4dd9de2aa6c44c0e17f81aeb8bce244761c7eb002d7732fb32fadb801eee1134

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
Size

24.3MB
MD5

bc9ed09e15cb113c0382bfa4cedeb002
SHA1

9ebb27a096dded4b76d3f1da509afa43ddf80b26
SHA256

4dd9de2aa6c44c0e17f81aeb8bce244761c7eb002d7732fb32fadb801eee1134
SHA512

1f35e8e69209c23a27eee5c90a929c5380fba68023d76eb87a049ecbaf8e158ab06e3a97af853916452ed8f1a3c0c4917c4bb5d5bce70c843f96138e241acd75
SSDEEP

196608:fP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018zUoiPBx:fPboGX8a/jWWu3cI2D/cWcls1W

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4340	alg.exe
3764	DiagnosticsHub.StandardCollector.Service.exe
4836	fxssvc.exe
2436	elevation_service.exe
4172	elevation_service.exe
4532	maintenanceservice.exe
3720	msdtc.exe
1900	OSE.EXE
1312	PerceptionSimulationService.exe
1968	perfhost.exe
2728	locator.exe
4872	SensorDataService.exe
3284	snmptrap.exe
5040	spectrum.exe
4936	ssh-agent.exe
1072	TieringEngineService.exe
4532	AgentService.exe
960	vds.exe
568	vssvc.exe
2920	wbengine.exe
5100	WmiApSrv.exe
1680	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2294290912d07ad8.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{90C18CAD-5F48-47B1-8376-0F604ACAA84C}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\java.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4b8be6b9285da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fff28f729285da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b44e0e739285da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd632c6c9285da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf2345739285da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff2d8b729285da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004102e1729285da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6af2f739285da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091c82e6c9285da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094906e729285da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe

pid	process
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

684
684

pid	process
684
684

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4836	fxssvc.exe
Token: SeRestorePrivilege	1072	TieringEngineService.exe
Token: SeManageVolumePrivilege	1072	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4532	AgentService.exe
Token: SeBackupPrivilege	568	vssvc.exe
Token: SeRestorePrivilege	568	vssvc.exe
Token: SeAuditPrivilege	568	vssvc.exe
Token: SeBackupPrivilege	2920	wbengine.exe
Token: SeRestorePrivilege	2920	wbengine.exe
Token: SeSecurityPrivilege	2920	wbengine.exe
Token: 33	1680	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1680	SearchIndexer.exe
Token: SeDebugPrivilege	4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4952	2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4340	alg.exe
Token: SeDebugPrivilege	4340	alg.exe
Token: SeDebugPrivilege	4340	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1680 wrote to memory of 1628	1680	SearchIndexer.exe	SearchProtocolHost.exe
PID 1680 wrote to memory of 1628	1680	SearchIndexer.exe	SearchProtocolHost.exe
PID 1680 wrote to memory of 452	1680	SearchIndexer.exe	SearchFilterHost.exe
PID 1680 wrote to memory of 452	1680	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5112

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4172

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3720

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1900

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1312

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4872

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5040

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2984

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1628

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
457db5bbc74e37be7e7d5fa55aa3246a

SHA1
7eda828b9b40c625651997d8c03c7cca079054de

SHA256
41053d348bf777bd5e45c371614ee98833b59bd1631cb44302e1543cef9ab140

SHA512
992b8d070d95ba322b1a4ea3421c2fc7d9ba986ff0c16e3a3be86d84c8b17173bcbc72728c5a5352e5e64002be389a3e86d1f18833e98962d53dd794e55a5181

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
1ac6ee2ce83dba58a19379a67594ea96

SHA1
d5e289d22c7d36daa8a8af3a78b44eede94db9ab

SHA256
9a2f61dcb0ff5002dae465315f4ad79d70d35ba3da7b031598f2a7dc6cc119a7

SHA512
0b3a42fa46e78c8345295de8f032cd722e2d68f3fe0c8f4dd23cb10efde21eedef64265c04cca4617fd55777a660e476211bc2f6b30152b089ba05c2b61189e6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
875d6153add68c101586f1c0d339465d

