d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
Size

24.3MB
MD5

e4511fabdff65b9eab5d04f669b16857
SHA1

24b601609f05cf1f295afce2de83aa8660fe3dc7
SHA256

d3f26926044d6fbd5dc4060b7b37ffe712f36840d9b236bc51b073a687661147
SHA512

45eb4e51b63129f8428d719aa2dc9f7374a5be7755017a99629ef13800864f84895f162261bcfaa79c7ea4d4d0290f482e01681ee50a5ecd9afbe1d50905431f
SSDEEP

196608:nP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018F8d:nPboGX8a/jWWu3cI2D/cWcls1iq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4444	alg.exe
4960	DiagnosticsHub.StandardCollector.Service.exe
4540	fxssvc.exe
1020	elevation_service.exe
4968	elevation_service.exe
4796	maintenanceservice.exe
4776	msdtc.exe
4372	OSE.EXE
412	PerceptionSimulationService.exe
3948	perfhost.exe
5088	locator.exe
2188	SensorDataService.exe
1680	snmptrap.exe
4872	spectrum.exe
1260	ssh-agent.exe
864	TieringEngineService.exe
2992	AgentService.exe
4188	vds.exe
4064	vssvc.exe
3632	wbengine.exe
2156	WmiApSrv.exe
5072	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\76ba17887489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0C98199E-BC2E-4534-8EDF-DBB11EF8974F}\chrome_installer.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd72179f6699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f15d9c9d6699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c534b49d6699da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003771369f6699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9fa3f9f6699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca83499f6699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2d0769f6699da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe

pid	process
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4540	fxssvc.exe
Token: SeRestorePrivilege	864	TieringEngineService.exe
Token: SeManageVolumePrivilege	864	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2992	AgentService.exe
Token: SeBackupPrivilege	4064	vssvc.exe
Token: SeRestorePrivilege	4064	vssvc.exe
Token: SeAuditPrivilege	4064	vssvc.exe
Token: SeBackupPrivilege	3632	wbengine.exe
Token: SeRestorePrivilege	3632	wbengine.exe
Token: SeSecurityPrivilege	3632	wbengine.exe
Token: 33	5072	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeDebugPrivilege	3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3192	2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4444	alg.exe
Token: SeDebugPrivilege	4444	alg.exe
Token: SeDebugPrivilege	4444	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 5072 wrote to memory of 4684	5072	SearchIndexer.exe	SearchProtocolHost.exe
PID 5072 wrote to memory of 4684	5072	SearchIndexer.exe	SearchProtocolHost.exe
PID 5072 wrote to memory of 3104	5072	SearchIndexer.exe	SearchFilterHost.exe
PID 5072 wrote to memory of 3104	5072	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_e4511fabdff65b9eab5d04f669b16857_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4144

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4968

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4796

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4776

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:412

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2188

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4872

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1064

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4684

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
57b2a9e18f620b261a94341acaeab388

SHA1
fc7eea8356d341f4dd752906e8b5df4b235842fd

SHA256
69e7d1ff8fa746a8e7aadc7bda84eb144a56460d8c59e304d0cb6a6509a6e281

SHA512
a707e8ba9ec15899eeaf551be3e00fd7ae6236b02f891b81c2d58f22076a52df8eb74bdb0ec2f1a13c726345a768364fe4791c0a124b009b2f2c3f47c947cf8b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
cf2d8a2aabdc4a4a5d3b3b8362a593d9

SHA1
55cfa558bb68aac08f8a4d659e49db7dec7e6343

SHA256
a0b36c7362027973ff7e47d987650776eda62d7908baf585fa41cbc33c24155a

SHA512
f25287687cba46991dbc3e3368c2d954496f403c2fcd09bc5a31391d0df6152d630c200c4874357300a33ef430b8ab8d647c831cd35266030d7d666741dc5fb4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
1526552bacd7970d0c5c71729aca53d1

