487217e4e5a4e33404bc1cb159db06c34a9df8a82e7c7efcb78e8a081e545407

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
Size

24.3MB
MD5

67644fa83151999c4c4f9386e8ea423d
SHA1

8165e3ee1a3e45efd25c5612c6c8ad608b5e76ea
SHA256

487217e4e5a4e33404bc1cb159db06c34a9df8a82e7c7efcb78e8a081e545407
SHA512

aa10e6f3a18c9604a3c794c1ca7a4dce1a30e7cc710b186b18517d7ecf15ba65b23b76627779230711a91fad5a0d54fe27c89ef0d3e90654e6b16090f3551f38
SSDEEP

196608:KP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv0189I:KPboGX8a/jWWu3cI2D/cWcls1p

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2208	alg.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
3712	fxssvc.exe
2196	elevation_service.exe
1100	elevation_service.exe
1992	maintenanceservice.exe
2720	msdtc.exe
1592	OSE.EXE
2188	PerceptionSimulationService.exe
408	perfhost.exe
1844	locator.exe
4524	SensorDataService.exe
4412	snmptrap.exe
3864	spectrum.exe
2168	ssh-agent.exe
4688	TieringEngineService.exe
2088	AgentService.exe
4136	vds.exe
3076	vssvc.exe
5020	wbengine.exe
3704	WmiApSrv.exe
4904	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3c03c616c3a5208d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b94e2fb99b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005ca59fc99b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000345182fc99b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cca4c8f899b9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046f3d6f899b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fddee2f899b9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c6ddbfb99b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000860636fc99b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005307cbf899b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df96fef999b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000837feefb99b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe
4088	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	3712	fxssvc.exe
Token: SeRestorePrivilege	4688	TieringEngineService.exe
Token: SeManageVolumePrivilege	4688	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2088	AgentService.exe
Token: SeBackupPrivilege	3076	vssvc.exe
Token: SeRestorePrivilege	3076	vssvc.exe
Token: SeAuditPrivilege	3076	vssvc.exe
Token: SeBackupPrivilege	5020	wbengine.exe
Token: SeRestorePrivilege	5020	wbengine.exe
Token: SeSecurityPrivilege	5020	wbengine.exe
Token: 33	4904	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeDebugPrivilege	332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	332	2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4088	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 5328	4904	SearchIndexer.exe	122
PID 4904 wrote to memory of 5328	4904	SearchIndexer.exe	122
PID 4904 wrote to memory of 5400	4904	SearchIndexer.exe	123
PID 4904 wrote to memory of 5400	4904	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_67644fa83151999c4c4f9386e8ea423d_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4288

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1100

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2720

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:408

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1844

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4524

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3864

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3356

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3704

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5328
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2700,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=3688 /prefetch:8
1⤵
PID:5172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
6e903544243777b39fd09e664269a11a

SHA1
7a6e58c81f9601139eb3fb969ed30b5232b6761f

SHA256
4eb3cbbd97efe5f407d99cb910179d678e610dedfdba40613cde07e571919769

SHA512
4dfed88a4cee46afa5393e5526329a2d1fcd4bd881637b06af7a7bb7e47912e363c4ce16437a0a315e8efdf7f62db49745eaeb2ce8b2733d14423e887cef83d2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
6dbd5f5ef81cd3ba0c81b57e9fd77634

SHA1
c0d3fd6f21dfe9548e312546a56dfd44a1319cf4

SHA256
0156980543e7f01b3f91bdbab21b4f4b855b643c78c49e586885b369dd7ba2b0

SHA512
3f77bc6c047516ca5c45f0736636017142888f1ee3a52736d81df8e1b4d2050316db230608921136eef3933d40683a81a9f2cbc59d14bf440b50f181a99c148d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
875654e69998de7e8268b039ad358d0d