SHA1
e5d5f3f272c671d7cc11200c381840ef60a916c6

SHA256
c8fe69fc2f79af538df6807aac8920fd69fa3d4e0266554edcff6072ad4d5f22

SHA512
ce96bf2dddc6b146242eda376a3bcd1f1cf2c0f0a65711b562eea71757261832fe7fc664ca0c6feb15e6115571572522a0ead5ef698d8d14c90caf9397ca3f35

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
10ef12fb31204039ea00c9e2b64586af

SHA1
89cdcd78b130e0ef635ae0e589ec26f3938c35ac

SHA256
1f890954f220d132cd742128a53709ca2df98d816764b467aeda691e13944aed

SHA512
2b11fc4febb90e85f413f7f95477716fac77a197dc1192db602634cf1d4727c520884d496ab5adcc5f8d1c7cb5b8e14789f85cd849f4609bc798a022f031f7c3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7d653b7c3048acd8ccef1f59e13dcb27

SHA1
1d07ae7244fa2e7cdbc99771d1a368437a2dd2e8

SHA256
a84d52779e27cba1d15ecbe7546702b67878d3755fc8dd61417444b70423c02c

SHA512
81b157d182afa398933e04d96be548dfad7e140a14a0ad4e4b5258328585ddf5b61ebc881eba07f2bd62d425cbf5d77eaec2ac81dc161fbc9d5d2eab244a7d96

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4bc3e86cd6237685f9bc524518cc9672

SHA1
381bcadf78c0e58bcd18b1141b7cd95779a4866c

SHA256
3bf11b25babc40f6a2d82626d7910593929f42ef4b02a581d81289173cdec6ec

SHA512
52d89e3ad180923d53a613397e5b485f79bb1769dd84dd746f498c76c3f942000a93bc108182ffb4e3c28ada333a131319686abfc5c20fe5ac9d2c509c35d231

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
eacf38a60ebccce121113eaf0faa9139

SHA1
70a197338a6c27505cd3dfed2c5c5294e45e6810

SHA256
090ab219361679bb3df34c981413ca676cfa2082801c24a107a57b48dd19d2c0

SHA512
72ff8587c757dcbbbe01516ae52759cf2123ed0f3eb414e7c6bf44f5af32b0eac39a0b9bd78d410676809f98423d9179835bdfa04e5d1e91179e2361814c9668

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
dee8b8f9f50ddf4c672052e46cd16793

SHA1
8c4b4ccdff86922dbba007888a4fc61f1461c3ad

SHA256
9409882c4c79ab4c99a3695a6b59555fd74d53c4007da57f94dccb7162c1f7ba

SHA512
26a4eb1f4034f53a31225d751ca32541f11056914b51fd05e19134063ea717ad0d07fe55dde0aabaa71b231ef115364ca940409497f103e73eb694a03436bc7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
97686c994ec57bcbdb480d7a755ff2ea

SHA1
b2cbaa42a37a3d27ff871261d6ea27f091c40649

SHA256
79d19c97f37c8044ab3c5cfa6373dd9afb3e98dc4cfb7364d7e6c28ce1518c22

SHA512
7090ca7d922827307688dffa7d6cbc1bae57be2dd01c59476651bd1482a2943b11bc7b98e6ad72b270d44b1d7519addaf1d49490d18b89ead12f885296438152

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fcdf9f881d7a45884000f88eb3d8dbf6

SHA1
6bf30f20633f1fd6ab1a9fc79bb8515183432b55

SHA256
8715e2c61c648c99cb8a9cfb6fcae74a12ea20106849f76353a8188c82c50353

SHA512
b03fb0d972fda083204043241b3059d819ac313ebe017bb744402f6b709362243a0813820ffded3e0d3d162385d1cd7dd85f59ef9b3cbe20e3f52f7c2c1c35b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9c32ef8a6af6bc029a533466d16c2586