SHA1
6a4095844a409ef25eb503a44b37ce25bf29824b

SHA256
019f07c207f9d4d3519b93f0411d388d3cc9fc0b7bfaa762295c219e7ee4180c

SHA512
87739d3be4a304b0b1c23b271a0709fe23bd703edc6ab0cacae95b1ba7f1047990b65715c64451718effb53eee3a7919bf39390e16025f35f64dbbc3166e0067

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
910f534120fd2907b0d61d3f7c332532

SHA1
c3f0750ad213ad34e907c97a7954f7ca460db4c5

SHA256
e059fc202250f6fc839092497987c2284b1d57ab31e015342451f923c622ecd9

SHA512
cb9b8586a04a9102eb6338f4beba0e2a719c8548aceb79824bb851ad607777ccc13d2366a9e56162483141c1e3ba8d6051176c9043f4a74a394c1f7bc54918a4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
871ea3b9c6d14513b57ac94a77f6660c

SHA1
4d2d375a930a85bea6c66cd26a97222afefcb92d

SHA256
f6b021f63dde7e895cf7fc4c0ccd6e8f6da8465bc64bb0fb0da848784e9f9592

SHA512
aaecbe8c74c6bf4a610b51f3d4b924631f5d1724b3a5ff6d79f7b21200b1b69c9e12f241b145345ca8baf623751542990f0014ffb238dc8bdb596470ed41e088

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
11f9041aca60077957e1c855f4ef01ac

SHA1
42b5324bc7db1b65965885358afc7233b13be965

SHA256
45098cbe83958714fa0fc613a55728aa0b090cf9ee4c04f2c930695871805332

SHA512
65155f5a484fa75dcbe96aa455e808ee9475324805f4c4d5d4e188991d20c61cbe9517d14446ea32a709acea57c3768b4be4eb055b8ab42184d4c837888ab64b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
119eacedb05859955a2288f2b7040349

SHA1
33375903be41ccd6b44039539b6ac3b3284943c4

SHA256
79f1b1e02b9bf8fc73130346d3b47605694d49f99df1decac69c91a56bd41dfa

SHA512
08540a8311d2414725cc15b7d0a56a66e6fbc46c9f376db26353da113d5b36b1336e32ece727b59c152b4a4ecd85f2cd452d552891f1bb0cf468dbd8dc968239

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
03e3197fde11f3fdef3ead6251dc9549

SHA1
23f9c760cbdf62b7183be936802f5772ec0265d9

SHA256
4d2ffeb5431a0684f29e82999fce5f8d209a79059e2194d61be99151666ce4e2

SHA512
4ffdd6d2edab578e258b95456b1d1b08ee5307e0dbb4bad68ed843f1b236032f2c9f48e4665e8c9949a960e84e13ccfe87e3b0a790eae766e2c8257af5411e7e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
bfb0b22dbe1b77eca82881d11c8815d4

SHA1
1005f2ac11aff6c517d8c28683fbe65199b82fd5

SHA256
8e5cf9c9c33aa7965cf1cc8f87e4047768aa1205152347ff2027356c1c5951ea

SHA512
c3937135b7efb7552cb7535f1d1c0719a720c088ba0e9784b8e73ef7881a65e49df7bd2b6f6717da23caa2679118ce7c5285869e789eab085eb288f3dafd3492

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
953644eb5ace2c73fb94448d4de1840e

SHA1
6d2407ba95af06272b6a6e202b59dab9c2196c93

SHA256
b186f0cd4f9c8ff0cbadcb1f36ec6cc0be10ee8d36d86d85ab278c7dd43972d4

SHA512
e057f9fde734040d01c1f32f123bc0786a4106aa821a9256d9dffb4fcd3187b47b8e48879894b57bb916419f074c016ee3c4aa73635154b90fcccc5085b9f359

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0f0cebc63f161cf6f56269bc9f7546e5

