07900d5f2d0849447e2aa7eb2b167c5b84b14911c71445b8208a66b4b142c033

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
Size

24.3MB
MD5

6d7b3f63550b6bd7b39ebee21cb15ef7
SHA1

8250d96cb2808118eadc6baae9a89e1193a4c863
SHA256

07900d5f2d0849447e2aa7eb2b167c5b84b14911c71445b8208a66b4b142c033
SHA512

72561b92f9d01358b68a77136e2bdf2ef94a2207e9b4eb7b45c9f437b612226b7a6eb4a7620bce97e6c12c8afaa17c26af7c44929f8e2bf7c378809e5b570bc5
SSDEEP

196608:RP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpZH2SAmGcWqnlv018:RPboGX8a/jWWu3cy2D/cWcls1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
920	alg.exe
1108	DiagnosticsHub.StandardCollector.Service.exe
3844	fxssvc.exe
5068	elevation_service.exe
4852	elevation_service.exe
3008	maintenanceservice.exe
3988	msdtc.exe
1664	OSE.EXE
2840	PerceptionSimulationService.exe
4464	perfhost.exe
2488	locator.exe
3548	SensorDataService.exe
2480	snmptrap.exe
3448	spectrum.exe
3848	ssh-agent.exe
2852	TieringEngineService.exe
1044	AgentService.exe
1244	vds.exe
2460	vssvc.exe
3388	wbengine.exe
4480	WmiApSrv.exe
5144	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5e96e5a0102ae222.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{78904BCB-E140-491C-BF0F-5887E645688E}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4b539054296da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000687152044296da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000775fe5054296da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000687152044296da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0e3a5044296da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	3844	fxssvc.exe
Token: SeRestorePrivilege	2852	TieringEngineService.exe
Token: SeManageVolumePrivilege	2852	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1044	AgentService.exe
Token: SeBackupPrivilege	2460	vssvc.exe
Token: SeRestorePrivilege	2460	vssvc.exe
Token: SeAuditPrivilege	2460	vssvc.exe
Token: SeBackupPrivilege	3388	wbengine.exe
Token: SeRestorePrivilege	3388	wbengine.exe
Token: SeSecurityPrivilege	3388	wbengine.exe
Token: 33	5144	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5144	SearchIndexer.exe
Token: SeDebugPrivilege	4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4436	2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	920	alg.exe
Token: SeDebugPrivilege	920	alg.exe
Token: SeDebugPrivilege	920	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5144 wrote to memory of 5744	5144	SearchIndexer.exe	122
PID 5144 wrote to memory of 5744	5144	SearchIndexer.exe	122
PID 5144 wrote to memory of 5780	5144	SearchIndexer.exe	123
PID 5144 wrote to memory of 5780	5144	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_6d7b3f63550b6bd7b39ebee21cb15ef7_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4588

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4852

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3988

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3548

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3448

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3008

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5144
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5744
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
43b79e3af46bf95cfc37bcc1e939f331

SHA1
8886cce5363bf6a9e337b2c04dd7fc1b566fccbc

SHA256
7cbad8e3b2556e1e0c05e280fa1c530c3079db678f69b22a7df54820f41aad9f

SHA512
c07c9c965cfcf30eb64aad1604e758f5504a1d1f5a38fa5656a9af1d2d67e48d8bffce3c60567452eba42053ab34aa4786c0d3aa1581241453ae71f04f6cceab

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
dca6e78b2e4ece02df8251c783199e41

SHA1
42486c4f9bac824c04f6058a6dd3a602453e0059

SHA256
78ace9369fa409a344374d0eb7c38fbf4b95d2d3f2e82ef4f943f1e36c8c4d39

SHA512
5284b4e31896fb185126e1b95a8743d57ddb235a0d35811310bb3be3324b24e083845206e64d2c3dcd2ab4ed80f855d16071edc22e72d0e27c889f1705684092

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
5267fdf2c95f098ef6fc5f6a92fdb746

