0862a8d48a17a68f86bfc42f3cf15d933d6e3c6c97de582160c380f69d406e84

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
Size

24.3MB
MD5

09d7e5df9cc14e88876fb0224f1194f7
SHA1

34850594fdc0052aea81784f8c7cd60419540a81
SHA256

0862a8d48a17a68f86bfc42f3cf15d933d6e3c6c97de582160c380f69d406e84
SHA512

795443fdf9e301fab3b4a5cd8863300a8750bab3059cad05f650d886d63b22e51026b81af2e4005092a7112219b740037534d394c0b0dd876c6c2d4c607ba5bc
SSDEEP

196608:bP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018tP:bPboGX8a/jWWu3cI2D/cWcls1i

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2500	alg.exe
3816	DiagnosticsHub.StandardCollector.Service.exe
1708	fxssvc.exe
2296	elevation_service.exe
856	elevation_service.exe
3804	maintenanceservice.exe
5044	msdtc.exe
552	OSE.EXE
3792	PerceptionSimulationService.exe
4020	perfhost.exe
4032	locator.exe
4072	SensorDataService.exe
1336	snmptrap.exe
1652	spectrum.exe
872	ssh-agent.exe
3804	TieringEngineService.exe
416	AgentService.exe
3012	vds.exe
804	vssvc.exe
3164	wbengine.exe
4244	WmiApSrv.exe
224	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\18f9d42ab3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b239cf160fb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078138a160fb8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041673b160fb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dacffc130fb8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001041f9170fb8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1311e140fb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fce0d4150fb8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048fb6b150fb8da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	1708	fxssvc.exe
Token: SeRestorePrivilege	3804	TieringEngineService.exe
Token: SeManageVolumePrivilege	3804	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	416	AgentService.exe
Token: SeBackupPrivilege	804	vssvc.exe
Token: SeRestorePrivilege	804	vssvc.exe
Token: SeAuditPrivilege	804	vssvc.exe
Token: SeBackupPrivilege	3164	wbengine.exe
Token: SeRestorePrivilege	3164	wbengine.exe
Token: SeSecurityPrivilege	3164	wbengine.exe
Token: 33	224	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeDebugPrivilege	1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1600	2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2500	alg.exe
Token: SeDebugPrivilege	2500	alg.exe
Token: SeDebugPrivilege	2500	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4928	224	SearchIndexer.exe	119
PID 224 wrote to memory of 4928	224	SearchIndexer.exe	119
PID 224 wrote to memory of 4420	224	SearchIndexer.exe	120
PID 224 wrote to memory of 4420	224	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_09d7e5df9cc14e88876fb0224f1194f7_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1056

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:856

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3804

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5044

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:552

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3792

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4020

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4072

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1652

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4428

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4928
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:5292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
cf4d207b4c708bb3b462d7bb731b642b

SHA1
e478fea4fea2f8d552f2ddbe0b705faf470c26bc

SHA256
674573b3e19b38eb33a1ce0f9d5302660a2213989064276162fe1a844d7bf11f

SHA512
0fdc4070429cc3a08dc0b1ce7838235119a980903f884f2544b760f7238f4ee9a8283574a9926f10ace3f9b16e00a969f67acd78d0a3f098bb7ac5872ab047e4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
da07afb7cf6b8595ccc66149efad0a45

SHA1
40d5e246d8098685f81621e115e55608c2701f86

SHA256
354f0904ae33c29b10f10e7b9de12de56d185bf1a584be408ce133be6019ee5d

SHA512
7fdbc5b03a59588c8c56aa382f43d81746131712fa2e3102c18a685544bbb0f8625c3519afa817a38b2d7d87998d6ee98e93d6b61e6e2f42fdffbeaf87ffab35

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
bdd16380ab2d3e7735bc6ab0e07f5041