SHA1
268a0385ba5803faf44a8f0dbdd085f959e99a3e

SHA256
3add46ebe0f43ac5d0ae97a312d0a77091669ed9919bbf8aad936b4c2bc0d5f4

SHA512
47d35c8860a4f0f576a7f1b7e346e9484e7881da7aa395bc6673eb809afaea1c89a06bf1f7161886f0af734973e99dfad01cc2be4915db0fc9e3c4e2b2df345b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8d2385b2b0e7d92217b12f93f5251bc5

SHA1
945aaf2023dcf1545c8a26f172bfefa86268a5a6

SHA256
972d0a3bafbfc589b7c0d89aa13629b3000461f0f643e0e81153a2e2e1b3d5f4

SHA512
c49f27ffb02e2bf2edd4d60043608387844d84db3a60a122fd1171c56555fb2c4488fdef77783b573e9bae75514772924b4b046451f368b357fa3b49fc58a3bb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
06b6f9d6044e58573e9d538a0a0eaeb4

SHA1
7afe7e14f82df0d802d16275c8d0bc02bdb5e15c

SHA256
cafc0e8212f5e173ea06c6c628dd73b5b810303392b07d0003cfdcc759a3b2f8

SHA512
079fd958b7282207d22b60f0ba297ef83971d2dba69275fa31c9420537b1fe8405a0953d0ffb3f348c3afa1981e49114c5b5d9eb7a6c44db965ddaf1c877bb14

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
4097e4c18f720142c0b97bb6bff342da

SHA1
e550a8dcdf2452459f866a36c24546e64c23fc92

SHA256
e791e9a75a1c4b955ba533aa87aa34224ee1100bba587da1e293a3eb8ce10a3b

SHA512
aa6b51e59803649e9ed23dbd8160dbfd177f74bcd5a13ef5da7bcb3791595f6d575a172567544bd22b6cf059ea5f23f830697b7f7e957008e725ee368e8f24cf

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
42bd52bd3dade4254210f33d12f2ff93

SHA1
feebdc0134f56b25bcf965028edde2484fef5d51

SHA256
d453b9a1829ed5a892c53cb2fa35245bc15f2720d4a607d8ccb3ee72e290967f

SHA512
712d1aba47726c79fa15ca0e566ad3228119e3d99cb2abd0d8e14d35176bfdcf43b558d729de651a528d511da8040a3290fee36037273bf5722a3353b101e364

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
5ec2281580311f1a830aa21a400263dc

SHA1
149e3fbb890e1b4c0412ecdee18abb44c0e5e8bd

SHA256
67aff68789c728d00ef8a223c8e9d2d00111591e8eb448c41ab8fba0c8a47a3d

SHA512
f9fc5497b230f502c55135a6978e2f898c688d41501afb9245884f47000009aa0a1445ac2735ffc813590107f74e5e9c4c3cdc1c46bcf6f0cca407735c52bbb5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
d6bc1dd0041f4266f53c062f7e8e05dc

SHA1
b348481d04290c4ad25c07da0e8cf3884f9b1e07

SHA256
3430dc8886874fd5673c43c80e358e46f79b75226d6d5d4c427ae48cf8082d29

SHA512
ae623c7d4ce3cf5dec81a3ffa735dccabdc35712478ad9458113eb872066336c7279c0a5f72585eb94050c31e1552ff72aba2caf63f6bc772d04e1605ba31ffa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
388f8832d62b10c51eda6997d6a9b755

SHA1
98a418bfed267de0c1b76e72ca096dcbbcffcf7f

SHA256
7973230147be8b7728463207d8c8a893d6fe7e9742e7ca0fe5d0a80d7351d85e

SHA512
55b27eb72a3bd219b0ca795d9fdd4cecdbd63cfd335ac954e3a722875399d8a959cf6966b1f871890ff638e1f2a1be0da8c76bb5bc84f388bf70c0936b65a5b5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
68f41ad70bd73ef37d7b44a1f31a12be

SHA1
5c986ba8bb2b8b5da0be273e1eeb5c1b453f6578

SHA256
9dfbcf6f326fa4f322a70136505b4f571378e5c8e2842757ff271ccb70867bda

SHA512
e4fee3ec4fa0dfaba86ca9ef54edb83c724fc29faeafb777d420853b629c6e586f0eb4d25c4ad4b0dcf8db083b4cedd92eceb322268370ddad109bb9bdddc47b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
9f2eb0f3ea95a206880d34d9a50b7fc5