SHA1
096bed2443396715e2d174b73ab13d8ef5d7dd8f

SHA256
abd68caa2a42d72625b414280e20d178a9470f88bfbccd894c0646f5cef6003c

SHA512
5af20b41349068a8102783dcbbecb20377e0d53ee2be26d02e71c373bf7b2c8c62c25d91669c8c54106e9141c67c9e37b9691830619f8c2fa16cf788383b600f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
042bfa9fd8ddbec4d12f9765666e5376

SHA1
ff7a4bacc4256972ed2083de7e0e5dd570abeb6c

SHA256
215056bbf7e9e4eafd680edf620d193949d544158d28c7e0cda69d0cbc9b4e8f

SHA512
8a545c4ce0a073e7bc8e37c6ec0e891e17e1430f8e4928f9e66d85fbf9c77478b16d8b5e0dfb02d4d4e02d625addc47023274cb70e8308f05f9c7b1610755bf8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ec5c34359216d3ea4caedec21502d286

SHA1
5c00a90649b0ce3341f11051dbdf3adb90a1578b

SHA256
2969e016e0c29ca88ceb4524e9e4b6269852d82dcc4791f17dde330c7a799590

SHA512
ceba1e8735dd56d0223de5e2db5823a947f1b08f385f647ce5cfc8c02ed8d9955bbb447bd70a67ce1170fff9f9276b7276ce05a250cb61cf384b8e8319042bfd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b7f6c707d28401eb5f1ab496256f7116

SHA1
a9dbb515c432c22039b6cf939b24d1d07a551bfb

SHA256
21aa31c343c60ce8b419e018a99b08439cc5ff481ef1273bfd53f727438fd990

SHA512
8392284982281da614ff5ff81ac2ce89b44d24e8b72c4b78943ae71d48ca47b0d4b3ab7df8af6062c43c03b9481f96dd017eec2b6bf6e65ae2a8e7766c7e4f40

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
7ad67dab0c2ef62b1f192c20ccff0e97

SHA1
36e2811842a90c878b7e6aed763efba2518911e8

SHA256
1c457e2748ae1bde5603d20e2ce103a84dc598332b5a967a877b938152117460

SHA512
e560f8b2d8f7dee35f6af8b4f1052d295156bf7d4be40c53e19409e5e25c6af92bd9f5e52e7336e9243bec1409ba0ed98a8bd900e2038033072ebac77be09701

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7e0516fb18e0fdd0dc7d1c8e5add1eb0

SHA1
7513d43596c7d3a71771c0aee8820ab11a726445

SHA256
f9764c7b0fc91b4e52ed5bd514b616f831419a404cc7a56b7a2637ab7c82f54e

SHA512
ab4ef53c706e2aea790d01af3dd415d61398499cc03a4f698655b9cf4a89c8e22ddd2493457fd511ff2f4c0f5c84b697fe7e87936e8c5b76af9fc48bb81deffd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
737a0712362bb291b57498cc9aa9aaa8

SHA1
5cca59fceb1df46158e4886f64bddaa139b75dcf

SHA256
bcd8f26b173de6a1add260e56e1914d0e31f9d0577c6d7053630d5929155757c

SHA512
9a344dfc970fcd8dcae38962fdfc8ed64636fa699257ff46e82463cdf9a0c31367f49fd99310336b067af8907609b939e0341b69bd364a0e2f86274a49cc0718

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e9db81c8c86b25e1d941aa63ccaa258b

SHA1
3717be83ddf1f8549739d3d7dd461f0244eb800e

SHA256
2253999df40422e954cb77c72c5b0335c32eb4e6010e9e9d6b89ffd3ebd3d4b5

SHA512
d368197f641ba8ce5d3d1ab670852817d8ad7c62276c677abb3d94906a5f5727448a7954a7b27cebb519b9711e8953c9eeced774cb85750f06a59804ce33631e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
853a38eae7d3b62057106505b7ec4025