SHA1
d82e701bb0599374946b74e51d9d3bc9f5c0e638

SHA256
a899ea15ff9efa87b0d0eddc8d8ebd42f7a1cd55f137b5fb62b7ad364779bca2

SHA512
6f8a7c3413bbeaf975e4fa6a3ff9bcbf217d478b113fbc863eb4a150a689b5fdef3e6b64ce52e9d841330ee6ff0613db6e285869268ad48899d0a6b3936e315a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
499b964e6a9c6cc811d04ae9b47bb4b6

SHA1
923f3899d50ac65b42bb34c469b1ef22f65413a7

SHA256
6195c7bcba01c93b1cc3967c0d057b1998b8c9d7e7a617d0084df1cb70ae71d8

SHA512
fa0861facb4a0da1defde59006bbcfdfa286673005082a132d9fa6517430a055a6709baa4403ba8b4b945341551d660c26c65f12cd69938ca80fbd1cae1bb9c7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1cfdebde2229ac6889265f3b73aab8d9

SHA1
00240ef5d0f86198b36113edbf5b0dc073529df3

SHA256
7255121ab070cb40532f7a96cfe2a648da08fd01fa98a4578da1d3cb80701912

SHA512
77474ad5553b5599543d96ed8bd77d17f114c488a8d4a975ae702bcdfa4bb5c8ad0c94c2ab35bac6bfad3d2ead2394f937f495ea1243d5ef88718f3311da3c72

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f68e246ee7e1ad1cf9248fcdaa7e2e9d

SHA1
04cd77d5ed8dc099ea77a882299747af7dbfe83f

SHA256
45dffc1b646ea978ebde19837e8790ad902033ba2fd8b6acba92e0bc10337fa4

SHA512
7c286d5c12f2bd4972ac1ea3ca886548115cdf4b3cbafb50a60db0ca0404f034255f03fe8467b4d3e5367e20ef923dc509b069691483862c925780b8e89313a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
68cafbb26a12655fe62d035ac2118f2a

SHA1
60078f5de9fcf5607ef378a4c8ad6d0750785bb8

SHA256
c8f254d3b9c8bcb6d308a7581bf60f86c0a9f6784f99a022b82e85490d9e5929

SHA512
ce1f50dea088caaa6fb96ba78eb2a345860f642618256e8c025cc642af9edcd73006678a225ccfcb348f3b8c2e2ecbde92298c23239762fb8b8b79fa471739cd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4b272072cf00dfa680f5da2e19642d14

SHA1
c4914686502283059feaf0db0b9c231d80640903

SHA256
8cbf2d709d6f99921c050aaaf72cace703268c144143976dccb1bfefa49fd9a7

SHA512
de802c5d5ce1e52ac7a533441f4ca662ff2c87c902ff3a83cf57998040e7105e17168c4d5c9aef61702a43d00aa34a6775915d4e599dd7fa95b4ff31c94fdd6d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
fdc7d61e93f4a19af58e1cb7eea0eb4c

SHA1
d6d727eaef1ccd6b46b0b7130795d2e8ae89220c

SHA256
0a3c5579b7be23ac25df8312bc483fad091c09f70cbe47e4e73f67db7c4bc68a

SHA512
6725ac1c2faa833afee8019995a74f3dba4000002e21f79b2c6ea32ef43b5b2a4a3b5c2d1c40badb8c534d632503c8da7a4425fcaa12d334820692946a09a797

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e6ed547c974ee420394cd04da74c7a2a

SHA1
04eb0b21d6d83ee8c34c1d6a11c54b1ea85297c9

SHA256
e23e0ad124db71bcb34c2fff73391d3bed6192fa2a9df8b8362680ebfde44725

SHA512
109b833658d5be97cb63e58782624089bd7d673d30c3b51ef7b33a0ab697cb2d97875c9e7b2c6c43f2faddbc50262964cdee4552097f9ba686235bc0e1173e00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a8d23cf2b94c16c83b8668e0c29a74a8

SHA1
c287dadabc35bff61a7120f3f3cfd8e48186a316

SHA256
cf721ca2b0f20ff86e2fc1b1a3af84aeacd01978e6c029203f3f6d6152574a73

SHA512
520c8d9c20044fbc23ffe289c3b1eb74f08f6aeb783226731a407c061787cb70d9234a1128fc7c253d996f0a9fc1dab9c8bdf6042b8d97c560159575a2bddd1b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
462cdc3ed7008e15abf7930a28f2f684