SHA1
2595bf30337a4ae14b2a4cfb98cc06583ebcc54b

SHA256
3248c3796faa059ecb42d901bfcc8e6c34ea2d0dbe0ad50f72e4fb5a493f24bb

SHA512
13429b968933c9870af7fdb4779127f68ef2c0efa73060ce0bb5858224d99f3e0854bceff23854cdf340ce408f3df1c6f393633acc88a43b076b59c24c6657e3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
24af8fed9d28e6e4cfdde82d1005328b

SHA1
54fe5aac1aca380919e0730e086743202ac53306

SHA256
58467c5d1d8ac526733bb187081c5bec0c9e468f397d2417b9401de9434c8533

SHA512
90e7d4ec5c609b58c1b0581e78f35f05cefde366255079de14a582087c894cdd15a7483f389f4b3ba5255030d3af29b1f751d4e5817d6282213d537a42ac914e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
148cbe2713b4a7cac7bf00eb75bdf449

SHA1
a4fb7a5b0657a1e5331f807748a00cb6b6bfcfbf

SHA256
f6ea113bc8dd67af34cbd5e0c507f1015c26ae3f47ad6fefa70e4a76ae2c65d0

SHA512
15f946f239219505a1a83b9e3027122807c5b9f115632cc354a88a3d76f219519edb5112615150b5b9964a5b95821eb183f43b3e9840a133cceb799aea0ccb3f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
315f6a68272f2ba0d4d0688711ef21a8

SHA1
b1ef43942b1e8f4651847b69c801ca9cb4443404

SHA256
925bef850a7a790db57f1485ab024ab0c420d9337589c700c238c8e72cbeeb53

SHA512
b494617b8061f06bdd150bbcac0363295d3afdf9e063956a4c0bd9ba87ce338f64aba524a2e73dca4f93400db10770c9548b6b5682387a31686ad25a1f02f544

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
45f9573bec3c61dc5f4e2be7060bbe85

SHA1
8ed3f3b2c12559b321b2eaaa8cc703cd7ffdbee2

SHA256
53aad67e760af32d2ae8ae4d0d7f3f25a13dc70892da98737a66ce22086d6635

SHA512
da707e7f1254188b6e2ee9ec92f591dde6b8185046b2d937cb030f5dd97d3c261b199421201fdff09ea0eed0efa7058c42eb85e511513b3056e7c844f9536abd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c052962686ecdfb3e5532a405c77f01e

SHA1
2abcd0ffa4d626f4d4e5a414bf7e1b121aaf0598

SHA256
50c6eb27f2f50cdb53ede88140e42480dda6a090d6c7156d841ffaa56843301f

SHA512
34ee76746f9c2a8dd03e738c275b60f6322cd72fa2dc560121d4104242caaedce47cafbae85b7bd78b913df355329df21c96523569aaeeaeff0cd683840ebbd5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
757645d1c3027ed086488c6fbacb26a0

SHA1
18df8f4ffdbee9f53a1aeb877226b65b2c963d76

SHA256
37c83768c9bcc0c2c3c084a7202ba90d0ba773beea0fa0c05be32ef65287d445

SHA512
9dc15bca689d52c909bf08f7ceb71b8dcaaa2f7643a35aa3cecd0c49f2b14463f0ddd39b928ec1252ad38da072d0d81f37f17f288c6141327e6ab30c78a38d37

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
068a350c73a32fc6324515ed2f76f6c9

SHA1
a8dcff91223971a7dd023307dc9b5e41d8c5d8f2

SHA256
18ee1f0695b978a8ab9e222dbed6bd18f8f304d4ca21bcb828c8cb348965e38d

SHA512
2842165bb845dfdb4bd8dbafc882d6dc02c9a9c48c20c7a3cd38952cd8e45df857f63a694626cc71762d0832cc70d4c884c65b72c9daf325641d40ab8c427645

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
48b453ca0d59506c9fa464f185da26cd

SHA1
ca492b9209b05b30a3230f2e237ba8b754509138

SHA256
9a637f0bddf19f9bc66df48fa766bcdeb9266e45b9e1a8776357556c09be245c

SHA512
66722ec359e34e976df554bb41dbc723c247fc1c53f98f30cb7e99ac1b20bb7964ca045df19b38e975f87f492a45904cd699e6570ab281c2d67a3c84c7f3f025