SHA1
56a6b40d270459a47bc3844ec396ae0616ca1f2e

SHA256
788cd50fc8d1db5ba1febabd8eed38f44b8ecfa9d80490ab2534a881cac2d5e2

SHA512
cb781b89d318143a1017f0a8fb5c82ae1a02b1d57f160b725ca201d49d39b613e2b9388769595639eb9e6d27f7f0f4f33ea05d56b8c0e0c86408f0a6192da0e3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
dce6e3d3caa4d8fc88722702b11de147

SHA1
1a06b719669b1f3a5797ccfb17062060d543392e

SHA256
74706fcdfc70d19cbce3b12dc19768d77c0f8bb5ca75e212112fe4fc797814a5

SHA512
1cbcd435ca2402c5d7e37e73272df211d521ea0139d5deb91a02ca9a82486cb643ad82bce69a27111305cc648be13ff900f73a2fd5920eacb54010c88bed2f9f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f7a1170a36b8b76737033119ea598454

SHA1
b9343d5dc20a079f20799ef9ba40b96fa9dc50c5

SHA256
44f9b074217c2fcebd5ee1d97e9101db99cc3bf4dcada4854d325be02ab067b8

SHA512
7dc37a4b7ad0b78bf9ebe673b1c658d33831db7b7bb5a59f131b0c365e17020dabbc425b0e9bd66b339acdfdc358c53a05437875f6e7074c4a6859e53c208865

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e2cd9eb73feab51a8ec92f0e82aced4f

SHA1
5e8124e23b824bbf55774b6856ef933391a6089b

SHA256
d2d895a4495f1db1d922c39bcc0261dd56f895073b8bb5c71ca4d8e6a8f41cbe

SHA512
99ddcfe7f6c2ed8e9400369a9049ddfd89b77468c2a1e1b9fbf7b750c785ed7f74381724df99437115fb6b61510bed4e4c8736e95fae6baec5707bc38ee7d121

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0b8a8d4893b6cf6c42c119f38793f244

SHA1
82f08a62a7b88164fd4bd64566115a0e19493b37

SHA256
1b0c373c22a907d6d1e66a109d812dbbec32db38d0b7d6cb6df18321c20d76d6

SHA512
aa90857127f1e83930fc0591a0fee23227c617e4d07af6c60af3d6f18d112b7f7d2fa837fcd73b358eae0fc1c7fd3cc07d4b2d5f384e8954d66976fd8470335a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
855d29cd6d2265e91157521c3af3065c

SHA1
a85bb7cd7a8699498aa6e0d505eb7b0131142e02

SHA256
0c6f2fb7058941ef47963f458c6a2f756f95538186ab18567e862c0b875bf728

SHA512
5534f8eb032adf6b10dfd7da2a927bdddddcc317a6e7ca15437d16a4e912efd8737b86dc2ca49d3dcb1c36d60c923569d4d6469b1159022519b64da1bcf09c95

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3e88b8333d159851bb39b8147addfe93

SHA1
4cae29f942901039957a98722780282849f888a1

SHA256
e778cac7ef14adccdc4e564d15bdaef3bee3cddeeaee5d806b57df00324189a3

SHA512
e9e6d5ed460f96fe4e0ea32750e1974e0455624830b02d9064fa47c31bfd1dd2382489f91f3036ecb3a7e1b56a3f8cd85cb6d6c2d30208a48ef4b0337499c5ff

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b603d05f7da5c1eb14527b0e4f8c86f5

SHA1
c7d25a3ad9a9c9103810cc80e5a1af92467491a2

SHA256
20a218617e46a20793eab0db372808559edc627274528b7dc8d208d00323ab3f

SHA512
93091d879abdf4f8df822ff897dfb97cb3195df899b0a027fb294ad51ccd41659393bfc4763e5a5b3ab23f80648b3501b1acf89dd3b8cf4611085f7323f3b447

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8dfa56e2ba9c5540b8a2b01724b9546a