SHA1
9c9c4318c2c38bdc40fe7f7a3d77f7b991c00d54

SHA256
7e986a4cdfaefa75714e37f82c4baa2298dcdf4c4e545ca2330fe1b2e9af4d31

SHA512
8e410b84c66c8a7f7ef82cc9198634e7e6cd54d7595594b00b77fd23e1cdf1461c9be827da723139e310b260f9869c4b024d06497adcd967829ade9764edce0b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d625a54d4cda79a5723dfaf50fccda83

SHA1
bf6dcf33047256204cb0c847afde310e2737eb43

SHA256
ab6c9ddaee81006d0d01c49fd4ca1d44d87cd3042e2a96465b4f992f801cbe00

SHA512
9ccb552fa087fa080cc297453ced495e132cd45b5bb4c242deb52229c25779d2a0d9dcb1c4173749fe5cbc12806ee60c4d81a74fc5d05cec00d3657f7dfd05ce

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
2ece40fa4cdb1861b3dfe804a927aa73

SHA1
51c9ae921ce384d243d4a2a14fe921af2f04545b

SHA256
cd932ab0c34ef7b5f28a4f349ab69fa269a51cd0b20e4feea0fc737907b5c91d

SHA512
a05a091535dd698b7eda6a5962a0e54b62385db1f639a65a1f14a224922f4d7ef9aba10ef5641323eca54223745cd154a55ae198421a68004821f25802f392cc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
6cb99027e292b62631c20121945b76f8

SHA1
6acafe6ec97169dff27edaae313437afb4fb3d10

SHA256
829ba050ee72e30a18aeb0237a49423b8424755cf27c1637cd8d4cfad4475ff2

SHA512
5c381011372089cfafc33bfd1b42cb666af9dec9acca54c9d76684553ce9ce2c469dd47bd01c2550b0a0a73c5c3a4ebc7bbe86a91e1550b8614505c369206b8e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
745cca23c8ecc920d68c19cf86929a5e

SHA1
03bcb5c8758ddd8098775d9e05aa02515a1039c3

SHA256
99e9df12e4a4e0c5c6ac3ce3cce7981fa48f2f99337ee65cd15b6d21c6e244d7

SHA512
aa70df66331e3309bd5adc7c89d90b6d1013e40271449bc66b42ec1833c854d3e4f5b8c281e3032507e49e3e25695f917388e2c93ecc8c922316b8affdff7aad

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
15b4343d6471e1a59dbaaf517818b460

SHA1
8ee04bf69737e3882aa72c34830c66f6175a2d16

SHA256
ee9204d84a83c5a847d9ef5ce52eac0095598dafe1f92e659023c6488b3eeea1

SHA512
93e29269ebae142af855ec6715e409b020229745024f89f77031f3aed027d408e6871f72e87dd4671f8281e18f1d18762f117957488886c78abe0da12f5eceaa

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
0b8a4949bdddbf7bb3489d2a4456921e

SHA1
81745a72009a245001c55dc19660bfc076173156

SHA256
c8815041a86500a707d2112297f068ee3ac821c32c8156ab3b27c610c1d95344

SHA512
e0143e40d839b7c10526ccf7fae59dbba1ba4668bc5d729809dffe1ee5f7da1fa14fcc6f5a78d8ace778591e84143217919a182eab8ec6ff51d94a3044f72907

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
93bd6be03e35e5e50dd62832f6643022

SHA1
ab582e4314bf7547ca2167868ab66495f9fcd565

SHA256
4360db5bce86bf523666b9eb885b11360b515f25c55d5965b852d8150e9b3e1c

SHA512
cbe75aee366c03569b7a4c5eb631af55816403aef72ffae0bd1befe6d323a9ce095108b134923f86be555b379f2d132e81cb9366a93bb9b6d032bca0fa13d05d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
a42382491d720c47710acf5750fbffad

SHA1
a65df40316a33650267d70bf2d02196c364c1d2b

SHA256
7c99ed62bdd0c57966c525fbbbf16304dc51d33753bee2b9f116c7e0f2ac8a18

SHA512
2d7b1e8ef6e7ed986560ed2f9012452bdef5a86ba1bdd8de1f1248fcc6a7a487e1e7476d8221c43f43a04e7bc401a9f8a2a1356c62edf5513508bb90c7e368b7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
d5fef6dba9251e306808cea487d2f2ac