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1d13a1ae3d11d6ab80da1fc079fca895

SHA1
3299001e7d41f2d0a497cc20dceb0b5f81e482d4

SHA256
8ca1655dad9add35a51fa39b7d9b65a3a1da8a981ab680ab1b0ac84c30fa8c47

SHA512
e0319a78d06ae4dfbddb395a129fb531770a4b6ec106a23c551c18ed796c4aeee94b471b455a3310a72e1e79f055322d66fe15a5afdfd471cf1defd9f0893af5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
dd576158723ccb42de854b1d368c5da7

SHA1
3804ace6af32e472308f15aff9f12623fe7dd323

SHA256
585ac0c26ad0b9d77194a4d8f5288a6a0f7787acb542458f4221347ed3277e56

SHA512
225537e613ddc2678cc708a0110a06ef35e7bc3b7105bb7b5d73cb1212383cdb125dd744060fabd2f00afee26e3cd5f0471ca8180fb026c59939403df3fb74a8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
c908fad0cee4c469daea0871fc271cb2

SHA1
a966d296688e06e80e3fc0a4754c914b0f7a2cc7

SHA256
f553222874f71015a8de9cc03cfd41e8a5d45ce8174df031bf22e22aef69fd8e

SHA512
1fad03d1cddfcb56abf1c86e7fd2bca7438419f3816db2494e9632c46c870f86f4cb974944298a7935e6983289a2300c9550c4dfd1e37bd284cc17e48cc509dc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0a23ec88b3b5f2e6a737139cf6149c48

SHA1
a9bcb02c097bc976ea327da392da4dc2aaeffb41

SHA256
abf5d2338400bb0767fd1178a1e2158b7b971407c2a839492e5d320ea5a390ef

SHA512
66d71776f7eb92244ad65ea965f8804c79491b84cb07c4c1e7a39988647d7956a1c1f15542cad6c920068fcee5e2bebfd43861a96961d66f3f73968901c64155

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
fd68df1fc87260087c2a82a88c1a2c83

SHA1
13a0278c2d662c4c9f1e8947bde309263b0ac07a

SHA256
fbe01ef2fd65e2867c9c1854eca4d6ddaa96a0e150f6404eea8b686215f3d78b

SHA512
865248a28b8c7eb99b4ee92228e943a660b4cf4a6c3ad07a1c9c2e66f82f5d3ae3fae0e4272c6d74400e49184685718480233bf68aa1ff1f3b0920b692821485

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
89273239ab73f02ce5febf0dbd5f121e

SHA1
7089bfcdb3be759c242ad749379cde1db2536fc9

SHA256
9b6826598e9b79b4807d26ee45e35b43609c90d21df02ac24f3e6d45841e937d

SHA512
d7a39394bda7e59eea8ed551866a98607cab33da7a3f9c6b6fe39ecb1f8d283eee6dd50d7dfe5b632c2eef4336090c338c233948e3e7a3c1af89db92f57aa476

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
777d6e55d747eb319d12e8ffd05f7862

SHA1
13c6fe1adec7928fd5a9c8d7c9208802bf1e12dc

SHA256
4c4181caa1321b67accd3c6ec22e47ff7ea5005825dd5a095e32d2587ad99936

SHA512
fcc9d6c85c10e82e2473cdf542a6f033caafe0c63195a73dccfea61934a212bc566152c5d943bb60a316709c879b89951086e5919af9423f664eeb0ebf6b57c8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
55f5e33f1342475682b9866264ce09f6

SHA1
7389ba7950569c45ec14058fa499eb6a08d0e8ee

SHA256
1ac7d6a72189586539deba16c3eb47ccd875c9966c16466ad400316f3f98fa5f

SHA512
7045cd936e0ca2ab6f9affa3ed03dd2ab9ad0c339cc91343a4f0e18bb374793c912752c51df50f21fc39ed7f90401f413cae90ac61fbdf0e1b672657cebeef8e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f1621ef9211f416b3caff51fe26ca197