SHA1
1db50f28ff30348801191e9a5001b354d3c89dec

SHA256
383be052cce205293f05a0d000aed000799cbe04f0f1e8cfe79428f97cb6452d

SHA512
6bc81f4e405aa0b4981a35aa610be4252eefb724c3c81d0e40dfeb7479768b44ae1d488d57a8d1c5fe9732ded067a4cbe6abdc54547bc35150d91226d7f07a27

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
498275d96f65a7da424142934a32af16

SHA1
1fac0481e32cef3a085ed5f473aae5fa2f7d0383

SHA256
f30d26e6604e910132d6033e04080829382c7ff759ca42be50bd6f0745e7d5c5

SHA512
abc16af737ba6b3ff8ed145ff0936697a8d45bd8a203c14df857754e06628d46e55d9367d206448a71d7b6a9e370066d2b6909f48da4c18dce94374422a5f83f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c0346ebd990fd0c50e70d64bba348fd9

SHA1
6b0ba488a6e64e8816c211e7498bcee4544e1617

SHA256
c44e3ff5132074f0071110109840f58004ae5cb7bb02db59c2716696d3153b07

SHA512
1a8e6410fa4721ac3aa22f24c25464181d14271e102c4c175194c979bed1353f78e8d863da2cacff99528b9ada4bf25a38e096c2024bc3f885f6ebd44f8c59aa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
14b36ff6cf1c4c2121c0801ab8cae3cc

SHA1
ec2fb7cf54fb087e07cab8bbfe80e19b602d00c0

SHA256
0b60b69523a935a769c92a89f6eeea84149069af71b049e8643f6e2a0a20ce35

SHA512
b92f495ce057a5ddcf07ccbe898b6c3b7a3d5c796cae0b6b59b2d91c1b52a6210bdbbabc40eefa4b4d86831df6c697870344fd1c4a6a41e971e2b7e3cc1b5c38

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
964ccceb7efe0cf4bb6d53ac0e24bcf6

SHA1
33e9affa41f75a03fd4e6d8c742f6626014e8b5e

SHA256
8aa9ca6072a4f077b150dae0fd2b566ffbbe6bba91f136dc4214ce4b8eb841db

SHA512
eeb31bbefead25e0a84a8926155afcff02f785ede0cae7d1f88a82d319ca0318ac4cc5bb3bbcfe44f85bc61c477fb5eb3ae1af8b8299803c37b81a922e80aa60

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
fa34e49c3e0f9d5f833fae0d7c154ad1

SHA1
92eefae5f8c122eba25505b7e14d7921803b3892

SHA256
4095b46f508588ef96f179ca8ed4b92ddecb4576cd9bfb544c2559b9ccc8c240

SHA512
ea6dbabf54c5bb51573730b088a00964099a1b14773eafa948e6f7bcb6c1c2d1af95ff4aad93bdd237042a32f0cb794a98f253762b1b28c99a7e42e27e9f8d38

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
185825ca56841ed8499fc9d65a781273

SHA1
e4621b78d38278f4a8785107646191e0ea9512fa

SHA256
87541a143f55bce5e53974e189df833e564562b24a85c59c5041509f26b0783a

SHA512
fbc7e6c927a07d031ee3b5d3fc00e0d315ef9af7fda68f5d1e616eec2ab67b7ac78aa6625a4dbf69828769c46c59e3807cbf8288a27448499933d5f8c408fbe6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
cbb1f234e48047c08a6a50c322448b84

SHA1
3411cd50094f994233bdb3fb146c5036b772366e

SHA256
ad875de92376f8a2a4d4e770bf01202eb88b038c3ed3e550bd1ce35485929894

SHA512
f989e4fbc66e8de214d99049bc434b7297b07e53cb497bfc1b4ba1f9ca40c93082dbbbceb30677ea0af7c47071760300fb7117181b3e9d82c06b79fdbbac95b1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
36fe786fe452c12da051e5e7fb06bef1

