0b6455250288f33725c081a4f66c7b54aa9e9a86c44563cf4b2e96c49a61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7a05ef92acaebbae9f95412a609ccf9c

SHA1
9f4c30c50c13761df967b7ff9d6c5ea6f15ab252

SHA256
95bbe14394009bacad4b62da65f87cb07a5eacc00eb9446d12b2a2d6f30249c8

SHA512
c948471b0c659aa6d7cb1fc0fb28cde3724358aa60d1745100026c60581236b0c4774be7ee05ccb2b1a7d74b6b28028048483a59d6fcecf48c492ba98cc04a83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
cdda6387c90140e7d3e45eb8f886dc19

SHA1
d2cde0cdfc17a41899160c309d68d4be72215a9a

SHA256
720897521bd8f843091f918e7df74bf37c7931e9ab852e315d13fc86325d39f7

SHA512
480a5bd3db6336def42b276582de1f3d0f98d155e0e9fc9c9912c18e7d63beb2a852be7fb931c964a04038e8b6c7a7c617199d5fea4d30473ad2e1fe91ee202a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
df3ceb4f68753b0b72b7e1f698dae716

SHA1
b1cbac12396fbc5ab4eea3228faf9176a064d35f

SHA256
b47b00443f46ba7cd8553a6c91b2449d9d334592b9e047c88aa2fac4cc91ddf1

SHA512
b6e7479a9fff6eeb482281851a0f96aec2d452ad04405fbfa8f6851f7f55cb770053623ae289737c4f5ffff37c9a3f24490b56fb13542e62e6683300b911d49c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e71a77024599aaf75037de0a2a5db896

SHA1
6f528a22907d3cd076a6c5a93876867552ab76e5

SHA256
a7ffa375ed2a475b8c40c415e03696d692b1f4876d7f6ad806adb657cc0360e5

SHA512
433c5aa7288ae5cea284d643664c18f58f974f7944c733d1a237ccaf3e1c046895a89356643c51775e9878e3112d45d78d06b5810c675d7af18628f84ea04b45

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d5b89c5e53604a55babc1dfa591ab808

SHA1
e57950fab8f280013fce0d1661fea03d2efb7f9d

SHA256
a09935a2e9c8674c396fdfc63ef1b70ab8c4526aede2fb21baabecde1f34f430

SHA512
29baa29ee2d5982931056ca0f366d04026d058fdafcd1812e6fe365b85770e89edc2d68e91acac469bf41919ce15f1cde5656551a9d27b4c989050f1c287ce18

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
75ea88d1e7136c239a1fba9a05ecf0fd

SHA1
da8a03b8aea13f1910bd8567cf2c2f28f44e694c

SHA256
32158edcb2b38296c0f9cde585a6d6c399ee55af76f6c074dcef05179c46fdcd

SHA512
f152565c7b7402c69e03031e76008240ce5b6301ec088b52b8a5c1c0196f6cfd1f86005bd035d3aaee5c6b278b1d570d980b1d6185e1036b23cdfbdf45ef4386

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
284dddf725a0eb022722086f16445f8c

SHA1
4fa87fe029b364c4623cabd95bf48f2c82a799d3

SHA256
05cdd48c41f4071db83225012e64cba042e5a6c7923ad2d5c56dc52d40385075

SHA512
6587d53a018626af51f47e9cbe45277ef92f7daa8eef33001680cb8914572eeb974453379125552c1c03d9f4217c6e3cad735b0dcfa37f9adaf5a05cac274731

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b16a5c91eeb246e641039eae2f365f92

SHA1
de4a8da955edcae811bee242de508fa15ec76feb

SHA256
8d5fd3051324a2b3c779646295ced5fd01b4ad090ff564c10f613e46893156ce

SHA512
bac35f5c4f9578641e04737a03489811aa698126780685750fde9eed22a70e3799bea1879efa527837a4c86e658a54e8d23906feea892220318de3dc68ad87b1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
88d1995df9079c11c2477cf19be25315

SHA1
eedd1cdbdb6993a7876acdf1035f1a7996afe47d

SHA256
d9687d80389f7cb8d2cc3f1d24c3ce6ec8893475d83c87d3cb6a5e1f3e200db9

SHA512
4268512eba6d3a13e2d9e6820722312a41fc96ed03a32b62f15f7de369b7af4ba7b08789f59b94ccf7389e467b61fde5a8aa6f1622b62750064360318727c17e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
3068ac64287d9e73d55a49a57c53c1ce