SHA1
f2cf6e5a0397000972ea930a1e919442bf8cf67f

SHA256
b74f4e6d49178a8b7a7c8853666e71d069c6f931f8a89c5a9a474c2fdb16e37f

SHA512
8755522eacb051f146684a7ff5a30c98fd8f154d320ca17740b68a327bc4be683dce749ed904717e84c40cabcd4e7ecd71b6d6ccfee7fb0c4f71e2ccd89922bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
4bf5e9a38c68f6f3fa9cd6b91138f986

SHA1
f4118c6e83f4d761ffbfdbdb846682acb576b570

SHA256
03bffeebe7dec24917379c1e29510c8b6aa43116d2b12b29dcfd67afc70b1708

SHA512
8e61c776c092381df0974b9cff0f5e39a766c34b7ff79bc5aac2ca73ff2ea920fb221f05fa7dee802a4489653ff78a7ea9f995e432f29ea63f842b7c1aa20f0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
3273b67d409b2e51c634b74bfb8bf37a

SHA1
39dc3f69b5c1466ef5f19c77ae6eb90b607d39ed

SHA256
397b277ef77fcac012832a42ee24349f1d2ad371c8d576eb9fc5424a289a5760

SHA512
de899cfd5fc05aa083b58b005e75da144e81de6c58b6d80ae68a292d3668630cc0cc7b157aaa77314ecd652f87a8391aa4001176a2ef388898c9de4791e5707f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d95e5fde65bc6d9dbabd993981e775de

SHA1
d839100b3de02d698a6261c3cc493581243db78d

SHA256
1067139316ee7ea57c67367cdbf6f8b19dd5e8d7334090834c49540dfd48a2b5

SHA512
e6530e3755dcf8b0e7282ddf72c4de901cdbb3d045c92287c98856d7d20a900206b349495089f1fece0c6cc899ad1018003eaa185385f038c22b622fb96bac7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
ffa6741b6d4345b989b4666f9ee6ef6a

SHA1
e72fafd1be4528a55545e7b5d0e021661e983d15

SHA256
aa1a43bc6e2a464d1a6cbb653e4130b67ed18df4033738371a818c7b7ff2b65a

SHA512
1a7ec93cdcaa62ac0ac435cb31b86a84a6f7e0939e1d646512fb7d9cbe644f3d9783296acafb1f6e9f7317625b0392498298156428d78709a133bb8b8801a7d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
6efee72958c58ee5744cdb7a09aa3d7d

SHA1
fe33f6331e3d94764762bcde9facf451aedb15db

SHA256
80e91b9a6815d0812a2d6acf28fc3870b6408cc4d078e3299ed4303c8a951254

SHA512
24ca7dceea49cb5b0d1965e0fcd64716ae13ce0045b58bb5b2a7c261fc0fb396eaa4cb7bfe758b821b0208a0d952ac94c76f254c4fb450e76bcfb5c45d2daf09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
66dff0dc26991b1e00482e002fcaeb07

SHA1
dba2d4847735c5d7cf256f93c8f4335c2c88cd83

SHA256
14ad49d77aeec2270b71151dab39fa996d95c42f40d2cdfbf7f3a6a6edc09fa8

SHA512
abc8c7aa9ac4b2d9123ee6750ee3e416905f16be938063cc643e1b0eff6f54fe8206eacd2dad580b1252f0f6129a3f97df500d8194a23b7b25323f57f9fe263b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1928b9f6367faec33a9f4990b2ca3a56

SHA1
a9e64693d83a6e734e77a0df588cde55994e4680

SHA256
7811fad3d97d37a8909d8b37572669ff8a018569b3ade0bedafcd7b6268b9041

SHA512
bdfb4982596681aca854f27d5c90cda45bd1d1f739b3d419b0041a1ac6b56ce9e4457bf23a986a710f9ffc8ab4b88e249ca256bf88f0993d1c31d5e0b9c9eab8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8f3ae2d2fa7b3e2f36aa67fba0680c7b