SHA1
78f44ca694ed471c34ca9facd32ec520ea997de7

SHA256
2995f0103474e4558e9f270ce8dbf67d12359573b7b65b4a7477bce2f489a677

SHA512
5c3eddab8855e8ec80a9760d23c411f43f7f88a75c1f9718502a9b1468972e7b0d5315a6705f3066aacc0fcad20cde535c84afdf0805e895ff5fb8585db60b66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
dbc63a1c62ea75867553ad9e363b99dd

SHA1
7ad511655845fa1513f1aa5f473d3790b0c7b39e

SHA256
669b17195891867a1e13e0b684980cc400a3d859118e357bece5d9d8e069d573

SHA512
054301bf88737f4620d4031d96409c90bc4f71690024e9d1a36a6a1d6a2ef5a6e38184829d8c1550dec88b779eecae9ee0946b7852769f7385ed608e18c1111a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
781d7a649bb5976b064e31c868734bbe

SHA1
a3186e4d4f0e4dace54442d52b95bd901a0b4c11

SHA256
443f0ffdf9f48afe0c6a3c09e24f1238e5072c4fc4a65b2750cbb3a68df2a085

SHA512
c95f00e700fdb5cab769785399676f67d74e2c7375d5d05f8477e26578b244a0dff5c7ef2b5c66dff256794077caf8e58d1f68bbe50c2d75e169326b9d19f573

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
64e889f298dece0f78f994bda91c3127

SHA1
71f976cbc42bc242d0812045b5cb3cc3919ce339

SHA256
6d7960141ef7260a64ade19c88a93f2fff055ca6d28a6bb7cb5e12c3f1a441ed

SHA512
a3874a3f50536f0cf1068b4ea3b3f36f07705716391d3ad512465531db8f314c7562942f24cb44075f6105f0f6a0eb7045d6b7bfeb43d393dc77eaab00feb47c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6d8ec081547717ce6c209d9d3e9227c5

SHA1
5e19861415990650a2a59aa520cb0bdd515cad49

SHA256
4339f1a1c59b217395c69d52325bb1efbfdf5faea0beaf46b3aa8c4dbbbe03e8

SHA512
c41e0462acee54a5d6c82139db0e35b0720b32846dbca47407c1a6178290bc2abdfcdd206091bd50afc77e021ffc0e77c317e0bed8e89774f57e399ea7a22f50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
09568fa0c7030de96a56069c0b0f99d2

SHA1
f5b507227f7664884d50debec35fd4ac6c7c50f7

SHA256
9739883ee3832dc6e5e05b601dc0af7e32dc7ecce3e2551f6f16d22e5aaaecd7

SHA512
3cfef7259f1f979addb5aa758e7d8b35157226800b137054b35c7fb074b5edd3bddbcc76a363d523568ec5324a8dd940985f9d1e89d6371bb40a3bcd6ee0f18f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
a6d66125622cb5a0b9da3d98789c4cac

SHA1
eb5a14a6070ce7713e4477a64381f582fdd29632

SHA256
1cca04155160fd959b79f0e489dda03c27cfaade5e6825f2d1459f08def6afc4

SHA512
609af7cf348419a265b33551e90077f2166a6b09c61f75f255cc6bbec34ad405dd066362121aca6d87b44d2fb147eb3d85d0615996055108a29a44063bdbce8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
8dd81e146ad4a6630072e2eec9117f16

SHA1
1acb0692d5c62052a40ff111290fd8febc8ed94b

SHA256
4f3ae88e8562b7823ef05aaa8295b5ad6a104fd606b7da5e98295261b40fa7ab

SHA512
7b6b4ab2c5d4a47fade3f595ac5da8a136ba84396db846735032cb3985cf2782388f3ad6793a460f7374082d1861284efdbb02073fe5267cebf5f9f4de04a956

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
449f304b8df8c558ded2c286a1eb7335