SHA1
47a06ac25d370cec281b5adcaffb88e7df4807ff

SHA256
f6c0ce398383ebd2ce3352daa95605d9b85d038433ff718b4b5fcd14bee7d6ac

SHA512
9dcac7d72a1bdfa956795bf29b4119ff6b9c7b0c7e96de24aea0ed07efd186553267a7da521cb4d74cb114e880e6f50c9edb2c7dea8eec560c387ee913a516fc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
267b99152106bd8ad2f154a0128280a6

SHA1
f850fa236f2acea9ca822b8da0b4d2225aa1a2b1

SHA256
ff70df75f6759e06ab4529313b8d5eac89c21473be121ed901a370c36da2a64d

SHA512
c1fe3e12273b2a1b2e903d41145d2a273543ca32ce4b744341fab79890cf567616602159dce2de57d72c2b4e716fb48b38f23533e4d6fa3e5af6ac60c69e1332

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ea9e3d4a40d2e4359f60b75a5c8e903a

SHA1
eff040448b1beec928d1ead2b6c38ee807292144

SHA256
c99576ab6d3ea574bd43ab0568c6a561d8fa8207ea0d85a9e5d9655db5054be4

SHA512
2f61830669cb9a795d7c2dc5e239b44de07ec1072d9fe8eff6aa7e7031fc77d5f127469780a40f9247faa64f3a2f7be7777e78ecfdf28f0fb3d071a9e6a72bbe

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8e70ead7cba4717d23984efad020a3b7

SHA1
98fe3de16b5305df7e0ecb3fd2cbea09e304bcbb

SHA256
94e70f35567b4dcc5bd52bd91319d94820bcb85844d12f2a8dcd55b9d0177642

SHA512
0df1634efde6f9f1dbecab10af92dae8c18879f356b79bdce8dbe11c564719346f7a9b284b8c54c8fa96cdbcc2727903a595982cba3701b927f128709a2ae8fe

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
81ee558c4ccbef96ea96e4dc4fe540f6

SHA1
ea617eaa744f28b8c87bcf766b10c3b61401fb1a

SHA256
f62c55f757e2140cf0d2d7fb00bd184a7a078e0e8e2a08fdf0d9d387754897c5

SHA512
6dc94fd05e9db92dda90da901e844c970375809671886cbcbfca56d9284244d595b4d1bd4be466b6b7f60641136886af06df5bb85c3f07acfd3b7ca70c0a142b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
68552b65ab8ab3d2b6f21a366ac4da4b

SHA1
bea3db5703c57c54ec63c080048de586288582e0

SHA256
ee7612691641feb48102f4fc7dc0cd3433f75e39d8297796dcdb56b876f93189

SHA512
7ca82878f4b968de6a9caa45d62478a46d9799fcf180c1abe1beb657664075ad12e572f0706bed5a4e75d89a626fc05fca74b91b1665859afcaa6e95d9bd71fe

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
be107ab54714d6ad8bea64674189e709

SHA1
421f6c184ab30c470786608ca00e71a46221446e

SHA256
d963ad5f85efc56bf18c462f662a197e340399c162d1935e30921937a7edab06

SHA512
c49e6fa663cf04207f6c471103cf52586cc7ef1a189c9b3d0727a29092709918feb44ef74c7edc67fefdf727f5aebefa20e447e91c16fa9825d4509f5622012e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dc5eeaca0e3514f536ad2ed4c9ecce21

SHA1
306842c78653bcbed6421542a36cf9f2735c6317

SHA256
ad8e6776db07a90743cc2e4e604cca2f138cf19106c4afbbb3dce4718cee1244

SHA512
9733dd37ff08f0d0005ea5bb378bc7556f73d31c734204fa04b5024c61f087db6b15b4bf368a5f5fca394d561ac2465575b0cc952f83ff16c05dfe952bfa0a11

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6d5f14de827d8ed1407c31fcb37de169

SHA1
2114e3126cc89e28047d847e19ab12abd367f5f1

SHA256
1808d95a607c12b7912c6123379fea0207a89113c131febfe90ac01cbfa26105

SHA512
f2e774bf02c20858e91e7c50acba3ef68bf6db7e1af164d1839601cc88ad3c4c1de08127aba00cfc7490b553a3177881c8f6e56e7123904945c37d61ad9eb110

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
14caa3bbeb1a164474bd018d36657d45

SHA1
0348952d9d4c029b0f57216122725ce7e173272a

SHA256
e113ac3935b9b949953b2f997218e19ad90c865c51e7c7f64295658c3b1e8fc4

SHA512
df100b381e8a088ad1077c3fe9f77d66ce6bc32e271a8c9563ac86b5ea22985591480cef24d405c7ffd5af4bdc20e773ff86c033756338bc5473b9596d1d561b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5effe8b920855b92023fcd2a138760ee

