18538e6cf25935a0a9797e40e7f7c0d50ad6a913df821a0fd9faedad24f76087

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
Size

24.3MB
MD5

890a9ed2d489d751abe944d0243ddd24
SHA1

754c03378d5fd15c95d296de78524038eb5fa149
SHA256

18538e6cf25935a0a9797e40e7f7c0d50ad6a913df821a0fd9faedad24f76087
SHA512

a62daae3d06162fd7595a13e4b6427ab7a61bb6759700fca6e98840f68cb74715bdecc8ab9173dd8b0ee8dade30cf0058b9fbe9ffc2c4b2fac9147f2a3e01c55
SSDEEP

196608:MP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv0180Tp3n:MPboGX8a/jWWu3cI2D/cWcls1Rh

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4840	alg.exe
5000	DiagnosticsHub.StandardCollector.Service.exe
1640	fxssvc.exe
4476	elevation_service.exe
4704	elevation_service.exe
2872	maintenanceservice.exe
2700	msdtc.exe
2064	OSE.EXE
2624	PerceptionSimulationService.exe
1692	perfhost.exe
5020	locator.exe
2352	SensorDataService.exe
5060	snmptrap.exe
3292	spectrum.exe
5048	ssh-agent.exe
4740	TieringEngineService.exe
4420	AgentService.exe
4000	vds.exe
1768	vssvc.exe
4956	wbengine.exe
3964	WmiApSrv.exe
3348	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\96eac6a48beeeac9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaw.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000478ce6dcfeb4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db774cdbfeb4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008dd651ddfeb4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003078f2dcfeb4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c7611ddfeb4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a3df7dcfeb4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0154adbfeb4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001c33eddfeb4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0ff1addfeb4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
5000	DiagnosticsHub.StandardCollector.Service.exe
5000	DiagnosticsHub.StandardCollector.Service.exe
5000	DiagnosticsHub.StandardCollector.Service.exe
5000	DiagnosticsHub.StandardCollector.Service.exe
5000	DiagnosticsHub.StandardCollector.Service.exe
5000	DiagnosticsHub.StandardCollector.Service.exe
5000	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	1640	fxssvc.exe
Token: SeRestorePrivilege	4740	TieringEngineService.exe
Token: SeManageVolumePrivilege	4740	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4420	AgentService.exe
Token: SeBackupPrivilege	1768	vssvc.exe
Token: SeRestorePrivilege	1768	vssvc.exe
Token: SeAuditPrivilege	1768	vssvc.exe
Token: SeBackupPrivilege	4956	wbengine.exe
Token: SeRestorePrivilege	4956	wbengine.exe
Token: SeSecurityPrivilege	4956	wbengine.exe
Token: 33	3348	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3348	SearchIndexer.exe
Token: SeDebugPrivilege	4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4172	2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5000	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 4552	3348	SearchIndexer.exe	112
PID 3348 wrote to memory of 4552	3348	SearchIndexer.exe	112
PID 3348 wrote to memory of 2512	3348	SearchIndexer.exe	113
PID 3348 wrote to memory of 2512	3348	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_890a9ed2d489d751abe944d0243ddd24_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3696

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4704

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2700

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2352

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3292

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1952

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4552
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
726f63096ec81fe4db4cf7b9804a77c1

SHA1
a156f73273e91ff2ff32288639a7c16702eeb41f

SHA256
6131995442aa7d4b80509d413ce46d24099b06c01d1ecb8529ae7852a45f88f5

SHA512
cf84d01e3c649b16fa658dba1dc1d22e50748819a6fe57616b507e08e31bb2eedf0b318372b93218763e2f73c65b1edcd25d4aaa86b8fd465f6784059e8a1304

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
da4a80b580356224799d9e6c323802b4

SHA1
16205b44237f19513ef6f17df6ec8b020c8164ae

SHA256
b4d21fa5575404cfe36f12d16212379eca2d03a973a6003c9f31449ac7e6fbdf

SHA512
442b05a2c85e2642890ae0b9de2edba8e735e479f04fff75273899544e8aef4049a54e1ef117815c5b826df254f4bc7e09803f15776db3b5d96f047313cd963c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
1f79cb8d0449f8eef299744eb52a9578