SHA1
fbf7f090f7eb77c1206781ac031a442cb80fa9a7

SHA256
30d76a85caa70dd4937809936d3638069dada9554d9a590a77097c2b6cfb9fc0

SHA512
22c519b12f62c257988663161ece598d417eb0a9b7b8e78511a4df2d7d23edda71ec4625ba363c9c6b96f0b2bb918580c5802ee924a58bc0014f4ef47cc2d2b1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c36eb791f4da57053f7e6db000bea144

SHA1
5651859aa16310709c325d211b7b7b0234f18d77

SHA256
19616eca8f0cb89d2e004c2f9bd8214884e9424281aec54175183cda17d712b1

SHA512
b5cb84a382913bb429418ead69550a2cd30bb64a1c82e20699c850d0a045393d4c5b39a56a3503c4b6d91cd4617577f110a021b0cc265372fe949a62424630f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
450de3e894d64a960cd69feaa076cd86

SHA1
0005190c0b2b53aa07ef82a69b27967b769b0fe1

SHA256
7b27a488212b32218212b1db23a7e37529a023363f5c6a317b81ac5c1156371b

SHA512
06b8899a8c17cb248d7d45bbf1f52e88cd8e8d2040d2a23a37fb8c73923c1d5395b75a64ca93bddfe62961d11d232aaac99dfc5d7fc314a3f3f8114ef138b39f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
76a8c7a6391b304baf1f8413e0d35988

SHA1
e0251bb6646466fc98ed2a639e955d97acda862b

SHA256
c2eabcd14cfd826b6f72d79bad63ce2a170ae382edb39ae2684c038700f02b22

SHA512
834c06ccd6d244a1c6a83b1463af84b65b190808ad776ac61e9df5be89a718dad4358765d7e247509ff494ba5fc479e0d38e60c9e2abb28313c22ed169039d5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2efba9efd6bd417c48fd30172ecfb9b6

SHA1
b066ad1df0aaa548e928057047e71fa55f47eb5f

SHA256
3582c94f9d7c78ba79530aab8eb887990e20df17f31797b826b54cc38fd186a4

SHA512
85a1d08011c4436066cf671004d465f8a534bc52348bbdfa3147745d32f5e8c196a8e9a25ce4c18a004c1cf9fba778dfeb2b34207c5e77c3f8cf0f5a547a1e97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
8b766f34eb8f6181c3b36b8c69077e1e

SHA1
88fe09debaf0242c1b91e91e0cda0e53789db9ba

SHA256
3f8417198fd01d95cede50a23cee83ff9e598fa33f022a24485f91f85410e949

SHA512
87669cd7363a4cea2be6b6c1826025c98185dc711b63efc8f48fdc7229b0e4e3a833523e5db253f3b1d1b1789b092048acb828ec97f3059a88ceecbd6995f3ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
0fcc328683cab17ca1b437bfd66a22c3

SHA1
001acd512c5ab9dd0fe12172ce06774213a70901

SHA256
5880c9f0ed930a89dabb3b8bc3866f0b54822d9d65af1b5ac93246ecb8ed4c94

SHA512
e4f1bb928db7088231d919f63cd1674b20636a8f145e95310d661b52f5ad8cea7162affa151a1335652fb274fa8c07abb6d68066d85a80142c876834871989bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bfe86aa7aba62b7f1bfddad9a022125f

SHA1
babc92a14d4a06cfff5a47cf7a739ee73cb16bb8

SHA256
b7049412c7094d580e442f943b074d8d2cfd72f4304036cba5857b134075387f

SHA512
9bdbeea5cbaca9f31df49a88b792834fd6af1ad456fe9928595e04391b7c71eab370456bfb2cbca986b1a85c0dcf391bfce4d6e5ce27eda20bdc0d6f7e70f2ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
c3e05506f13eb76527939bb314b98a9f

SHA1
6699affc3f1848b41e474ea724bffa8f8d4df46d

SHA256
51b281efe0f15b2e1f42e3ddaa420e42b5101b8179143d19952b1d3ac68c112c

SHA512
2f80eaee0bbad51d9fcf7f2e70609513685963b310e00ff851f9c1a06c02c33fe61098783824bbf4ba2aa1be3f79fd3c603040547971512b554a42aa15303090