SHA1
40c6797571f92a24fd0444429a58a037dcf5c3a6

SHA256
8ee447b4e2b467c82fa933e82e1594abb03ae1aeb5c1dfa71bb63d637308cf26

SHA512
c2acc91c9027410e7339f881612967f0d69fd0598438e8721de289b979cad35daf65defbcd7e45efa189e88a1b5b97394392c1b1be021223d26a13e433528394

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
35cdc13561b2cb18c153ac04e6e44965

SHA1
f72e7ce1203ee4ff446fde757c39a60097bed7b6

SHA256
ac684bd0e6017aa49f934d6c28280c9242f1edb088ab1d379bb2c98ee2b7de7b

SHA512
aca59594473b21a987acbb02ac1272504c6e95963c0c95b522bb73ac72fd092f2d6f36b29985f7753bee799cc68d9606672b5d923b4e3c7f8500aaca80a047ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0bfca1e115830ecac427b0d4c79d17a7

SHA1
833d629dc9d7d920797be5847cc0727a1e7f92e9

SHA256
1b83584b28a6685edb9c96f87882273727aa04bdd65b301d824155327cbf33e1

SHA512
d857a734e0b5769675c3b0f550d32f020605d26573c57cae47bb74021e6691ff7fdb14ebd1a6c6679c85700bc4a7c94a3d421e6910b3123b5d0dee0a2482b744

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
6e42822d314657b81910a54e8b97217b

SHA1
3be25796a8a8ceb3b3ee2200212986391f21d177

SHA256
988bd883d945b48d3f5999253321eb6c2bb2fddc0ad5bd799142fb82df93bd9a

SHA512
89e3ad383c12a9b592a66d38cada06f23428f3e25f697e68df07484e63452f82ce52ea88f019e412814698f0ddeaade6e6c7950066ee69b3a640656683305602

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0643880ebee9e1714037198fbaa9f2da

SHA1
290a18266713ade3a3ea7a86e720c75c066579a3

SHA256
e0ca9db5e67cc08f65de313293193eab6dfc75b75171ad14fdb5e77e1d6b4c16

SHA512
ec0186817319304cd32b13720b79928586fac86c32c7f3f840811be13afa90450ac3333d4217bc09a255fb744e8e3015acb28ba9a8970364e67920a6a3f3efe4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
bda378a78b0a17e5b4e05ac31657bcf1

SHA1
3e757ec13852decba5e4b8f37918fecfc89e585a

SHA256
3e4bdb55ecce5875f1ce0989a02a8530f39e89b13c9a6573aeb30ca56d24d68c

SHA512
7af7e37c4c462727ec1cfada0d9e1f48ad5608bdbc038fa801de834f143bf1a956a0ad5ef0151db5edab6ab4d7b37d054cb40c06c33044be7b66008b3a58ca91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d96b60d81cb8baa3603930b29ff9aa0e

SHA1
e7ae891bffb0f193be916e2a9924de9bfc8d8503

SHA256
261dc9de64be2ee4e098d786fb33f912d8ac20872cc3ea7b74e108854e80e962

SHA512
331264b21fd7d022332fc09c93dfdd68002f1a218d1c462a100041946cff3cff2f091a40887437ce753b01f8947096f11742c5d582d2e5acd23352e15b4f49c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
c581f814ab4365780f07520fa33ca63e

SHA1
42fda36144a621ea2e0bc821fb2f0a0840cf5b07

SHA256
c1bd9761b2fe93bb87cec874373de887be31f504c7d86daeeaeb34aba6ee0a47

SHA512
0589d2b7505c64f6bc3e59ec4e108cc56a86715c061a01683fbe9d720cd1ca4c575ed038b490f8d03578d9e4100718a1b46ac0df1820694288d8bc4fce8d846f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
26acad752f6f73b7b76b7f2c3a85a1ca