SHA1
f5f2d029ebd5eb403493b9fdc90ba990d522fbc2

SHA256
a75a36da72c1cc9fb7892a0e321f1fa1c6233095e84ba7ed857fbf0ded6f4bfc

SHA512
6aec128187afbad00339574b874a999e1a7ab578fb2e93c7d07842c489e5f48efe2f2be9e086c51424464d77ad9a510827fdd4f4bfab090acd0d6f970e5e3174

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b814de293027046fd8f608fdc4d91ccd

SHA1
b6ad5e7614166efd83224ee138de2695f3ca9862

SHA256
c2b7d4adf5660b54059d89b1b8e0a2e5a2c884b6e0b7e00207643dad1d51d8ae

SHA512
eff5d465aeb7d061a4f2bb29db328aece7f0c6f545f1c46ed18a260d479ec24921f1fb2280710f16d75fb0eee53be2d8a69df0c6d59d1d33f3e58b5ded911b60

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3b9663e8b70d8dd7b5657334d5813ac8

SHA1
e251bd9ee33c769fccca1e0ebc24c3747823c200

SHA256
7a352b0adb7727ef14f14223edc231fb32adad8d80c998f9ff7397880900cd23

SHA512
91df3a66c1c1643671c9b9e5cdae3a5e079a2ae941372b23a3f13fea88a64fe192c0db19e11f2ff3a4b3da5e4485c4d6f5fb8e96a8c3ba4e714beb4b747d51d2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ecbf8a8e1068021831b5923b0e44dab3

SHA1
7cc9c424d53c9b89330528d948ccc316e9b88224

SHA256
a925601e6ae32161be54c370055db6f4c2d0144d68230739f8bbbe06e385ed67

SHA512
f5724cf52def7f086b980bc0794bf81caa7fa5b1b8c91024c2826bf9453c78941de9a1b86bc86905daec9a40ffb38afdf33b1cdd8240903e63707e5d5d2d792f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b7868508dc8f34c42866c56c18e5d7df

SHA1
e7f8c8bdd10a7abe820aa08dd86a0b7bbd6fd065

SHA256
687897a7eb25bb19eefacdf0647f599a571e84b6872013dd1d9a2b8c739fa0d2

SHA512
a336cc9d82cf0ee6b88530a1220dbed73579a6eb05386817d29aadf04f74c51c83d334f1bb3262ef9bfca89a42e366fbf7576df42572d7a2e9940b75200a7074

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0f87bb77836c9833c3d045284f0cbe01

SHA1
7e2d68ff4c1ee438538fd2fb14067f459014c172

SHA256
c1c25cfbb94c6a44e0765d3fb28fd840fd8f22f51531f9fa69fc406648af348f

SHA512
fcbca1e4c3e3f3ba0d8e2f2f6c831b7643872c22fb3138836afcc1fdc1f2ff4b158009cead1408ccd9df48e2f7dde9fe91c89da80eeb9062cc477e52e4326a1e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
3b7124f2310b5aa001d69c4c7a677ba0

SHA1
d01604c84a0271b0b1a7ea45b6b41ab2651d2d72

SHA256
b639a73f42c1b3aebb96214d229aa30c2adbb8f9aeefdaed6eb4977b92d39cf7

SHA512
52e28bee9e1a2a97c292e9fc794e6e50bec3467b80e2be7d1af98c76cc470ca4c0dfb4a6c492384feab3c9d3ae5d0d2bdf3a4dbceb96fcd3aca0f2ce1dea6544

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2979a12a5d20352d78a5fed5ce5bfe2e

SHA1
a03cb80fa48ba1b98b5420d086d906f4d3d42750

SHA256
453740a4e8ee7b5ea715f6758e01b8675739aaf1698b9433fe346405da8905d0

SHA512
9f72956861ec5a9a4fb07116501ea59c579465bf20cdd15cddc6193644eaa7f8cec24274df3b824e99a85042071f499762c98b9bb11f5eccdb75091dfbbb6d00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e71cab47c5fe642ecca2886c548d7661