SHA1
85c992a1b243d3fd9b651460c4a7f3ad88587163

SHA256
6a2e73ba0088c0a230b27f991ef1077da5a951f97d38efc23438c3fb04bb5df3

SHA512
c79f8767f592a3b8dfe413ffb6a383dd219b2cd82385bb04be02db16a2a56a9101559bdd485801a3f9886d1c78bd377408f263a228eef03a75f163eed1c3f5c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3debf18c24cab1f8f76c388d829e77b0

SHA1
6578b68e5390b06781c13434c4cfa7f5c7a1c320

SHA256
e6cb408327014edc95342b138e70cf023fef9ad442432687de05292cfd22ff64

SHA512
9f4f2daef93ab71cc5bdc65720e7627d9156a53473e08c6a6a4955bfd7bfb575fbc8b5cfbd1e4e9b8fcc108972a5289bd570e88720ace4a0a8f847127c56fcb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
568d50660eaf1b3e59b9d0e8e7e43533

SHA1
94bbb1355ea46d54af5a7bf0b2f47949b2bc0df3

SHA256
b094d895ba117a8b22f0659a94a46f37697ce60080f90f83c455ae7b73631ec9

SHA512
a9c491d9e32612667c68a5685bcd2a720e06be9f80d26fa76c0b23d7eb03d7fe93f1a18d8db716423ba62fc7e467d7f374a8ecc40f2f0450b5939926c641ca85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
6929d2c5208c79915b6d3d5287e07d02

SHA1
88071b1f8039968626546e294d821f8fa3fa0e71

SHA256
426571b750724a80c9e2bb1ed8169137ff4d279cdab5742a89f026022657d3ac

SHA512
38d01ac64069fcf2cc411482c57cd109617ab8a6c62bfa34bc99f6c9cd74f30e2f5281f1d092d3303553961054a78f3032becce4e02cc97d46b0e157a109aa5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
e1f1c44c754ac3f9f3472b862b064526

SHA1
a01d9978e464ef5f6f7efff46965dafe0b14af6c

SHA256
fe530751706ad6faf745efc018f5c801773784fba24e726632183d45a1c50ccd

SHA512
54e44ca9fb0d8f0952323c603526fc1b889d0b8fde77a28f583bf5aa3e0718a378e49aa3026abc1fd6f9e74c8fbb4e4200454b3bbb05f27fe804b49447bb5619

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
982b313eda156f3f683bd1756c767f63

SHA1
41a8b4ec88af7241a4cd2c194496d1257d4ea418

SHA256
a498719d1fcb79f971e6a615458e7e550e4a41f1ec3f7cc2df2372783179e408

SHA512
886a5eb9306cc7c82cb8b1c75330360061d2a2f248e445e3147c66db34ad5d825c7fd6953c70cb1cded7f2152c2a5a4d927bc85dae20b697bb9dd93515d8bd3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
d429f5be708c3bd91410c5ee9eb9ba2c

SHA1
ad23333236afbda90358090ae3e01140bea26bf4

SHA256
1c4837a8713484482b110be6287b979e050ae56f3e8402f672b5cf4fa523b864

SHA512
5fe8b9f60ed151171ff7cb530c8fa6db3b4d4c7bb396cc76c44216b0fc19c977411efd871a71c8d8393b10152308cef8b83433e6795b822f833ef61fbb4dc009

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3a6399723eaed938e0e8ceff6affd31c

SHA1
59d9c57ebf818f1a38c769cbc6ef6246f761d94e

SHA256
06131a7c33efc14c15b6ee4c7d1185caa9da4f761ca39357c893df18dc06b829

SHA512
32420076672875719377b9728436820cd3d6e89e09b3249b477187a08f2f0682eb8b346d7e1e91a801462c5ae1981c38effddb47847d2a4da6288cb9a1804f94

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
5458f24d18e465a863a07ba17974071a