SHA1
2a55b537e02953303ee00b85018d3b952c107bb5

SHA256
7f9d53a20dd1145cbbd11f02f6f052990d25ead3e863f6e43fbeb17dd28834a1

SHA512
9a14084421cbd554f772e1e4907f2aaff18fe35d9e0969d21564ec3d38d92e41406132e709c786ce9c2bbee5a2d4b1cb04dbcac2ddef0639ffcb8d50d40c5807

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d5a0e6d8bd67325204b408a3d73331b7

SHA1
e659d9d310483d76333248972f2f889947182964

SHA256
0d8d03f5268c59c5f528df90b87f975f96a9f8d0bfc5f68d42446f4bcd7c7135

SHA512
fda0eb830d5b44973b61a0d18d1c15b5331f34335b15d3e8d2e762f78c9635d207ac276187e09438ba77e085d2b1fd68ae5306bda9befb14ca6da3aacca04b3c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e591235f5f9db3c4a9d581d75b89114f

SHA1
bc18d2df80a03172c66340c3ea8ff3a699c754fd

SHA256
9c241307b75e341024e64e43f863f940a88278d5825705e4d54949412a51a631

SHA512
a778907ffabe898e5d5ba6be6169ed98fbf0825b7985b31478cf66dde038a100bfa319aa09b743430231512e09709e32fe085218f8a39cfd55432e5f3cd0a23a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
327941d01fa5df3445ab56ebcf3dd151

SHA1
c116c665eeb43791adff840fa12eb4fac1d2a92f

SHA256
dedad6a8f6d3559245c626c8ac26fd24cd001c508907e2edd0f5963f85359808

SHA512
05ea7f7f8daecf00ad1d4e766600d655ea32e16829764b9601f51435ab8e6f63d39a1dc10bd5622ed3c5f577ca6d7c5812cda02391a99fbdcf63f0010d88f22d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7cf8a334d9cbbe5f06120954f39e0f7d

SHA1
5d7d930d4ea83ad3c04b559e567efa2ed1bc0a4b

SHA256
730c10cc2692dde062d015ce94c246f03c58e5546944e9a70af31aed9a56acbe

SHA512
8a5a1aeaa8f41525d3bddc15d76150d120a7ecc16419e3d83484768e67864460ead1b889df9b1cc1664049a0bf71165269eb69f241ba94a8363b7d216362b822

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b6455669c9ebbf16b9398c444c16347d

SHA1
55cc64f7af4ec4eb18b8a166ff5bb37c140c0b68

SHA256
4821ccb4a3d546122319c271c6d72792b3d680b52a477a8300498b7b654c41d3

SHA512
79169f345bec5b39e6f8d723b1203e702cc0c1e2316e2c62a61df534d14063814d0149f06accf95f72051b2f161eda8f08cb97b9e210af4f5d39bf62e7600194

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a4e544bbf018a91d8ec68d9ab8747bde

SHA1
57c96ecdf76344d2b58e05d76d4f3a80d7d43436

SHA256
38265282fda2db49a034264a88a70098e5514e8fd58831109a9f5f77ae885239

SHA512
65ad7db0ecb560f866528ee6b894a0fc15506ffe41c04d1c86837ae4ccaaccb2d5cab11a2331566fb9c433ca5b498818c1da67d03b32d31de0979d97be18f596

Download Submit
memory/1532-157-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1600-0-0x0000000003CB0000-0x0000000003D17000-memory.dmp

Filesize
412KB

Download
memory/1600-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1600-5-0x0000000003CB0000-0x0000000003D17000-memory.dmp

Filesize
412KB

Download
memory/1600-71-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1656-158-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1676-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1992-116-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2032-31-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2032-353-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2032-38-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2032-37-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2172-65-0x0000000001780000-0x00000000017E0000-memory.dmp

Filesize
384KB

Download
memory/2172-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2172-59-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2172-53-0x0000000001780000-0x00000000017E0000-memory.dmp

Filesize
384KB

Download
memory/2172-60-0x0000000001780000-0x00000000017E0000-memory.dmp

Filesize
384KB

Download
memory/2376-92-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2376-492-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2376-86-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2376-93-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2688-145-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2812-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2860-80-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2860-74-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2860-491-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2860-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3104-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3104-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3104-360-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3104-42-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3184-113-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3184-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3248-161-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3248-496-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3492-117-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3492-361-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3736-103-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3736-98-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3736-114-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3936-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3936-119-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3936-16-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3936-22-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3960-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3960-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4108-497-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4108-165-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4300-498-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4300-166-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4364-128-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4364-495-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4584-159-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5000-72-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download