SHA1
bfa666aee2f919df562f98a0ca007208f7b09b60

SHA256
ee27b9d4b09f39b2273a5ee8e33db563853e53a5039b9609ce7d7e68dcc1519c

SHA512
ab301721620995b627b5f166adc25d873655974371af0ec28b58d6e1d483b524aff4c40e65a0ecae469f31fa9d1f1d0105711667b26c125cc2a9fe6e6b368151

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4e997c34d3af05fc057c128348634b3a

SHA1
1ddca82a9045abdd3c3ff873c08d96e50b0430d3

SHA256
f8b9ac30e0a497845fa97f1389c024355cd7fb5e6f67891f69574f1c3f9b9901

SHA512
d1cf65b0ff37caa04f2bf8ba1da7037bcfb0c712af58ab8221b2a1d64e6d1629dfdf0e0a4cc91ca99ae142e2e225be480ab4a377cda90245c5c19bcce6d01f3d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e7b52e728f13f35363cfeab18f1d2bbf

SHA1
ae159e39b3ce0f42feefac917af896ddf33f2a00

SHA256
4982522692797d9dc07922246ab6b4d9d97160cede24dacdb4b2017ec76d2181

SHA512
eb799321a86404bea882fef4305cd3b126f451a27aa0ff14d046fc1252fd44a0c36fac0c150a3cac535996cb4aff4f5afb960f89cde66f59de953485ee235a17

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
5108efcd2fcf73b18a30b26bf015153e

SHA1
0d11ce1ceaaa5ac1e94e89341c7feb0836b89e4b

SHA256
a3c540e4e766dd4e8cfba228ed1b44af78f9f727ef7a6570d52025b9fd686c0e

SHA512
9515237c57934e46e797286f14d507399e04e50c0c58dda1aab76ac4716e811d14922ab2832f1f513472d3535fa25aa4f97c2af25ea0a9837fc2034667818cb3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c2baee4ecb8e005df490c37c32ec6ee9

SHA1
80a77ecd1c40e98fbeca7b76836ef755fc3db8f3

SHA256
a3056a1862b4e53f42267ac1fb9f7c0a036342e1efbaebd910e113ea982ffc5a

SHA512
cc253872a46bddfb286a87a195ce73b36eb06765003c19c6cedd79ef37d9cf2b2c5bd9c333a379d526f76c0ed9b294cb206ee727f3a811380351ab5f6980815a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2f5e5a6fccad34d3e329987d1a14b9d0

SHA1
134e8fd2ef5c2751cd0ed14dd801924c50bc33de

SHA256
85e2f89f90af034ad0c9626c52c4563bb17cb3be732f8aa63e7275fd471b0114

SHA512
85d1687d5aa360070a857ce3ec7978d4ab7398e21fbe57c1e2bd6a5ed7d05f37f3e3ffe42dfb724d42d8b124ce2f88de309681f34acdec15b097cbb72e4be09e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2ceff428dadcd74ca222fc6ef12e0ea6

SHA1
83f909ae499f531119fdbb0a3c201cdec0629659

SHA256
b856c37b5100689139c9d8000c13e79b5a2349e4a553bc00c1a34ccf51dc4b4d

SHA512
14b01d903f79c1c4daf4899b53d3f37200f6a0a980ce037dd66323eac4d5aa3df40514c452f573df0b24927810f0f0e6b4b496433c1b7760fc430acbd2935c55

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7d3025b986dd11bc480bd91cd618c68b

SHA1
c2f39e77b4573bd870afb6ccbdfeca9e872c106b

SHA256
f83e8ab88193ec1f1867cf477f442960d9555e9dfa24ed58687518e2ead4ad6d

SHA512
3212f0f1c56a1129d27e3dcf1bbc3095c39b119ce81a73696e70c0eb63f32c0506fdd90e36b3ace681c2890cabd7987fc0d69b0650925d92d799ccbd0f98ba9f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
2395ea559729f727fd6bb632f7d7a0b6