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0034ff172dcb84d15104ec4e84672d03

SHA1
7fa3b11a8d9232eb1d855d106a3c65fef94a0fd2

SHA256
982840a80fca09aec31e3e234ab600ce04f20af22f4e9425869502324a34fa12

SHA512
8c4f222b0f4e33722d51941ecb4d8d4625c0727ef35914ee21960c3a1308339d024bce671df531daead2ec41215524372534a9a140841d741b061565fb0d4487

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0fd852edca3bfe123529179c2b5145e1

SHA1
1d7dfefc27e680f2f8c462f7702c1d294c894e0b

SHA256
07e2833de176b60be899bf0c98bc0193854c6552fb7438f3fe98def637ca7fe6

SHA512
dac97f7f9971994df4008f10d444e750945ac4e9a87eac5968f7c6c2c98c7d62f3b0f61c4d67bb97ab76958135fbd676c59687e68446e649d24176ba19b94d3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
632ccfbaa772674d23a6abb8617a8270

SHA1
d7139893e8c646fad1b3b88ebb2884a9abf572a8

SHA256
46f339e9368fbfdf8efdf4164058b852a0d768c4c81c0b34c18cdf32236a8797

SHA512
759bc2a4e082396f5c111a69e031104a36c2b0fd76cd5a0a32b0b39dabe59bee1993748e0c271a22f50ea0d6a450f1709a52be8ac4f8f61bf2c6a1515bc74395

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
09c871d866d11756452948cc7696668b

SHA1
33c697caa657c94a0f829d8f9412cdab65de838e

SHA256
c6105203d52630da2f3b7d15b7c98f6d79366e5366244087c0250d347118a759

SHA512
c646e6b6b0dc8da01971f094f99c56c4584c70196a32c84e7ec3a019db8adbacb9c18e3d72ead2e80cfdfe26c4243aa618fbd9cbb04d1b0b0eff6e577248e822

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
13c285baff6791b9c3e77f49c6d8bbf5

SHA1
36b63dd262224853f6f6832b877b3e3837f3db85

SHA256
f72cef0afa1b251aa7e2e4f0cf13eaacaec8000931b2b87dd9b4a2b6e05e2510

SHA512
f4e5ca4af4903f9ae1ac1f1cff7aa5a4149fb744c76c169aebf2a37264153fe841558d293a43610b15d3c6fa520f598da542b0e9e6c7bffc6e3cdd3e5cccfde7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
6b54fda8a0957841eb27a902508ac8de

SHA1
a9830f3dee113e813dac064289d333186213117d

SHA256
97c2129ebc3cf0653eacebd90cd54bc96b7a60ba8517806ecf4376fde6d0a4e6

SHA512
8280c5a933b36d667963c1eae3530d83597de1f3c1159d07bcc281d966f49b061f9746b56118fdbeae3f3a9a1f2f8d27e3e2631d087dfca45f9f7b554b20c6cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
82926b0fbdf83dc6e8c942debb112023

SHA1
37eff3684f9ac80939c964086a875cf0041af366

SHA256
85fbbd2683cb57e07e4f7d1ea0db00d722f3c6680ab0995a67c32870564422ba

SHA512
ea24e0d1adbe649d2e8e38d751bf869a61038f42d770af88736eae969b045fac6ece232f2083147085098c3bed16942347889c7cf107fdbd4350a9e9ae222f34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
2bf549f4b06e31e521fca3c413175b90

SHA1
d88349bede7497f6cdaa904153dd7ee4b692479c

SHA256
bf911a70a38ff09b2a9dd21898a0abb32b1b54a12644048f0a1a3be1ef6ccd5d

SHA512
028cb8fe754cc224451a3a06b8719cd9d4e78278bf242d8e63c145522bcc0863abd88fde07982a4c59eee5b88f859ac32855e5ef2896e1595174334ab39837cd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7b20895a153ebfc297cabd40f5263f07