SHA1
65bda38e96fdf01c1e0768f11180fed74f339a5f

SHA256
c58fafcc950c14e62d7c94826e478b42f7106321cd97ea8b1bfe434186c43ade

SHA512
4ebc1a272428331ab1f509e7d150977bead6b25d631e30d824da66b5c0a8c6a361f2dac28617a0e57d41b814ccd67a9c8a658030b71a49cef687f13bf12b6079

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
803ecd16245abfc2a977051b40a7d0a3

SHA1
b53be895f3ef1f57949788c4a85661451b180058

SHA256
d7df121149e87a05b2b2e91b79aa5040646205c98ec9dc324edc1f3ee6099b0d

SHA512
222b6ab86fbc797affd14818250911213b9703fb75e188c6e2a5ece9761506106b648069204e15e6f33427ada29945bfbcd1f3b4e0ff24650dafd6483e242973

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
34ec45836e5b5bdcc62ca2948a39ef1c

SHA1
c14ddd6d95a15934bd512fdbfe4ae11275b3d4ed

SHA256
48998669dbdfcdbdce83838e8a14ef0e0813c7dc5d2de283c1a8694a4351638a

SHA512
cb4720a99b71004c558d3b998bb87ef5d71044e33ede19b72401e5fd12ea0ffaf758c4edf0dc61c40f5d8a1e1d7b6d764ecdd84ed5a9a456497997f9f2f94628

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
3b19495f918f83ff27e0de9b91c98955

SHA1
26de32fd61e54e12436025dcf26431b0638b06d3

SHA256
26f64bd8d426314b14cde1b3a2c5edc4fb4768f9331cfa4c7eacfd12efeaf670

SHA512
a1e35312303bbb8c41ea29464d0429e42312e2e9bd3fb6975e18a065455f092cb722e9cc4d1955cfaeb74cb45c2b24dde231fb46ee190f6b902b23b78a9e650d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
186f45447d30918a7996f50701636fa6

SHA1
97ff67f6311fd0b1433a9a7ce0630b79b2dddfd5

SHA256
18460f6e3fd6598f08685be78cc7543a22fbf1a45e0d54786193a3a06ed271a9

SHA512
d418a1d322c492cf4328c090d1cdf840aad840c1f01fefe50202ac64cfb8370f9c7859fdebf5aa583d9dc4069401fb4f1de10fe22cf8e1d48d4fe3b8b2b41428

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a1b2fc5d1bd3281f4d8778eb885f3be8

SHA1
9ee4e041e373afb5cd02264546d1649c23b16e3d

SHA256
b4d92f61baaf753b040f1268be5ea8dac5529d8ddd3267e942aaa95071129049

SHA512
4976fe906c361687264d17e14e719edd65982095be286a9dee5029fc896daf2f9e4defac4a6ea5d34aa120609fc014bf0c3fb330edefa36beb710ce2fd6e80ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
6d39718b046ea44d82f4ea9959b4213f

SHA1
91e0c4dc5a40945a1f4a513662d0cbcc225b3509

SHA256
4152399fc33fce3296f8c238e7a67be10553c8b9b62805288fdbf3865169737c

SHA512
1b2552e95dfea98b012cdf49fc29c472ceda4a1247ef2e72b5d6edd1ad3e1168fb5f48d790e69870bed736e1ce0200bceaea5e81c56e7cd3fb3afd63066370db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
199c8e4fccd54d65a2ec0d4a2efa7e9b

SHA1
a0292017c87606ae4487cd204dc0c4528161ffd9

SHA256
4249f26020e6e63781d661465192d6130dbde8b71c927d07a621c8a635d39967

SHA512
7f35b08b2196e75ae710a31625c70b90c5cd6e7deeebb9bb9e3573dd0b386a5ce9ea9bcb2bd76bb29c0358403b6442ad301cf10be4a5cb5ddb74f6a3fff4f271

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1993421920f49ddacae1b303692be9b9