SHA1
93fd48d82c1f543af2177bc5c36799c0ac78e229

SHA256
1b7ac82ab4833153d65cbce96bfb2f8e74dbf7b941a8e278ed5aec4f48762d8d

SHA512
033546cf5ffe8eb6de2aa258001741fe37de530afe13b484692a7555a1ee9bb30250a7ef9d7948fbddf62e9c1abd2951e2cc2b7d6be7d0b3facbd1bf6a18ae73

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a789e11477b94a4433c173719573b9a2

SHA1
fd8fc328b5d8074f15727d6928a9acbc4a683cc9

SHA256
f2112d2eb031940f1efaea3865e361b85d432840fe98d0d1505cb42f11e9043d

SHA512
c3879d2733eb1fbf0a248941d916b87ff1a18d692ff0161533ad2caf6575e0cb1bd2c79102c5d6f6d2cadbe70e6907c643660721034c84ae932b5211d231e481

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
a1e5b75d090f5e0415cb2719d9f0579e

SHA1
f3ad3f233065dd6680aa85fad4c70b03110fab40

SHA256
0a5255bacdf3b39f44c3efb67dab16af092321b17a6e74b32b89660b5dc31e0b

SHA512
51b272648d8e5cdced441c09591052d9d30a0f8ae836259f621696a5ca793f780b17a6ec3043f5b55a334dbbc3c1861b3d234a2b0af6090c9defe753db947976

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
7ef23ea685caa555e3ad15dcdadb8506

SHA1
4264b548020259c537448f5ba6e3ca223b88067a

SHA256
6644eb64d3dcd6551e5b80f6d5cc4ddcbb7960054dea178cab2835c3e285d431

SHA512
5e9e8c74300e030d7a668a5c6961b867f70a2c25d65ca1c3df30045e00486e454f637792ad82c796f4e5ee45820c2ae7121ec6d432a4c3dff3e16047f483f333

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
10f96ee88820790f0b7457d8eea87404

SHA1
ec00c1ccdbd98db97605322434a55d8d09e19df8

SHA256
e1d057f991a6af3f1d9796e64ddd889910ccd6d229f6a7e4c5c978a7384b61a8

SHA512
87754baa92c3113edad0c2e0e875d5e7c5e073c3e1ab49e3576de651f3936227ab9f6d01bfc0c2ec261d753cff1c91619ec50adda8c42e63544e44150360c5e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
146170c1abf8aabe07d55bdf2f07041e

SHA1
b3deb639195ef4b7cf7daa3cc225c3e0da679be2

SHA256
bae9a3eada361f5d09c84f8d680ccd88c6bc4f2d414558e781e9f7114c743071

SHA512
fd366d0ab79be7368a3849ec6080e2557bc03cee47f649231ec3ecd63e3e657ee0e3e1f1f0e507c84c79cbd264b835c7a091aa6bbd196a80e923a6c74560d5f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b418aafa13ebeb16edc55f3344ce5ad0

SHA1
8d16963570d705eaf05f5358d941b348f879e5d3

SHA256
5ea8bc6dd87da911a3491f5c666e9c0b70c5a186b25d84edbe5794bf68d5b8c6

SHA512
cca618fcccbe8fc3b3b7ec5c93f2387d19dbea87bc3b7aad6689cdf15d4bad44a46be0148ddb2c8068eb0649bba87d39b04b754480d794bce40e1e01355b73c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
fea9698087da8385b32dcd66bafe7922

SHA1
2f47c5b2dbc9b2449c210ae20c0b7dce92f99122

SHA256
e43d44bb23d41c3fb395e1035699172f1f27d7f4ca0933fc988ea1aa52fe553d

SHA512
8c34154369740d0bffed81ef286215d2a1259b8d5de634433d25436c11637ec67a564a403e1ae89b628c5e48e768e840b17eabfc2bf27140c1d717adb00557d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
24149e22c61d48e89b8f822197a6ea85