SHA1
c644c378218b408959128cad901f575a7e3cc225

SHA256
ba8489ed159428e7634ad46df597c0a2c8881bb20b7165c40a76ce8b63728f81

SHA512
572c12d0f3f34391ec32fc3071a28013425372ce334993be826cceba3094595575b69c297cb38809285299955a1a63b31196f96bd9c4e72bf878ea5a9c90942d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
7a95d9db43cda93c6d2258720bf58528

SHA1
2bc5be1f957300dcb9b8f2d881840c759f86dca1

SHA256
a311afe5b0ff486ee171dbf99f9ffb355343bc3dbe8f838795646ae323ed7219

SHA512
de887033d9c58e07ddeef045734c7b28dc3cdae7283b6a1f3fe8aa49575abdae2a23b1832d627f8d7409b3381a6b96239a1167405b5734a2689fea262247fdcf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e57e550e94a702dbdb6a672d31f1730c

SHA1
a0b4e74b23982532c7f3301fdd8635546784285a

SHA256
660be0fa78d35f05f6c132fd9bb045cb387ca4896d3fd468758153b9d9e59f23

SHA512
454659526e2e57e42544eb3e51d6c6d7f72418933151e3a1edc3eb3fc17c16327fe744ae896785b265af8aeafd3eec7ebc42451d356f2df7e5dfe5eaa592b420

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
17a9ae15dafd0a9615a32403d2ce0668

SHA1
5f322b19b4bc65ebe4f01cef9f87f6e167af0cc5

SHA256
3e3c505a31ee949e509ff788e4c1ca849c4d292e9685e3055fc05979d45d18b2

SHA512
2365339f4dcbfdec7666770c7fb07a5e66f02b8791e03081134048538c30f1a352d09690de3f2c9678b4af834a826b1fcd422d997616bfab491138c0413e8adb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
63b51f86138e155f5f5d1959cb8ecf0c

SHA1
0fa83d637e25fffb65a62ef0d7735f93c2226d03

SHA256
ae2584f35cd82520f9fa9af3dcd62eb7d1ef63c72714681fdb3fd0d07e75741b

SHA512
c401f1ae5c94670b586141415c85cac27466eee865d79f6bc163ba6e2cc2fad95e724597ec431311a262cbeb2591d5e2d7c6d0e820e8a08798b2239ad6e8e462

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5935a396b206e530139227e10239ce2a

SHA1
cd470af2cb92474deb9f72e9cd117d46ce7169a3

SHA256
c37703520af1dac3e0ff09d85e8d9025789d3bd37db228a1831b81f6d9c9143b

SHA512
23565441a52de9d2ba0eae6104296b76a2cb736c701c3e4f099d46c1db34596a947c65117975fab998ddf3b2246ad3a69fefe922743afe2c103521378bd4b750

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
4aaa8d74bc7a9157dba8e384c2a3fd08

SHA1
1ee81174da2a381ddf1bc0ae04847e40deac5cdd

SHA256
eaa342d70835db81fe34101eb34b0ac5db2b8eabd9733724180140bd90641d8d

SHA512
cee551057a3cdd020170203623abbf8f6e7b3f94bae3e687de5035579b77ab97f408bebad437703b2b50305b9931c1c204f5466af7bde5241bde93d2725aacc2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
1e2a07793858c3242a617092d8120991

SHA1
c4adb2d1e8bc4eb12a95f420ba2578c52d208d80

SHA256
d828bd8ccfd2906dfb56971b2585238806b48a0308a0dc75766b4c8190f09617

SHA512
527083a04f50f0f37f224825b6add58979df3607145705a8e30c4dd373eb3957335d9d11462b9882a75145c0dbe4a4a66f013f7a7fffe16b6020c138b1e42424

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
bc7e7107ac5dea54b57abb8b9f8778a4