SHA1
f22f62b71aca8170fb1f3870283fd0e79baa0ea2

SHA256
66362b66b0a05cec82523948fbc305956c2f781a1421a4157dab4e819517ad2b

SHA512
80423818f4b289b512d8bfbc2615649ae6d659dceafa43991ac8174a46f80011ff29d90a3e9fc1bcaf035058510cf0ccc49f33b82dfb37ee0b83ac4751dd9d54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
bd5a48d7487e7aa1b29223365f193aa3

SHA1
20291d18410731c4ca12b058d3094d7bf033ba3d

SHA256
6ef5c928d68e3fd111bbce61d303620de3d92ccc570756b8bfa229f6924ac70c

SHA512
c848e3e8557711643954b4478d1a3226840b3f8fa5b5af0af1cbf81e236f2932e1def6aada47a5884f67b146fce84c8d2492fcbe9977bb59c82973e4d41c443f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
b3abddbc11f133c5482f54bc590874f5

SHA1
49ab7077ca4baf574112bab59ae8dbeda59625c1

SHA256
a92d6581b87430cef921f17867e8c76e06e5befe9713134337e9cf63edf01c18

SHA512
32bfbc470cc0d66e4055e5dbb9896a8e8d95d8067a52b47aecc46db5649eda083e868e6df44f1c56a890138e82fd3ad16469b4ed126e2ad05c6079a4dd395c58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
cdd9a587a3bc5d5059f00df0e3560b4a

SHA1
fff7d39fbc2ff225cb88349c994502193b919613

SHA256
41743dfd3a847d62336ed5654ed2ce850f155970b7637cef2dfd38a19c296c43

SHA512
11e67c326f044c55274ac7c05fc8a481428b7417a509d7101fcbe6ac2d9f2c881cbb0afb9e733a2056fc0331fb96c524881e19ec846cbc542c9c8b85ba819aad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
91661a247cb13e71e3d06e0f7b14c4cb

SHA1
d7aff81e17e46a0cded6c73f390a63f3a543c52d

SHA256
7c48f93078215a0769c1ff7c8c92700bbc83514aa916833be85d2ad186420254

SHA512
c1b655f9c41843d1bd09c1a1dc457da561a384957bdbe078b34e55eb900c00bacdbfb4690297cf4c9a61f296cde6d769a61971ac0eea276c0c81b7037ce761ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
1acddbf9585cb576bde177f8318f3a90

SHA1
19c98c357b0a26c69dacb09f62cd2d08ee9af8bc

SHA256
eeeb0064fd1ec3306123d57d1e97453293ee6e3bb0d4f257e63d4b9854d865e8

SHA512
69eb87288f2fdb46151dd0cdc38e7e30be9a1522dbc5474122361ed3e8ae0911bcdc1b1083466b0d464264ee6c7bd832a5e9affb2968a749279208ce4a5c943c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
0aedb208609eec154c754ac3a52006a6

SHA1
d3edfa1daad8e29193dee6cbf7b143e859ee5082

SHA256
123046bf0bcc5083ea9cfe29355866eb522ec16cd5bb058cbbb0f770c4e44f66

SHA512
f8cbe95f688b02c1db49f27d812b08e4ec27a4f8924d59a5cc78e6c2daba7ef2a00bf15917c46acd6eaa74a4021f0badcba999133fa9b4c88ba4eea8f8885fbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
c75c5640637503342d56442503aa6707

SHA1
50d4dddfd28f4d835eb9f935f24140b6ef34c210

SHA256
1d757afe76de3f37c52947ca2a24e2cd1f00ae90002b145add82e8919905f1c5

SHA512
8f64b4b79bc93102366c8b815072c0c6f6f1114122d9d8407d72a25cb6eca76dc203148a7ab416f7fb61a141993b38845884b76f792618d38b4a465bdb27f86a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
745c4a3d042764fdbb48b6f0f6a9aaf2

SHA1
124432c466f2e93cac1edc845a67ee69cf1ffa2c

SHA256
d426243a2a5b93a3459b90a20c521cd4789de72c73ee082d2d11f1b89a9ab605

SHA512
fd2a22390cd16ffd8704523310222e263916a525d75cef16705ff990f54a681ae28a05897f3ed663f9770adc917ca0c6cbcfa6a12a2a385dd119a3bc70375adf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
0ebb041c943376039d03fa6d4bdb57a5