SHA1
c26d34279af5464caec92a2ddfc53d72d7a115bc

SHA256
d13c340ef85818c8fe55b576fced6832b72fcdbc0528542f38c0b7ef0589d763

SHA512
44aca7672caea44e3d1a5baff5919a75ba8b541c57a9d5e9fdb566fa582beaa32c09d3a7350f5c37845f26bac929463b8a5fb59cf8fe36994bf4e1adba824703

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8b196d80aa6de1da8d01d88ef8a33e4b

SHA1
eace058127875d16a8897219507780aad8fc00ba

SHA256
a1bffd9b7ca4112d85568a3c0a09ad6066469d1161758b12d6512cb8d04464c4

SHA512
43c3a1ce1b2007d45265e62fa83ed16a00450541f2a0bf1c19d5d6ca214e15fc6ea6b9b673cdf121222e1c6a6f079e94a2919acc13d5630850480c4b4eb99f5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2c90e0a4e2682f2e5a47a87c072fe7e1

SHA1
a45680d1789f9a95240d9730006488ed2f7d7701

SHA256
c692665e91b55c626af7e56b05d924441edb972ed93dc0e4fb47ace2ffdca4b8

SHA512
5433f007346d54dc6c404be65620e17d63b314c4f4071d4f41c30aee40ad5eb25c66fe62c67ecebd704facc4b443567e6caa69cb908e816ce16c928b1df2de75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
4317f256d6758af223f60a2172a62c0a

SHA1
e9978e63c59ae9403c8d8ed4fa5a471af9690a2e

SHA256
861f09b83f46ad63866e1185c6c3bdbc48eecd180a23b671936324012f79f5f4

SHA512
7aefad0cfc4578b3f49137d4f684345215d1b9f44d4bc890e74edd7952f2f61e76801ab684853a51903f4902e76eb90fe1dd8981c8ed5e31b9d54d83764b1057

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
cb7f251642330f64e1cee725d1f0f182

SHA1
f17d10092027826b26fd89b1774b67e62373c112

SHA256
ccce737d0f0c88f96d48f0ae0059dc8d33e11b59e6a384e6a19ec08928dacb08

SHA512
be33ee5fc602e2b7a225b2789a9d357ffde699a03ec16294f3dd0d75a70019f3c9d9a9d7c04182f68585e2e2d7e6713bd2dcf69e080b663f8f8de72ba0566fdc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
05166b0fc9efc6fe5ac9508883f5c307

SHA1
49d789da07e8cb73a53bdfc5a5c81e49581178e7

SHA256
d98a8b5c13dd3926b3732330d4bccd30eb57cffc0756695be59fa1cb32541343

SHA512
9111d18984c0b181d2c6e988d18b5c9e76d0b61c9afa7a4f7e8509860919c998750fe25be375ead8be13c3a1b04378bd41afd7ee1c6216a16d92e8670894b896

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
48064707169b1760e9b2774742729488

SHA1
391b4a4c1fb6d7704c67a9da535bda33607bf424

SHA256
292248c8ede73649979c91212f37f805b45c7b758efacc43e800238b978ed435

SHA512
ca9bd07e50720fb9a199016cc5b8db18be739f87f88745f90233f9f49502dfc9f017b361a3d4bc57644f4e1de0ff5c35a26e36cc02cee50ddd9e9176ed242ca6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
814c897a2cb6ebfb7cc5ed2e315812e0

SHA1
ec91fce5b753ccabab794e0f3c22ae6862466759

SHA256
41be64dbb1325690293890ce7f63e96d360ec0164633cc19aefb625987482834

SHA512
269f6cf6ea8f1c40fe143149e646626a1ad62f9a87a25da90205889a6df80026f7447af3a7be69eb5971de1639e003a295b891c2c32b10247e7c08318c31fbec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
eb46c463f13c7fdaf6401b2a9565ccb2

SHA1
6b0d66c5adf8e3d2b5335e3e602d710d7b59d099

SHA256
0303105a6f691b316382a673e74851eef41eaaec4998e6d13d74866bc43b2180

SHA512
e11a0d69539b3ac62d643a99419a26525de84de4ac64c036a6b8323cd3e1e6c1d2106af0dd325b64f582f6dc5fd2914c79948cdc38ad8baaf8b73af9e31e73e8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
997f5f35f6a27f83ee39552605d267b5