SHA1
3b4a1f6a9b27bd206bf5552dc781431a53dd1992

SHA256
205f111f8fbf7f437cebdb3889957ca5f74306b620c732f14f6e00def2993d04

SHA512
167ad0e23dea407dcedba53454553eb72179b6c46e7f3c08505806768f2dce9ecc9e4fe8a78ca3574c67160abed69c1d73c02d363ba653c92bd71e709c7dbfa8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
0b2a04dd9672837484ae54d624dbbde3

SHA1
546e196d832d367ff8fe077fe0bbae4934298661

SHA256
a60a1be5e5eabf0df5fb70fabf376b6ae583315c6732171f5ca67103e25fc874

SHA512
1188bbe516a0d2f1cb6228b855d3c057a2ab766801e11cb947cd20832436cc5d781dea33405651385e6ef51a29fb04f6fc73d662aa3bad50038a99a47265f969

Download Submit
C:\Users\Admin\.node_repl_history

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0662878809b76ae6eef75f3688596218

SHA1
3d0a680049d0baa93e9c2fbefda4c697398d1ef5

SHA256
f68d8a3262635c3f71f00a83f1febb43e3fc0db1ce8befb24d78da3a57871c75

SHA512
c8709d95b95b0505731798ed4b5abf5aca3fdb67869b47e3c33c7bf8e63380cc411f701aebd3146fa9094fe2b1b96374442695f8fe90d90d21bf753af8ce85a8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7c1e555e4877cb4b1ac1b551fe682078

SHA1
0a8a4d77a56970cc3ad101c09c9e8ba55f283153

SHA256
111cb0f7bf71e1bc8b282799ae53ee2cc3f9ddd2f6e8072beeac762846f9ef0f

SHA512
36bb971c9a3e90be34c3998c8214f31e4032a42c734d8c8ff8e68b4ba928f4963f5939b79722d37df4a53c39426872fc2b89fb9934b59108db9763fd479b5bf1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fb0440a6b404c5f67466d805c4df11d4

SHA1
1c91824f9e2a0cf2e8ad36344e20a5ab9b9c2a55

SHA256
2e738a48270c0ae4f5cc0481b5dfd22d3db859e18a7d7984af699312dff8d03e

SHA512
04b78749e679ace121c7811a919fe4df5b7dddc1fb4dc21e6099dc8a7816480b018f274718fb5487b8c5b6ea9dafdd102728265d77adaa6c9ef50f965988ee27

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b9f895dd8b7d711a52a3630c5e68668a

SHA1
4205ab6874fc15634d788f8ffda6aa36c9e6ee48

SHA256
ed5326a665802207ab985481e10a9d0af353b1711e5b6bfc69ee08b26111d551

SHA512
b841ce10070e3d340a828076281fc28c27e39a0195c1305d701e067e9baaf5def1d92b098bea91fb3ed30fe58407d4aa88b3be5571472396b5f9a88918e694d3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
fdf49a197cd0260b221505ac38f06acf

SHA1
63c69770bfd3c6c112117e921381700f3cd90d11

SHA256
aa717f8900a75af18590a4e0d16a05a5b84987ca360e416659107495dd3f645e

SHA512
6a078e5c2e6f5d353a721e3ab264baf9fda1c57d1c3e4b422e239ac73c134e36681531342fa655cc8ce231bc72564f2067eb80b7fd873c89b74d35ba06ea62db

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
10136c57943a72a86b872ad39f865bc2

SHA1
8c77c3235001e288ce2bc2c2b3113bf421497ab1

SHA256
90d3e21fa1be008951fb7698d4204fd0c3fa747c0e1e7a807bf90b1de01cba80

SHA512
abe27b60648c8aa160d95538e9e988d03055c4405bae3b58954b3c29b403c435a2b72526f7b374ad5242acd53ed3c22ca14a186cfaac0200e6dfb6cbe0b97f3f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
58525d3c02489ae6bcd71323821e6978