SHA1
158b945156264e07842ed6d802cd4175e4263a49

SHA256
ff9e77bd23eb24c14a977d9cd2759379fec5c96046a27d89b5ab3fd4182450cf

SHA512
4be4357ba61fcad496df68f1654c3912b587cd6607e97beeda7796ef2f76ec03c1d360a1b865d56385b5aaf0e9348cc4fe03edbcb0ac63691788d52ff0467de0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
56e07128d93918b7f595c3c223608e45

SHA1
e11c8039cd378f4c072f6698cc6fda0884d89c3e

SHA256
0a2e38c7f364080e94a7e6d74bd3bead7775fe7415374988ddcee99eb4904512

SHA512
cc2720e0a775f40daa84da52705c3e51586b3864c64ed8790c23a31824d03161a803f3a68981d485c20a8600a49f7cf37d9ccd0130f4fb0d31d2149cc953db5b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b139a403520785a5ed3c3ae7347d822d

SHA1
f69685ddd09777930ab68062c9337dd0eb988be7

SHA256
b24c6f250bc06006d6451dc5bdf242bce92c7b333db6ef9f466b806af487bddc

SHA512
fb491d757055bd60fd9dc0a4427e77adb30fa48d265806ef4628d4c4476db181a4192c91b52a7cdb7124c9a1acb37dee7e2417009e67ee327593e2b44175c8b3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9d0f96f91cb32248dcafb733b5864604

SHA1
d8a7e879bfac51f687233bccf3e1d7c773bc5fe2

SHA256
2826e102c42a60e3477c7e2dd9d74031f285fd9659cde976383bd1a7bae94859

SHA512
4a2b2296f311671670a297ce1b85a4e9676c12af19562b8864af9b25b1bdaaf72d4df985b894ed58f99a9285461da0f0cf7300393ac7a3912c72a9c52ef017e0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
293a20754250e33e3bb3b666789041d9

SHA1
f6f0f4bf440ec634899760f42e4827278ccab235

SHA256
cfebff10db7b458a50f496889796940b5315cb9c6a0e6bbcc1c43c3cf617cff1

SHA512
5b9356056c07166469a3f25eadedbe84ad665c0dbb24e5c20232a7de4f1e63c7798da8fbdd517034dd9933da96231473ca8a5063e57ee76578f4e2c3b93e4eed

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
de8d61586c60fab899baba84513a1596

SHA1
a0d25af2135f84069a783262a341a4ec20467442

SHA256
76c2efb3eaef791ce48615f270eb6882557daffa5557786bfcb3df00bbb4ded1

SHA512
c7a1b1a44a2055a22ac9e7142120a2c5dbeef0624424ab63a4d9f0b2b0950d7c61c8d4d5ffca17c36fb2602a2d6c1b3969efc8163cb34b394a3ba88b70f587f8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
23b4ee57975ae6ceb2f4e3a4c620097b

SHA1
4e63ef43050ea2788209e650968e5c25c6f9e267

SHA256
ebba21abe6b5504330b5ef4ad04b54b7039df405f25660c9608a4b95ae7e4832

SHA512
beaed0805f80f4cc98e25be5b1d915cf61b229b5686724bbce65d5dbe6a0827cc45b969e84e5b3a6761098df9759208587e47201ce1f4ff90b051df72abb071e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
580852bd3c548257002bbfb827e4ed63

SHA1
d6a9402d03201d0d3c45f36bdfc33cb1c491be8f

SHA256
dc6ce6c1f6988ef537ceddce4ce5804e30e73c0b52e99d046d782e9f72d147b4

SHA512
e426cb68168b687996f1ac29cccd08b77598724c3fec00721db008c3d8f9c00a17a7e92ff2f1e88fba5f2c262b32350d90f9d650b7baf8155606b83abf77bdcd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1295f8c60bbacc3183ca7cffe74578c6

SHA1
c66358c13320108b24ba00d6d3e2bd7b432c2d0c

SHA256
58c0f25fece5dd5d9bc7960a79340bc9d91de9562db87b035079e93b66e2e830

SHA512
86ccfb7f0bc43911e1e5301dff572dfb87d2d18f0435ddf3c92cc43f2d1670f1ee5f6733da3ddda99eeb3df70fe6a00549ca730f8d4409ca5a2fea021daa8a25