SHA1
5b7e9353644fe6c2ae2fabb47616768b00db94ae

SHA256
e4992d9d85ccae07b685c00226866dd694f724d30875c7ef6fc676d4ebef7c2e

SHA512
babdebad109a4205af249ffb276e62f71275079267d4efffafd1b533dd21e73582b8fc316b1140b03e95ea76e773cd24d6cb47834ebe7760f69d7c4fcd2a55fe

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
4ab1dbc532524a7bb42f4fc87ce76ab8

SHA1
c372e3135bc70e3e77ea627717d2f8278952a3ac

SHA256
aa7c4dc9e8a467b59fedfe12662d110a1681c3e144452a5074e55fa75c79cb75

SHA512
e57db270a5668f043c15487525d2de492d20d1d45f546a6752e48ed20194d1da59c2dee648187144a74aa60d965dc235e252980b08d6ed6457c54dc472a563c4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2ca66c4211d078b3d5e7a8807c13a6ec

SHA1
093560ad0bec5da1f08175ffcde1b2a19e1dc18a

SHA256
d30cd3f506af86075f080b0ad29fede871a618dc4258ec2ff40eb154a60530ff

SHA512
4f1a851e5a4a768d700c663acbe5c7fb9d0656ae96f3e1c14a61bb3953cba2a8856011a3367b6dc4ac367dcc853b6226dc3c1f77341bc43cae1fdb2ea7951485

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e5d4092abe5b47db6141a931b796cd64

SHA1
8455f24c48e6a3cc2a0cde603df84d7952dcbeb9

SHA256
1b8ace87c15fe64e8be3360a189acb62b65a5ee8814addd12dec9a6349f80d36

SHA512
656fd37f1ca786d0d34cca125874e6e0fb66eb3963bdf539844e22a433e8f3fecd630ac354e8c3d51d045d2202e8d0b40e6d462d288e6e802a88bf38249ce74d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f6ed24c1affaca929efff3b8a5253bb0

SHA1
97b1ea3b6e89ecb9263cd727e23f898519beb6d6

SHA256
ebbbe4f76cd06b6fd27f7f963af4335de003b99a9d37fa3cfb7c7160ca1944a6

SHA512
ee628116c15342e0f34f47b2aeb13633fa7c28677941d0865cf652f7e8cd4099499485f4b4e9fd46969c63d820d454fc07cf825d7bdda6f19c16b6316e7a474c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c7c174ccd639b28787bb88ba39427c51

SHA1
8d299e80656aa1742fffb36c8575875666909300

SHA256
ed000d7b56c61cba30c6b768a085f5025524ff5174ce57e642e68591c333333c

SHA512
bf60cc926e4b32037222924eed2466ec2f1d2dc601c95835f6c6014b98a668671745e5e9c516e2c15d3ea202982224f9f4ff7aa1f9259aa5d4a02c8a7577b319

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ffde04605162060ab60ea5cb4651a778

SHA1
9049d0fa0b1e862e5b9d6d5d62e2f676100fb6c8

SHA256
7df201469c52a9e3270dc8a9f3012e17ae3cba32d7516511c5044177bd63d8f2

SHA512
298adb20be3c1393953730962f7c40183f364c260cb48598e6555f0bf34309bf92135d740b15b9741d78305063916a6410a8d6df7c5c1a7c4b0168aa6ad1503c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
356c1e0674dacb8eab6c05b9c849613c

SHA1
891963a56f4cd72312b911c29103dc2647365946

SHA256
a133843f6c264d0e38e3d986ccdba187dd7b20b85f2ac0191550b837853149e7

SHA512
c36b05f47f7634b712964d72c7661eea6f811c7c4077667fb6b6dd9d741abb8bbb4a36f021e35226790e7858829b74f64ff6484987a3225cb1ba28485bf9667f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
73bc4c30a9cc3736702df5f7e5de245d