SHA1
5fe372e69dd24a5bd4e57d019b47f598c22f4e9f

SHA256
ac9599f768bffb890db7cbcf6b5e60cb80d9c3d09f3c13f7282f9b6d07cfe2d1

SHA512
97f4e6ae71f042f4f9eaf1adbea57a7d3809868925d5857f9a2b006e40af65defed5603e8ce97a11243edeb7bba70c60f5910ad9bc98733f4af3a6cdd36eeb94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
1294f014cda8209bc4d846f9bc634663

SHA1
8327ac202e0355689ce3e2143c47b21a9f05f714

SHA256
2f4a52056eae424c570ed0f6070bdee2d1367a0d20f50447d4941ac4d7a90839

SHA512
d43b5d030bcabd8f4197b2ed7d67651b42854534d0fc5474bb2c0cb742c30aa0028b95e1dc2503a9b054a09f57b5a69f0dc71067decb260980d02f87d527445e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
3e8c1a32652ff18a62d99d004e567f3b

SHA1
4448ed38f1429f43186009f3ef9900e16ca7d7d7

SHA256
496861f7676796dd17169eaa8f224cb5deb2c9bb1fc40eb6a4096643969d831e

SHA512
da82617bedc3c323f027df61992a5226525b95c84e0bd384e202df7bd31ff5490316b2c9dc4d4af9692189f76991542dec1aeb342d4e4481bc3c36d838640898

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
1aece5e96a32036347e336ddd2a5de6c

SHA1
7327b3311b7695feb2176e0eda5669c06024ad43

SHA256
a7a9a94f6481d9aab4d7361287de18a58abce24a5fb8f5072b1037aaca11797b

SHA512
e010834375388d21c1960e949246644ea880a1b013dfab6004bcd097be041880b3789ff94d142987d2c227420470cb8e4b4caad53fb4fdd03a8c5a848b0c088d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c5e009ef24768639236adbadba06359d

SHA1
b4999afdbce97b7ed8762caa43a1545fd5bf14c0

SHA256
f03f5e6a7bc6774912cfb8f5b375ba9efa17781aab616f4710c0b25d75818292

SHA512
9396f3ceea9169eac066ecb7e73acc5fa401419c317b3d01e0a2e38d72d9f4546ae7c8a321c59c5e61a5c396d5e770a96aaf24346d2420b41a9f4f5e454b3206

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
4645e7451be424d3016cb3af300b5c04

SHA1
99b2a7b6819525d97dc4a4f7a055e8d332b0deda

SHA256
a8c6e0e84bd11462ceab451e13a626d28ab4ddd396c4cd2327acda74462382e9

SHA512
6bc2b8763a1ae8536275609a3e85dbfb8fe1b8f34301266f79d5503115de016d2fdccd60e1a8416c26e6ca8c30bc0023171df6c0306da1c74ecb516d1ee06cf1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7ab2567e708c30cb120b7db9a6ee8cc6

SHA1
24ae927ebb5f5de6735742c9572857aa5df82b3e

SHA256
2f6f2bbd99c6cc448b5a6eb6feae0dc4483bc9bf722e0d3b51224e5287fd9f9b

SHA512
0e2be18d33cb24a64179470c52cd02fa4da4df7aefc5cbf0c5157e27cdbdc6382f51aa21148b0538e66a9fbe9521dbf57b28fcacad9aec5e7dea0aa1f27a426f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
fcbc1e48c78a638d4a4a1e91c5f233a1

SHA1
9b26eccc33c16591b2720aa5c7cf24319cf61b55

SHA256
0437ddb0fb34c1149ad86034a1820528f62042dfdd5de72f1664e9318dc47d0d

SHA512
d44a4e5ae1c3a7fe2780459fbbf9ae5202fbe94918d0664d960a9081f895ef830eb86f6cd0fe30e5f77613d08903116b275c4f09ec48df77fe702337437e0b35

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
c4b7d99745ff8d53d5ae35d84b7499d8

SHA1
f0e4a3e15f473df081d76c2a3d7612acf33bd8e6

SHA256
29d683c6ea2eeaafd2afa516d4249fe6dee4b00e07124a75c2dcb4b97b00bd4c

SHA512
d24dbc484f991d74bd2bea6e258e4d4900da5789bf0b0e4a055e7bc4a78e38e02fdaaae06c986d865f22c3945b7d523ad7f3f11d4f2ec05a6f9dab96085ebc31