SHA1
eeb157963191029220160b79d2a7721e95eb7b36

SHA256
b327aded11d685ba479d5f12a29b306da00e55037f4185e3913bb4feeefe4c78

SHA512
c913b27d6c6c82148699590a19523433234a2b8db580c9adb9592cbbdc23bb7693f28673442d625d550e69a0f2c07c1d545d2df203e2c51a53f2c36f842d17a9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6e1b03c2e5853418777a6fbaa7a176cc

SHA1
0ed625dd99bad8d51f2d0e08fdb23935281b1557

SHA256
62ab35d3689e280b6a222dde861d3232f4331f3c0bc971727ce2c2147be69ceb

SHA512
9bc35da433a760060797b22d487950cb0efd176a368ef9169c67d77d24090478c21f909ddd7e75b28de32229dfbc86bb66c813585744dc994f7b07efef50f6d2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
96e8bf0d4e7e60525c88f7d354c7bf63

SHA1
6bcbc34db92f9f95af096136a786a8671fda9a29

SHA256
7d00620d1f8e1344fc76765e96f950bdcb948e9c03a0fc7d51d4cc24ace053b7

SHA512
57d1af3b71f3483459d7b3f39f3b1e636f0c46ee769560bf1647535baef71a76a6d2a3510757850c5fe88430fa1d787cf9ff6ffadce9b15655b4c8695a9dfada

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
97a677dbb99410c092cb36da10799a83

SHA1
0410aa543b7ccdc1d509638e4c9d68d930dc4c11

SHA256
fa897e78ad42574a460bc39c2311fc4d788c023370456e645ee442f16c3fe3ff

SHA512
b4ff529b08f2fd66cd92fa52a57f6e2757f67491556a384e657cabd1ce67726f4c3b0598aad0331ff3a92d4e72718c919a82f0b72eea69dc7c7b0a2efcaa8abd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ceab9f30392726baf35ee5ef59feec0f

SHA1
e5faa492541913242d52b89127f2dc2c033508ad

SHA256
a3bccf0b0505e681e6dcb88702092ae0fd52bb7968c952725f16f7ca93ecddd2

SHA512
46a96f65ca488bf442e1f312361ecd5acd3bc98eeeb84e5113b4ec5488d9cf9a95b3d049fa44da334128ef30e7676d45b3757a2caabf685b492527f1c45e5f18

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
89dc82d2d9a8f0944bb895cbe2efc14d

SHA1
af45533e22960d20c32d37e6656c7c029e54ef17

SHA256
402d1dafe01fd2ba27c6114c3465b9d738a799f6701fdd690b9bc8d4130aa737

SHA512
030425862663ba6ece4eab6e27f3ef7c4f352525b2bb065ad057780f3dcf462748f7fd00fbc11cde553d85e31eb5f9ffddf5347232426ef410047d531c462578

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ff3d57e6ed549e8a25b2ab816021371f

SHA1
aaac77e776a707921056f356d54ba0849d3e0e9d

SHA256
4010ddd9d41eee99d73817bbba426d1667e36614ece163bf0583fdc24d131a20

SHA512
a8ed794777fbc98feb8719182e7924e4c881f9d82610638398f6b2764a2d1312e66075efc24e67644e8f96ac9c4eed2637bba0b068f3490ead398f23eebdde38

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
dd3d70b6d774d0f5fded201665861e01

SHA1
38508e937036c27e496cf9221cc6362ce9d8f678

SHA256
2c48beda0aef67fd17afbbb1f1bf3fbe9f0415fda7017856f7fbbe40e3a5cb5f

SHA512
7c9790699f6ddb8df9c30fac804129757811f4b4181e3fc8faed1acbd3e792f2c5ad9e0e0a5e59c1cece481e168eaeb1a23e5f6bf852aa505eb1d5eb0b5bc249

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8051ecab116b9ca35fe9a02247d84df7

SHA1
d72f142999726ad3eb3c220cc3bec5a4f5814425

SHA256
a79891d30610a30f593139cfebf8f1bb04f31829001151e0d946e45ec35c82d1

SHA512
8e1216fd5893a964bf9c8b787f36847c73712c4ec1c75d6861eb5265882adee565577502d42f7c280330b50394c16caae288e954e47dbc1a925592bf487cb441