SHA1
352e81c4a419eb411789a24f134363d8261f6fe0

SHA256
d84b0ba3ae8fc658f63ad467d2ebd7725a6699fd1dd428595a28fd4704157e2f

SHA512
4aed173a4c5f9d0c371cb56c650c68cf93aa6e6d0a49a2f491fee8046ac7535bed7f2c524c7a1357d750186fee1af65e1ba3f632b40e22ad9f81de9a00abdabc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
48e1fc7f3acce3a1ef44e422e6ff8725

SHA1
b0797bb04ef83324fefa3bf7f791438171cdabb9

SHA256
7264bfe13e9a6d42b6c36cc296d9b65063b7490352b93bf33dc1daf18bede071

SHA512
c11bdfac21ac1a2d393916efaa9cc9014a9396aa04587baa7268da31ea9c200e95afc67ac2ec46d29165d37cfc550b560755ad3e71f7bb4d8979e8649e2111e6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8c8249caaa7bc2f13d6a54304a6b7ff1

SHA1
86b4966f4cf9b03707462a372fbf2c4ad101eec1

SHA256
edb70ae669499e4f11c03556721f4a112359f155909e496aec028e3e3ea31e38

SHA512
7dea04d8fc9d00b6f9ce1d6512d14da13e4845ab1a6472771b9e23ce03ebe66518f09b1fd4fbca410d19634905c9554c648047ee13206a8163e66c7fc486a444

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c6942d82ff10acfd0f5770c09998230e

SHA1
3817c22cb15b014d75b960ffacad1d8306d1fc24

SHA256
cfa962481848de9e605f25e0cb730844348a0043d419f9174be06d5446d0c054

SHA512
f3b4cb10e37cdcca743b2493c8d75d02157a175154d20da2bcfc26719f9773b535fabdb3aa2e568e389e0b22ffeb53b3cb3dbe444352cf697ada169656f4ffa4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
4fc6e3cc5107076dae175990aed0fae5

SHA1
abbbe34f370331a3355d1c499129842d65519950

SHA256
9f7a3dec4e318d3c16bb3afa431b18921dfd81ed639a1f858afc5b3c366a1b67

SHA512
7a05c9b3db9d04ab0b6ea8b0a918ace08bdf00c30fae98ff8229af6218211031861a540f134c8383f0682be7822a4c2ae54a2d487a43f8bb8f74e33931efa85f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6fad271d27f4291a3793ae368b0021f6

SHA1
28c6b73c2b855f2a848f6d984352f2962f656019

SHA256
ec21d278333e83c118d5718d9488ddb77918b24d22ccbad7905f316812586670

SHA512
ca9fffe1d5ffe99f54e7aab2aa43b0840b8571ac4fdc490e440eaf69be8e66d47c8df45455461ebaf44123831a14d86359ec414b770b557a362ed1290c2123b3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6c14ca5dc747612cef0cca0f8baed294

SHA1
8cf5e983dcf6e2438168420f78e1280e71a89980

SHA256
0118742212e9f9615e2a7a6b30d3d6b9387a8aa54c1455df25f6d9fb7f6ffd48

SHA512
1275d540da71466440b52f0d6471ffd324f62c72be66588b254ccf43811a6d70357343aeb3f6ae682f597dd745706a64aa1c5b305b9a62027301efff2018bbad

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b1e531df32c8e0768394c22eee5406bc

SHA1
1627764fff06b18b541d81387849701fce6efccb

SHA256
7c83ba81d79db6f03ef0d83a639d440805aaecb1d3ac33209f5d70c4a73748b9

SHA512
ebcee1787eab38968c98ac6a7f91d2b024d5704be3bb343d00f54f1add20825919f0ac9c81071bb032e4cabed6decbd7708f30100443ebe6c274805c9655a1d3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
61cc7a4617bfddc101f1fc61708b0e92

SHA1
d8a89f320286825525fcac7a7fdb54d5467e90bb

SHA256
3284ab6a03f8a223ded55bba8231886c1d79526f711b6f97738c46fdce765175

SHA512
2d94f6c5b1f240b906ed9f25e14c97fb8e9ea9b129fd15eb2de580ffebded5ef6c17595c87fc2633b59c9f951f5014ed2e93afe621af9ffb3fbbb30955ac16b1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
308fc15d02760f551fd18f284a9d1599