Download Submit
C:\Users\Admin\.node_repl_history

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
9d62b0182df40f0af893d160eeb1c184

SHA1
82eb1614f6f63c648037c9f9a0178eebe8b289de

SHA256
1012c2abd64a53df49b0a6fa42893ffdc0e348236343e4a97fd4265ec47009fb

SHA512
fb70a69e56f0767ce53b700c695bc8612ce7dd0f95849f4be5b0e871efadbb5879458ddcb6728e423e2983ffa97046fb4d5f6166fa13852a05ec4550e45429a9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
12497457b16690040600d44cd69240c5

SHA1
8f3d144f2ed96734a888fc57c73884cb314fce69

SHA256
8f1d894bf8422a8e1037013575d362cc74a1fdb4ae81fbcca460e95ae73bae38

SHA512
b0280fff2cd7778a2918e1281ab5995f72650424686121d327d5cc0f159a8f6a12a03e99eb9661c6af8bce3c8b9b4cecf7bcf398e00acda2bb3a51a790c8e299

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b04702bdde1d85dd9fde3593fd5d21a9

SHA1
ceb7e5a0ab80b0cd444b705e1455b28c1f4ff7a3

SHA256
dd832343eaf84d2dffe52200075b8c4dcc6cf64cd3eb700cc266ba86081e425c

SHA512
17f2aa5020d6a4c8265cd660d183f1a58f011096c493bddf348b959be9decfcddab575bdd9f66392342cfe5cdbd8c18518615b713e0aee6cdd05bd7995adee10

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2b6fe538fd5ca81cce0253a5f6a5aaff

SHA1
14c7cac438ff2bac75b1f6d036cf448dd99f7d5d

SHA256
4be5f28edddf90aaad75d820912d4578886baa3a9d76312ff089c0ab8da5fccf

SHA512
7a4b4267c728f6bc1c68a5b6a39ebacf33c2f0d2ae8c61a40d1e2407a32cfc7e633621b000873a2da7bb6dc58776395a629764acdb0f6ac02a4ce13e149a2fce

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ffcb661120a5a8f95cb55b74ab3b86b7

SHA1
66cda023f9f79842c361c24f651aed4afa9bfd11

SHA256
c18980d5a52bca3fed37f70b5b4dcbdb03bf4a9b0fa7b602fd8adb0dd0767552

SHA512
199ec9bc1163f231cc1b7ac74d6f5b21c5c6d2e6005d65bf6e382b1d324f9e1e23a05116ece96dfa7dfc72c63bb9fc4257078b43d15bad5e44bd6a481ea01cf0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
bcae2a86a759683e214bc132629d5f72

SHA1
aaba01499cac2ef865df3f74e3d981fa55addb2c

SHA256
b31cdc281c59e8880132ca248049af3a8252ba65d02d71318ee4ba75872acc04

SHA512
ae18d4bf5b7474063c36097bb9e01eb9b26db873c17db63acb6e62437b5575f97dd0ad7f3ba660fa1bd41099289aa839bb965f44f8f1ae385a041b9fd752cf98

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
62dcc97880b36054e9e84174f0edccd5

SHA1
10b58a045a7edc2896b1789799f04b9bcb2ae1ea

SHA256
3ae9cc2a699a928ab2decdc4566498f29ce9eb0c81d4ae75c1e62b65456c3afb

SHA512
b91f33ded8ab177e1afdc1cdf0a6c284b49304d1fd5da09c764b1265c414f863adb646fd3ecc9a0b43384f841dc870300f154e8b1fc224bafcfbf2e0c66f8791

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6ba282c28d824ddadff3b3e9f01fcaab

SHA1
4fcc2c1a52edc87750675f7e9babe4f95ca784ef

SHA256
7119a57f572e042b8e53ab0cc40acc3325e5cb3702b33259711a920d933600d4

SHA512
62be5e41a5d77aa940007fb2739a28dc6e3c844fefb2962dbcff1b75371c3da9c002f99fa379c083ea4fa1d7d08eb4779e6029d647856a42b95539ad7bb7df8f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9be6506ff182f8940386fb5d7f8f536f