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6f69c2b9964642af5fbe7d9e934cdd7e

SHA1
d60a55fa54a1bee54447058b01c5739422ec0d02

SHA256
7006e7f343d465ed06288aa25db30405a4d0cb2213aff9d66ad3e6fc97ce5d2a

SHA512
0951dcdfd963513a050f5c1e9b4777bd812fd9ac5e1ca517367d7c77c03790208f03e013fd0c70c6a54f94cfcc34a9341ecbc28ad4e328c761be6fc32a095946

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4eb964f90aa900e69c528496dd6504af

SHA1
4c5fd867336c9a89303eed1e96fd484a358d5982

SHA256
8bd0ccc99f746f9b9aa7e16e6320f47ba3c86812ab9db35c6ec40012ea6af536

SHA512
c950f5917997d80e87a8e169d882407d738b5945687778ddb248bfbe59e5615fc4d3c155e3cfa55f8653d25b5eb3c23acdbe186ddc0d010bc5f1a912b6110d59

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
191448ab75f4511ab4627df8537f211d

SHA1
b4cfeac3d78c98ed04f4af01b1e6ff59666e23a9

SHA256
1a8c82cc3b875ebb4643c0a1832533e7bfadaec20137cd12c5b0780c669d3411

SHA512
7e52eed744d33ad6333daa5244aea98337a0f11762502a1b586d9a1a6a4df7d7854ff0cb14596544cec1c9fddec145c86aaf07413234977e67965b87dd942f3d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4160f402b26a09fa020bc7ee19bd8df6

SHA1
e137c41fbeb20246a1dedb50e15913cddc7e8cfc

SHA256
febcd9d1df9e465b07ef648bc8274f2234cc170780aa24e469cfcae16766d188

SHA512
e80e782288e0485a7a0185e52191eaf126e515cdb2f17a7fd2b687ff3fe64ec42b073e3c5898efe4bc52c4814992e9c6de359fdd914d61ee1cfd523749ac8e0f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5d0b95b0c049123e3ccb098465f898f2

SHA1
ddbe70784239dffc81e1baffd10ebf7cc7ca4462

SHA256
f9fd9baccd3efc27d3e04086695d4675e0faccb8e50937febeea5d67168145f0

SHA512
2798d38cd8a57a973b73b9db0b54a1e79a93b9a89b53031ed843a33e3d7f58bc58770fbacca2d0d915c50f158aea1121658e8be9da12acee8001d49a261565c8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
46d31ff2ee1a1e9fe21f35c4fed34db4

SHA1
bca1654c3de67449a7e54fb55855a686b43688df

SHA256
f732de374b4c87180b9054accd1c802741c4356e090dcfba9fd69507612703a1

SHA512
30387aa8119b8986da03d61f00de0618d920d3af672f8c86e339d34c1bad9190b8315d8472ec56c8a3976252b985901addfb7d353487231794d3d8bebd63da3c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
be607317f2aa20d4069d6f0f6e572fa6

SHA1
acb0d0354dbb0566542fe26b86eb3581273b8f03

SHA256
49da2b3c119fb4c1e5b218df17412da9d067239e0e6485d83fadf37b1ede91f4

SHA512
791be07aef440e6c89513ccaa43c05c040b34c8f4b7902d9a0c6aa57a3ba4977f19dbf4e6728cc5ef3902179778e9c9f710d5259da56b492ebd935ee7c15064a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
459ab3c17a7642a36fbd629883b59472

SHA1
bd7732eb5e39541ec9917a685bb0df47de93a4db

SHA256
7190b665891e3208f02678461c2833cecb73d7cb50b9da02bc30ac61df88c20f

SHA512
6fdb4eed48ff28adbcd5258772f610c192db0e9cf0521533ca88079eeb9a925f62c2817c57985da5a4e51f25f4a37a761792a7f83dab29c33ba0af0ca6c646f9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
cf8a787d9d00142e51c8ce001915c2f9