SHA1
1373bcad9e0d037fcc96d99bb2b7d3d545fa5185

SHA256
548032ed566111ac31406431f09ed89add500b5927dc93d6c612c5b4574936ac

SHA512
1aefa14bd6cbfe446404d69f8c099360eaa17ae398a5218feaf3d3cb81dd6828e4542685c4ba2681ba6a801269dfa4f2dcfec3f41ea8cbbf0ac921c8ff8c65d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
0f9762ce73577368b588ecb1d290d7ff

SHA1
84eaac4f2391c471effd4f72b770fb11133bba92

SHA256
27f97998e18971bf17862b96b0fa8ec7a20f676f27a272f9a22fade5ce0e2c39

SHA512
4413fbf543f4cf99bf777890a28cb7e423825af1aba0f38577af94c19d097a137e2a886c5d226608d1bbab4613f3e59dd2e84cb6beef73b0257aaef25ed1add7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
ae0e0a5b740c5a5ca57d8a9c1b6d5387

SHA1
1e7ce6c90afd30f37566220600ede11f619b7b19

SHA256
65d6ab879ef2fc1778c61910fc6a9127d27a434af72b21dd72bb592e793570fa

SHA512
43ccc5283fccb1d5db566041f63fcd449879b114201d42d60260f1551c57a3d7739ffc8d3ac769050c92483d65c3f6fb927a23c7af6e7a8d1b869bc83813e068

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
b6c617358eb9a06771ed7643cbf6c2cf

SHA1
bd3ebbc12046335068e837a7928824435cc4bb7b

SHA256
f649abf11d2fc956b813a61167ee692cd592d38e3ab57df6994549cbaa286986

SHA512
9cb52aa8d39b8e3ec2105ce20bf2902ce17d3cc8aebb48fd73e8988f36c0ef337465f58e5a1ee56983231cc89032b8ae2fcf1a57f94a626e6fbca513e7c8786b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
a71f72b19e6ce57c763c91254253d888

SHA1
c4245f0318b7d576c85b7d4466bcaa2af792d565

SHA256
1191d8bf8d6c04f4ff578451cd6fb47201787b47beefa3284ed8b4c8ea73d855

SHA512
eb748973ed372cd230a0216471776a11827370b6264989e8626b2b9850fd2fbb3d353dc61887480ea0198130f61ba13147db5074939bfbae8ccb1df2c4007e7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
800abd53490870cc3b38b9b3571b4429

SHA1
1b0714cbd4636972160046cf3a601f4c43edd2b5

SHA256
ef5d3e63f393aa5f28354d2919778acdc45495026f5552811d42206934cf6842

SHA512
f841756a7f6386f276eb60b817bb82b11b92523382d5c67ea347caa5eb3aa461ea99332b40e10797134afedc13cf81491eed33dd43d9886fc6a737fa857280eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
d265652d84e9d4c88b85da7f96af5c21

SHA1
eb2eb979496c5b0b9fd573ce68e7c3a71d715018

SHA256
436bd187c9f26afb620a30d21b7e39b236fbca4af27bf089486c1c828befd4c7

SHA512
6bea7940fe272fa88c5a9750d28089e7842a3609a376cda665d193ff560c448c95f81beb171eade63d8a571b367a300e66af093442e2c627e7cb4b55063f34d2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4d422cc5a6dff38eb0a84ea70472fd26

SHA1
a69b093729e125b5214e9920c7bb9bd9a0d72de1

SHA256
01831d701fd2e9abff787b2bb3d2875518beeee97a17f415d9b120526ad84bef

SHA512
561567ecc56aed9fd280d756db08b8e3a5443cc023c28ac5c042a8af2c64cf08149ccdfd45b3c39e9e9d9c99b9b38b6ac141650dd1f70a96056a0f03ef2210c7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
4f4967128b5fa650ddacd9a249d00a87