SHA1
04b80b8d9bf86804c91792867f1a8d6c578b4eb7

SHA256
547a1b58aaabf5f50834dc39ac224f2a309f88f287a92f26cca580b825737eee

SHA512
12ded85098ca29d4afb54bf8e609e55a5e0d9d7dcfad632a22b2202c4ffb339180741085764fc9c9e02f47f6cac23b97fb8b73abf69c7e83d49bc36ac18fdc1e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
96f0fc8e16206c0da84a151a7dab81d3

SHA1
a947aefc2e1c178b375793b4cc85c81653d39d32

SHA256
99c29d9ccf2d4ab38ef58a6746ff6746abd1389336856c058db020f05d2aa14c

SHA512
01748b31c1a6bc1a8108bddf190829add30cc852c22e9ed2df8e5a4eb5fa3623d15bc6ef2262489915b7118c96ecc16ed75045e7994bb356cf0a06a0b8c22646

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
203d92227006981fa8176800680884eb

SHA1
9db4c4f236c42c09fb3fa1c7b391d37b3a9a5564

SHA256
79c7f04aba97877f818fa959057c08c8f25f642d494446b453eb040ee63eb466

SHA512
68d93d3f40b2d3fe530add3a48b4622006dfd3b4cfdf1fe274f0536a87a6b1ed93413978012e2eb7701dcd35c684990cc50a5387df5cc6b623a443500c088911

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fceb1352d8737f79683b0edb4d7e648e

SHA1
08376bbaf75071a9358e0beb3a27188e484b169f

SHA256
87af313a3b3701ebb9e09afa580f4286f76c888f1ea1dbb82802f958d2330403

SHA512
53ab6353256a79a3d0d59ca763473798f0fc49ecc4ad874c31d2759edc6b42ea4e257db4e5714d85ea55c61070584745b73117d95ec12f499364cb762e1f9d6e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7108ad4a0b5153631e9765b75fbdbad8

SHA1
cbbd9ab93ad7c5c3f63b18d32570ac2bb2afa58a

SHA256
b3551469e63575069a213e003153fc3535b1ec248e72918509a1791171e41a32

SHA512
0b78b80ffbceb3b33c436939b77c4f9765c90d5d0c7c7ddbf161a9bfef546c785212c69eee3a421ff237456872e13e1a87bf03d030ac60a65d390a3f1be7437b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6daa697c06300b64f9209f784b553610

SHA1
c8e526e0eab95da60a33297ebabde3ca34056a00

SHA256
0e62048d8b57173474a26124c62b8017adcc52b7208d124dc3f542f787f9f745

SHA512
9839521324a2b0bb9fe12d4f4800c231669a75b7cea545847e31e719b384dbeb6d8ca54165cb9cc5ef65242b1f6fdc64162c14892107caf3821f94dc9028a8d9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a0a7aaa8567f5a3bde5d7d24b98f3caa

SHA1
3d96c37dc4bbe3f838800f41bf82b688a95c2eb7

SHA256
16242338c8144b0d5803b233479894a47530110e3d66549afe4c038f9c1bccd7

SHA512
42f4726f73957a3e95dea878e2090a83a2c20db4d09baab066e492103c12bc5a58a5ab514ad84746799fb54826d4dc8caa3a2c0f0a7fe07e68647bb90c461765

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8fcbbc89ae70064e2189b7106f234b89

SHA1
47fb3e5c357c9bbf5b43a0bc9fd74e6ad09b37b7

SHA256
5c46e2d760de1c084aac184eca3bd6f00f97ccb66d69af88239a650ab7ba8828

SHA512
17b90258f001988affddb3b48fda5ffce130def067f846706498b13c2bd7bb6ffdfe8e928896a4ee8732ab957749041feb3ee9bad950b3f6ed39f59e7d1c3038

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ecf292fa9d397b2e5fa342eac048b0a2