SHA1
9376d56b53de3c2ebc610dad041bf829313de487

SHA256
41058e284c00287e1723510176784b8dea5edda67eca3dbdc474cabeeace6092

SHA512
62d797050240c3e038f55d335c5e62bf24a053e27369c96d177d4236a63e7f8fb289351034fbbcfb7c6e23a0e5456bbb944ddcbc8d2386b8185ed5f07828c069

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
070f2e51d82c0dc2fb8540d2170baa7e

SHA1
c5a007a847d8e24979eaeebbbf20ad5d21a930a5

SHA256
2b72355aa47756cd6e6b7835741f36791ce0daebc940b0f8ff2b4e57b995b077

SHA512
07fcecba586085457df63ee8856e8f0c36f79fe3f684a12b6127b966e0be28f51a55ba21d71ec56e82cf98b4692be6ec2d175ca07d68b72c6bead8e4b9a820ba

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5904dc3e0f8e30a3d905aa7183a1c229

SHA1
035fb8e472a1c6edb107b296e89b6ca92deab5c6

SHA256
03cdc3bc6da3f8a1de96df26b4ea44a2031c522f689a497c219cfa43c43eefc1

SHA512
c150040301307f373c022fd4bdd5dd9cc53aaed5604f0f5a65544d49bb50cdefc2529a157b492c52dc1bcf8df23f25517b37a88935045b87c0bac71cb7ddae42

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8b064fbe25755dd168fd52734d9452d7

SHA1
d66685cc88e4287b6d40bc6d1641ddb5516da3d7

SHA256
6fd15c40638e0ba816c25b8410c3d235b17e283619223ba9e91bf6e3286bbbd5

SHA512
d20415e4e5e23d52e21f40b2e1d82fddc56cecd4b9ceb8c4cf91bc36904849df734cf0da281f9197ec39aaf987d92556c0812e0c437e9764c7fd8487baac95e9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
3f76de69222fa62534a185e2fd33882a

SHA1
57cb9e0cb4d9aca429279f48d17bfa90a91e94ad

SHA256
f38359ad40ec8e5c9ae28ffda75a884979b23c7d29c00174b2d326831858cbbb

SHA512
06cfe614d428a36b7bc0aaf1e9b7382bf0a0775a6ff4ab9dfff57856e92cb45bfea09c0e15c1f9c11159cae5de8dc1406ed7588f9766c6a46e8d814ad720e79d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
8c5f511594f55ba649f291f1e32bc802

SHA1
171495cb304b9ec6059df2099ca90924e19c322c

SHA256
efae99d7f95fdd23b526812f9598919e4da1f56bc0fa8f79f8c809e34fe30677

SHA512
70c41d00251840591e68e6fb8d707aea13e2d26144987de826eab0bea505ab7f2bcce592303f0de5c6b3df16cdf68d5cd016840b7f3b3131b2fb03ec8c3a5b8a

Download Submit
memory/1640-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1640-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1692-99-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/1692-427-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1692-104-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/1692-98-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1768-158-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2064-81-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/2064-75-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/2064-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2352-112-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2352-428-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2624-94-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2624-358-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2624-87-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2624-88-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2700-167-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2700-68-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2872-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2872-65-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2872-53-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2872-59-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2872-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3292-141-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3292-432-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3348-438-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3348-168-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3964-166-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3964-436-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4000-157-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4172-0-0x0000000002060000-0x00000000020C7000-memory.dmp

Filesize
412KB

Download
memory/4172-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4172-5-0x0000000002060000-0x00000000020C7000-memory.dmp

Filesize
412KB

Download
memory/4172-85-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4420-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4476-30-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4476-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4476-140-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4476-36-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4704-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4704-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4704-144-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4704-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4740-145-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4740-435-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4840-108-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4840-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4956-159-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5000-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5000-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5000-15-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5020-429-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5020-109-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5048-143-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5060-116-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5060-431-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download