SHA1
0e1b54bac76afd89afd4c66932c712820a18fe50

SHA256
ac25673d623857b2699afc89f53b39f3bd25b33aa8cff961dfeef4b204ba8c48

SHA512
3912ff2ee244dacbf2b3676a14d18081b6fdb63526614156834e92fa2a6d90d6bb8b4d1594aeb7b4fadce7c026b0cc6c375eafc5e58821237c6b977fc1903552

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
fd0c3826f0bbbdeae58c7c8d93256ba7

SHA1
d26fa7f310fa1c95c86abedc048597a525db0c20

SHA256
932bebcb2ef30f7e5b34d5ecd5e1418a956f6b0f7853cf79ef2d73eabfe300d5

SHA512
1ee563b9cb1ed57c0a4fbcd3485f994fd9bec9a5511aff26ffbf6266d582513f6e30828f112cd940c67337523505cd5c4feabbb6dfc7bb6fd850729860401660

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b4a3bbac6d0c02bd87f4153227d9de1f

SHA1
8aa48e997e460b9891d3c3738e5e9620e01d2b79

SHA256
e5c81b31f20429d3412a0048202198a5462eeafd87e8794e48f0821aac563119

SHA512
869ab52915830575430a3ceb3d8b2c38135f0dc312b4e9e9689772ad943e6a4e6c7f42c81ef7d686a8cccd08df48959bd8dcf48f8a02f621d6e5fbcaaf3e0491

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
5a7d1685d5a126866c72027943c5ba39

SHA1
2a8ead867933d9ffed31378e0c2ec0315ade20f1

SHA256
10f658e7758f28720975fe4b9371d33788a1d08c2a3b34c44c764ee86f5d37d6

SHA512
73a618e899dda6bdb8f1b8fb3511a571d0149c501682716f8a3b233c212a8103947a77a1006822a4f7b2c0c7d080f5b1a7ca949092242efe4f2a1d61bfba6dab

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2e36ffbb8311e1be71b4371c5613f7da

SHA1
bab893eee23834984a2dc67ac056838de41f6d08

SHA256
3ddfb2ae8e2746059eae214e90badb36ad441e5728fda19cd6a1406f1e2d43ef

SHA512
ecef8307de2932e5c93fb289e5f5dce51e87c4b43ca9b05d6d2e134e7fe48773381afa71495d0cfa8fce47123713c1bb28913e15dd72968b238294c152fbaa2b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c6acedaaa0cce7159a687f4599b824b4

SHA1
af4c58d57a12761c71da9e1c4de2d321fda1518f

SHA256
89814df3d6c7f91039c2804dfbc60b87aeb041a68c08d3bcaff9d4e8aea103b6

SHA512
0036030a438d0bae98e674d766f5e2c99749cfcdc132bd22013cfb2a23377b29e15fdac19aecd7848f11c273f2e28f66e4c8d1af3880a003e0201298c3dd154c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1521c26fe36fbd4c3a74a52a6b19d38d

SHA1
bce7a291fadb9b45299c1bf7fc7173b9123c8db9

SHA256
d19bb489d0bfb1425a1dc3454d78a77cc9cd4dbd0327ecbd9762f76d11602287

SHA512
d8787dee42b1750b24e125afc4014f01c0f676ba8e3fc3bfef0f64bcbf6de4252ef71f7e696339e43f8b49795e387037703f24e5921e319b61f5d4fb3df71dc3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
85003b1a0fca95c4c822a0d47d1815b7

SHA1
6463eb0b962b88d9f2fee2699b759194d3232000

SHA256
ecf52aa156b51499bdcbb3364baf57b5369a3012a577f4a4e39065162ca86eac

SHA512
3f9b5c9fb863dcaa7279f89dc28a8346c1d7b7d46787cb4c718d9949b3bfe936cb52e92e1893ff1c0c72edfd132261c07438b2f0bbb2b53103b3af30c7ccb34a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9143a9fb2e861c4ca33ade909b5b01c4