SHA1
0ec454198f58436d3a4e5b5559cbeece0ff2ef5f

SHA256
f9c2bfc0f3f6b332e08fda57329f2dcddb7826bf63f98783166c2f60178ba721

SHA512
9b418572ebfebde4ab0305d6abf0fe01735b1da1b783157b6389eae3c0b08025d695a0203e9f57a6926f687254136d7fdde24719564f159f81c274992d5ea3bc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
588e0b77cb6cfbc90a677f87ca361c17

SHA1
59111159d7f257ef838b4454b00e6a42611afb2f

SHA256
f03ebdf6990909c3d9d80055a8e65acda781e1e7a87365850e8f21daf9ebd070

SHA512
56a0dc6b6eceaff524812eaa2395efd3a23cc8345c3027b18c0c4c1c48484ff60b15787729145ba10ee3bb5b4f1e14997606880edaa6303111bfabf8ba0441db

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
417f47dc4014e29280a900ca1d82942d

SHA1
91f03542ea5f76ba58f99e547da23415245e3875

SHA256
f08ed539227f8fcc5a7ed0fe27dce8e0081d95aeff41531c3b16f659d2832bd2

SHA512
2a3a23ea1d840dc7209a8dbc5faeba2063d983cb8eee37406d076a6f68e75006c13503da1e83c0a1f28fd118058de9820cb320f443f0866d7592ad198799c13d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
7d594b1169a6ac14c6c4aedb899df1f2

SHA1
4c0a44747bdfbfb26b3d51bf93be7f9b7716850d

SHA256
605ea5731bab3a40830d458f05f9b2dee6de4978e6f1a0135f12e0cb0e88e302

SHA512
fa7b0db4af32dd448db1719437e5b5b865278ad0f2e3630d9c454f41053b213cb6c4af2d46f40fba95785a703a419456c835fed6314ddc4a501099b973a1abec

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
b167a6de7e0d3b96382ace6da8d5bfac

SHA1
cb0c3e8cb7a9a1e9c6998a0231eeaba46e3fd487

SHA256
3e526667c51f314623fc30158fbce353a3f0ac7f7aa2452345a00a61fa007af7

SHA512
7dc462d21413434e3206ff4964cb3bc3d2cd64a970f3bca8a18706ebc00deefcc8fc99ab9d4163d635cde509ed192a9d4f44fd8d471df51b13b8353e94d4f2bc

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
5371886f17d44bb288eb6c868c199a03

SHA1
848decd5b308d1525b1b326cbf11eddc4b32d278

SHA256
5c331da2e79c611b0c2059f55b3923bfbe6b4b5b17245ec06ece5c7cf3efcb27

SHA512
8399a8812b6f47869ee3ac9aa12d284557eba2a990df8c66fd493ebebb07e10644ea099a05ee791bc5c1a5b13c39a2e9b7ace9d553a7435f77a2d639c4720426

Download Submit
memory/224-480-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/224-265-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/416-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/416-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/552-214-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/552-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/804-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/804-471-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/856-68-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/856-177-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/856-86-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/856-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/872-426-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/872-178-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1336-153-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1336-330-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1600-7-0x0000000003D50000-0x0000000003DB7000-memory.dmp

Filesize
412KB

Download
memory/1600-84-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1600-0-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1600-6-0x0000000003D50000-0x0000000003DB7000-memory.dmp

Filesize
412KB

Download
memory/1600-2-0x0000000003D50000-0x0000000003DB7000-memory.dmp

Filesize
412KB

Download
memory/1652-386-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1652-165-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1708-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1708-47-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1708-44-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1708-38-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1708-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2296-51-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2296-164-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2296-59-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2296-57-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2500-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2500-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2500-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2500-88-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3012-470-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3012-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3164-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3164-474-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3792-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3792-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3804-436-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3804-85-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3804-78-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3804-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3804-72-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3804-189-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3816-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3816-126-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3816-32-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3816-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4020-239-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4020-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4032-130-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4032-251-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4072-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4072-141-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4072-364-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4244-478-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4244-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5044-90-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/5044-200-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5044-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download