SHA1
08aac6888540271d655a60aded18075dba9dc276

SHA256
426f194952916896400d35f830e4394a426fbebec7267c4af592e60ecfb80c7a

SHA512
5849f1432a47fc0c10e6f55d73d101168d3dd62ba445bc3aea5fb5662bf06745a53a01486b22df474df2ff353e1e0b2681211560e6ae56c0e68beaa77a384a31

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0b812584f37716353137b902aa3851c0

SHA1
ba7e1a79346fb6a0e2c93478e03efed5906bbe78

SHA256
26ae03b5ded4ee03797bb65df92906ef47b163c40b944e48991bc455383e47e0

SHA512
566fdb82b2d23df65b7a72aa3fd752e2082dff96e0cd23d9bd1f8acd2fb7b8e6607e2d6046582e302b3286e2ba680714700107625871b54c8eb272b11f7051b2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
29f16bbd2f2c0b3ba630c5ff4ceff717

SHA1
0085ff172875d3e73642770e30392b069d6f76c5

SHA256
88820d903f4c6be4297d321d119fcf5b62e25d82f43df986fda08c43316d3cfb

SHA512
7c12b887445717797113453838b1b41fe9cdf1633349a6e15a7303a0ea356a025109e42d153f1bd704fab9ee6f4395cf3d79910b3c89b2d44778bb7bdd6e3ee2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
69b8c5f5dd0a66e10415976e68a906bc

SHA1
3ec5b6e0e39b5ec78d8db01e00098fd731dcdade

SHA256
5e146d091d9c826676b265bd9714ec08bdfc427189c691044627951c481b8285

SHA512
fd799e8847e78c20da5b88c85214d0d993636e185ee2c70d0071011f023b0713e7e61fb480ebfd9ddac2611c26bbf0dba4d4782432f9c72175f467b2652b27a3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9c3fc374e9ab1fa34cba6556a673ec00

SHA1
27cfe909b77360eca15b3e290ad1721465bf3751

SHA256
2cc46cdd3918fb720715e68c2d754b6e48b31ab99492c95cefc2a23a287a7a00

SHA512
3f39a7ef161db7f1a234005f4a5afc6ef74f0a92dc5eb2fbc3efa04b0ddf521c5bdc213b5810fa212679068009fe8c694dfbafff29fd99c5100fbf9511bf3786

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
62dd4f1538cb723f1374aa172e0f5d73

SHA1
536e852274c5aa24137a294d96738edd020a241f

SHA256
8b573b64a20038503e680f2083507c1fa256f0d171716a4bf71fa9b39fe92970

SHA512
69d17ccba5b4ddbd5c7c335039d1ae5fccf3fbc971565751387aea2739f6bd8cc544e3e7ddad35557ee6cfc46728fc0efdc887a94a622904c9cf5566c593445e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
36ee0cd91990c85a8df15022da963b8b

SHA1
9da1ef8358fb6e59dee276d2ae8e515fb7def274

SHA256
5adb92ba641b2d23a3525344ad873c3cda5bb285134e8974f29df7a54332d288

SHA512
169c00b3af1010c87e6a2bc0efefbf0f2ef4abfd563c1e0325b803abedf8af7480932a2e06dd1f4b48f45a8b727a28b47e340a0c7c194ee1d8abb332f733da5c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2d9897604df5143f9e9861cbc1565a30

SHA1
c1852da78a8d09bab281cf18e4eb31ee2d94b946

SHA256
2cd4b97bdbcc02a5461a5b50fbd8a861ac5f6ac1591019e8b6d104702cf5ed11

SHA512
d0e44a76b0552e6110342ff053b556cd6f6fe61fcbbd9cff48497cac19778ae9713dfa4122d074e1dc27f89d700be1d00d1aab3767e0f69db1702bd2f25d3d21

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1182a0c0521acea8726029409a784f8d