SHA1
0e850c233a0c280cb88eca24349e846ff51b0dbf

SHA256
a7dde2e1c31a24ca880db74a4b99ca580db43e6ab062a3baa367fa22031f5be6

SHA512
02f6016820f0c70e75cbe15d61e14cfd415b2f2c03f4adaab68ff53856e0b5dff7c5e7ef6371895d6f6230d71832e472f9bcd09606622302d4cfe8aee59354d6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
feca061d7b042e2f3da5ac9165468d67

SHA1
4cf5de09c5f5b4703d700b88c90f94e19d9c7515

SHA256
88a8eddbfa501e8dd780a6baea41ab535cef5a6354b56418994715754fd7188f

SHA512
91b23e48e6abf0c6d4d0e6f6cd85130238eee8e4aaf61ca4d502f7694bc082d8fee19204d78ca099bbab59e67dab1d02cb701ea90a7fd460fb35082e3f78e0f4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3551b5479347bab1a62f3d1b0975672e

SHA1
5777917648fcfad93d0294e98c2bf9210c5c7f8c

SHA256
5bb8ae99751418a7b05487a1a2c955ccf338ac21ffb622a61e659155a459bd4e

SHA512
5d93cb36175c36fe6dc3bb9e89cbe8dda87c28d4a39b6a77af51f93c476d2bdea847f08f16a96be97a148fdfefc3f379c33099524db8f0a8a1f4661d31b697c1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
3d2887bfabf1d0a295d8294fdb11c624

SHA1
7380a99ec78c0fe5f9ed3b52c0d449a7ce58fdbc

SHA256
13cecd4ddcce5442ef273eb4efe4fca56f930951aaaea1066d8a8cf6245bed72

SHA512
64f03efbb8dea3c8ee5393f2aac794e0a400b75e0c8e93f3ff197ed15910cbb61cb265591362ad936383b35fb4b10b494442a31895e95dbadf490c25b9e01911

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
221ed01732d1fc64c8f4f6e54b040db2

SHA1
fcbe81a0fdb605d69b801f83bfb862a110980aaa

SHA256
2801749db400d47eb970d071d6840c16f78082dc6eb4cefef118fe25e84ba5ab

SHA512
dbf4e2d0118dba6c0e235f2fefb34622ba662a06e5e11d010d10451f667743b62988db7d6d01b50af5dfd664a507c59b3779c7084edb241f97924b684dddd47c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
071de24ffb5b22f164be1819ed373879

SHA1
c1a3780fef726270b793b41b212ce44a1176827e

SHA256
6bd9acd42390a3a7ba74633df47c3e0a3028793fc2918ef8189237e01c72beaf

SHA512
3938b1da90973a8d8ed3d1209e40b761ab35b37094dae6f919fed8e6f87962a6e037dc5c5073b47f0260a4d1f000d8e6b322e71a92619b60e9fc2a8a6c354061

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
787227fb96adee3209e0a971776ef879

SHA1
98c3756a4f3211640f2cd1bcb6e3c27379b429c4

SHA256
6d2c4b34aaadab52fbce5e3886a96c879e8ae7f0a1212f08ffc5cefced896852

SHA512
168915fe8bdb21d9d26b5883852a411cd346f39618e59aeb68152eedb32a15c59f1e7e48b437f92e87e601c4b63596e314e9411c7a22dfeba0f5fede9794eb01

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
2a9258b1ce8e664a06aa3c303ec45607

SHA1
c63b67313688fe386a1977a8b23c0b3bda87e4b2

SHA256
37eca52f131af8fdf351811de35299ad425ad16ab27ccc45aadd0a69cae1c4c0

SHA512
1c3aa604c2eb488774c6e586244a98cb9d68aaa630b4dfa7c7d93f94bf0819e5f51d6712a4f54c091b96328736dc99eedf8bbb9f864635c66d84a34f511f1cd1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b5b3062cd664d22441321cba9c4b48da

SHA1
70b588bc83ee8b98d306769d13f94f5e447d828d

SHA256
2d0795c8733fe904a07c1e51e9a424419285de86deed6e3539ab3ea38bb2bd88

SHA512
9516f8252709253b3ee5fab7f23c6b959684c9c3c83735f0a15cefb9dd12b4e06195c51dd3b28d0c9932cb09c1d4b2015fe1ca039e339bee2d40f62dc97dcd18