SHA1
de25bfca9ecba2398292ba7d1af59e25a0a5a99a

SHA256
ae1594838bd1fa7d10455577b160010eb800b0c17b52336c9ef8bd2c0a21a6bd

SHA512
9ac0da630886bf967e6079f9bad3569138a880124ebec299e2061c238ffd9a1b3d15ec3b5b94cd324ab24e1d698a0d011c5c543ca8174dd0db364f52992f21ec

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
37b24b7a29905897622a88d7bac5cc27

SHA1
accffe21999443d3d884d37dbcc623d615443aa9

SHA256
4486ee745a8225ce633d6d2a3fc8db33599c3f37f899c0347a428463dbbd457c

SHA512
eab454a69e0fcbcc01921266e6fbd41602c7af119877eaff001505e2e213f90cf009b57dd5071a9a898b977275519b7fe701bf5ea48ec7c220d45e038246206d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
943c8f6ef54a99269c30d2548e6ef578

SHA1
a4cb184e15ee4b7419b701a650fc6f389f628874

SHA256
567764ba1ba5a1075689700c696c7eb65f8e04f0aaa00476f84d7b8afdde418c

SHA512
9408ea67d2e484314f1877d9fdb0549c4f7221f0fca6dd57684d0b10f9c5054e7e6151eb13ba754a44e324d392e9d6e90c92a560dd5f39573d8fe7c82906772c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
514129c6a102e97f1ee41fa19454f1c4

SHA1
9aa7b45e3b4c8544f9a4f0528a05ef6c9549d42d

SHA256
02c3fa75ebd85ce500a89e374eba90be042fb38812775ea15c15f4b8dcaa3a77

SHA512
58bf33041fccbe0a8f841ec79b97c7161327e7d06dc98400b1a647a1c01aa907b2096f5e71538e4139912384ca3f533cffffda35cb2b8de5b13ab67eb279e978

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f1ce0f52ea796044282f0d662affb7db

SHA1
66be296ee47bd8880c76e4de25dd84854818048b

SHA256
0c4646f080b18f0bafc389d842fe4d684bd4571e617c6d82716fdb06a909984a

SHA512
3cf667d9aca260e6beca45f40b6d30a099869a7e1a0bf946b68af8a299a51ccf05a81ef2f37a858b35f9236af927d72053d16c722f6e6a22b13ddfcfefba896c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
384e9be76e68c36065c4dafb3369f096

SHA1
24f780c8eba09cfd085497c1cfabcf46cdaec059

SHA256
cf38e8a113a0f9421bc0d1364a4074a45faa01492b1cc316eda166ba908addd8

SHA512
52410c26241d2f903e7256350597bdc9743cdbd98e61c8b423d2e166ec68cd28feed43002275ad195576b2de391a288c2cee0864135427fb87c5289a3706facb

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
100787e870d3e8e77e7fc027f7ef652c

SHA1
ffd74e1ca500fa19716af4dcb0725d64587d13c8

SHA256
95dce2adbb74ea9a63f040e0d077585f68ebdaa7e2295b9c7676c2a03510ff29

SHA512
90742ea30608cef77c482a301b10c01dcbb0f96efb91356f9a323772ff42ef103c4a2d4b0aff7d1792c2ab8ff05850ec19ba570241294a2c330a703f55fc8530

Download Submit
memory/332-140-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/332-5-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/332-11-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/332-1-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/408-141-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/408-98-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/408-103-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/1100-63-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1100-43-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1100-49-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1100-378-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1592-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1592-379-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1592-80-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1592-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1844-142-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1992-59-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1992-65-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1992-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1992-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1992-53-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2088-138-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2168-147-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2188-93-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/2188-95-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2188-87-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/2196-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2196-32-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2196-38-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2196-377-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2208-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2208-164-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2720-72-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3076-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3076-383-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3704-384-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3704-167-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3712-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3712-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3864-146-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4088-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4088-24-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4088-15-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4136-149-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4136-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4412-145-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4524-359-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4524-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4688-148-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4904-385-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4904-168-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5020-166-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download