SHA1
9d4c83099e879b6916178683d1a67c56327838b0

SHA256
cee150aa164b67901723cdfa6bd4b39916c5ae7823315bbcb2de49057a0538af

SHA512
4e88935e1890975288131bcf96fc66fe2fd0ce0eff32b010d88fcda7fa560e29af69e81d5702ec54470dc9d0efcb84567413de658b22e6c831cfadef6ef1a3f7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
db49dd74c8d7920f4208af460005edba

SHA1
36c577915c8e6802e9b8cbc3e1ad845e45da8e89

SHA256
93f8f456c08f4326631c663cc2b8dee8aba5f8ec2c00784120cb92e4bfca0f3d

SHA512
7978ac96760d20ea142848c3eda3451b5a73038d9c33811dd7a59b1b9597b049c46eb6b8cd028a2d065cc7d839527c734ea2bf6aac2dec6f505dcc12bd13060c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fe171fe0b15af2510910b4b7e7e9c5b5

SHA1
f2eb9ef121b6cfd032a04d0216290e029907ad50

SHA256
12ed2f3bc1e4d4b8d95aa722787c21978149738ea411195b29bee01836f4d88c

SHA512
db861d3c531fb403ebcf78a7944f2a4f895bdecfb93514e5d792785e8b28e3124400184effd4f49af18bdb8fc6b5f694cd5781d4cf6355d28d8bf3585ddfa811

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
3bddfcd662a0f9e4ede09e38eef33ea9

SHA1
22017de497b6ab28945b4ab2b6de588824830820

SHA256
2e47366023af55728b6a55543d95eaffa147b40518b608c9b8bf1f68699aa9b4

SHA512
df05504fef93b283593d1e2b77c0a8fb9022cea508fb63200593634053931fdd1fc3b94b9f86eb2039396ef2d04595dc20eb353e13c8d48349e3b27eec4278a3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
6fde17397e8addf45599b577750948be

SHA1
69a18c816033a3209b8d58f8310167625cf9715b

SHA256
ed256e972faaa3678f1c8bcb52580ec12f454d2976db4239a700263b4131f694

SHA512
1c1d8840e8bd510444a19b38cb8ecf677ac3c4ab659ba07f3264cb6096dc812fe7d6128fb781ae7a64adc94073ece190e0864b671f1b958f8bba63fe1d71eedb

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
fa2ff880a74ab462e6e53c86438fb9cc

SHA1
ad10d7d7778830e458804905d8c3df423803d28e

SHA256
699942e6548533c52610c02def8ae7833e975d3dd268d60e81ce00cac726f7ec

SHA512
b95690f985fe7070bc44b5dc4d6de1c01f92426a7cbfd95cf02350b8487f9a585f32a9f5a1fd0341efe099d04698c606f970956ab306d471ecedde796265aa3c

Download Submit
memory/568-257-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/568-264-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/960-251-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/960-246-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/960-467-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1072-215-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1072-281-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1072-291-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1072-220-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1312-185-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1312-124-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1312-132-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1680-305-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1680-298-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1900-118-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1900-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1900-174-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1968-199-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1968-143-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1968-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2436-58-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2436-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2436-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2436-122-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2728-212-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2728-146-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2728-155-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2920-269-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2920-278-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3284-243-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3284-176-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3284-182-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3720-93-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3720-101-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3720-94-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3720-158-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3764-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3764-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3764-32-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3764-92-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4172-131-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4172-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4172-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4172-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4340-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4340-75-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4340-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4340-19-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4532-77-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/4532-229-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4532-234-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4532-239-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4532-76-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4532-240-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4532-90-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4532-88-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/4532-84-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/4836-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4836-36-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4836-46-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4836-43-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4836-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4872-167-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4872-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4872-160-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4936-268-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4936-201-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4936-209-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4952-67-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4952-0-0x00000000024F0000-0x0000000002557000-memory.dmp

Filesize
412KB

Download
memory/4952-7-0x00000000024F0000-0x0000000002557000-memory.dmp

Filesize
412KB

Download
memory/4952-2-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/5040-255-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5040-195-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/5040-187-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5100-292-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5100-282-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download