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
6256dcdd87ff7521bea54f62f21fcacb

SHA1
a280b055f14c689dfa22bd44147a1a4e389acbc8

SHA256
5d9aae8d3a544e59b4cfff4acac6c4974d3a2d5f23aee823fe333b1a61338f2c

SHA512
47d10b66558c342ba45696b516635d7b7754fd1d9d44c12eb91130b06f3ecf61b9ad29ab41a3b0b6e06adf583fdccc4266506baa547313f805481d1ca1c622bb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0d96b62b1deb079017db32993704c72e

SHA1
03b8feca6f6c21b112cb20cc86cb32d180bae3d2

SHA256
beaa7047cbb732c5caa7dee782da5e1f8670d23e7e565fb28645a0f8b8445168

SHA512
423414a8f21dbe9230fdc82f7097f43e71f7de9be1f97927acd7a4d2c16972b627de9711c70c7d68ef3ed1f1044556de1cd43a1de4e21756f7b2fd8836a05a59

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
576de28dfc920a5a25002b340885b3f9

SHA1
35f66abdd18f39c150fb83f9332d895d93e719aa

SHA256
609a845b492008f44fda1c52b49c06444e9810eb67515440ce4c7d5a0897ba0d

SHA512
fa831c69f6875b4b3f5a7adaf72ae5056670054607726268db659c89d66d51a4cb9a3ee73ad7d8c15ce6e4d2a1bbd1c854153e62f1d26ec7a838c93f80eacafb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
0399010b615c221b7835014ed5227513

SHA1
7bda09b25695424e1574b6e6c0f598fa0aabc5ae

SHA256
9a5650c115318f2dd05b30f05ae5a8801bce795eb9e8e6854bd580820787ce52

SHA512
1d3a11213e8425c18d2cc94eee845443dd2aae010b1fe24f265599b4b2a1c44fe3087b4be6d5cb6df00f4cdbe0293e88e6feebb905a3bed2f5324460e06f6118

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
1df0305a0477bbb55c9348594f13bc5f

SHA1
0ed48259ba444127aa4b669b59607d212fa6a764

SHA256
4b0d883822a8b1d39264950385d2430aca84a1c2424b0c2af7925fc926210df0

SHA512
d1111051f29ef8ce33d7a805bca0f93acb46c8ef062289c294157b57f1237a0b2520979d396862e3651ef63a112557704d4b94165d8f990e153b8ab843c75bed

Download Submit
memory/920-73-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/920-13-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/920-19-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/920-12-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1044-238-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1044-232-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1044-237-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1044-225-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1108-90-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1108-25-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1108-32-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1108-26-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1244-241-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1244-250-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/1244-445-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1664-116-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1664-170-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1664-108-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2460-254-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2460-263-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2480-240-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2480-172-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2480-179-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2488-210-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2488-144-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2488-152-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2840-125-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2840-129-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2840-183-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2852-220-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2852-212-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2852-281-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3008-76-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3008-74-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/3008-82-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/3008-85-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/3008-87-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3388-277-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3388-269-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3448-191-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3448-253-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3448-262-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3448-185-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3548-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3548-223-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3548-165-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3844-43-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/3844-36-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/3844-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3844-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3844-46-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/3848-267-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3848-200-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3848-207-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3988-100-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3988-91-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3988-156-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3988-92-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4436-66-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4436-7-0x0000000003DB0000-0x0000000003E17000-memory.dmp

Filesize
412KB

Download
memory/4436-0-0x0000000003DB0000-0x0000000003E17000-memory.dmp

Filesize
412KB

Download
memory/4436-2-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4464-134-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4464-197-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4464-141-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/4480-290-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4480-283-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4852-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4852-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4852-67-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4852-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5068-50-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5068-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5068-57-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5068-123-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5144-303-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/5144-294-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5780-447-0x000001C532210000-0x000001C532220000-memory.dmp

Filesize
64KB

Download
memory/5780-446-0x000001C532200000-0x000001C532210000-memory.dmp

Filesize
64KB

Download