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e1dbe3f3fdfd727b0771978b8533cffa

SHA1
f2db2f764030ee851fee128905390fb8f294ec94

SHA256
edd4f457e7546bf96e693cbfeba5deddb5b6bb8a28d17dbae599156659a57772

SHA512
7b37704d40ba4373b6b1c7d4d65117051b1c647d749606f761566f14501dd7c58ac55de451bee90f1e15551215556a7b1b6ac27e42b8987acc68c71ecc4c113c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
cd81f1fe9b0027c9790ad76613a5cfa6

SHA1
5b64dbc04d52f4645a2aa5133da5454285ab3c2b

SHA256
28dc84e0ec747d267f3043d743f96bc39507a132203094f8c85787b0b1f20880

SHA512
08f6d9ed69dba8ae63c3fe9eba591e600a6c64c9bf42e7e51f39545714bd8cf1f31584df399f17886fd4460408ad7e968e66ef24728632502b660341cfaccd9d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3fbea2ae54df7b28aca8321786d80916

SHA1
af65c13badacd9aca1cc8b17a46a28e590eaf984

SHA256
16ed6ce89edca02afee8aaaf65f040ccbccba7ce4e401b0641e47fafb2d4da67

SHA512
df8798e4de6342aa2a49afce2c11eae31a496352591983d3f23cd300f3e8097c7adf912409f76f646be325bcd89e4522f7348327a9ccc2cd5017d4ccc9de25fb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
70e7f7ef4e12cf0756885802d3a90c46

SHA1
ac049eae3fd88d21ee0c0990f4f069f329d4e69f

SHA256
d9ad9ea8b06d090220a633fb04ae51ce884c466310b40da19c5b5f4e768048c6

SHA512
43e59005050bed786e83d40174062e0fd2733c51dddda6fc085b4ec2ac174af659fdfbdbfa83ff358928eee197cf5d933c58f6a2ac5fff80076ed10b1c5b50b6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
35ca4a3fa7f90a28fa3d3de8a760850e

SHA1
78ca64dbc0dd2cca77075b0d76f84c64d8239c88

SHA256
68392c052a8a253a4ea8dc3049a738283a62de9c94665f2b189e24f6d26307db

SHA512
b30d51d78fc1d3abff4d662cbffd25ded44397966cc63af6c59f37882a44a92b7a50a0b058af523171cb1e7cf42f21874cf1c15d8fb723626d2552efe0eee0ea

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e625dff3191d077fe1ada5120693f05e

SHA1
bf8d155a9f4b6cd159d925d4d66d8e8cc9d63155

SHA256
cfd5a6c10fcca4f72a88df0239c2a22b0132fa6d673572d44f60c0b0f7afd175

SHA512
45c396b58fc3e95c8cbb8443c00b9072c97661cb5d6a4131476085336d9557a41333bbc4c50445abeec7b1ff948401440443b1545dabfb1e843547c57d357430

Download Submit
memory/412-126-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/864-593-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/864-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1020-51-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1020-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1020-189-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1020-57-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1260-587-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1260-190-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1680-433-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1680-168-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2156-599-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2156-257-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2188-269-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2188-590-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2188-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2992-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2992-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3192-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3192-0-0x0000000002590000-0x00000000025F7000-memory.dmp

Filesize
412KB

Download
memory/3192-59-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3192-5-0x0000000002590000-0x00000000025F7000-memory.dmp

Filesize
412KB

Download
memory/3632-598-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3632-245-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3948-244-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3948-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4064-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4064-595-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4188-594-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4188-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4372-232-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4372-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4444-98-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4444-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4444-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4444-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4540-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4540-45-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/4540-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4540-36-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/4540-46-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/4776-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4796-97-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4796-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4796-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4796-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4796-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4872-470-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4872-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4960-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4960-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4960-31-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4968-63-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4968-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4968-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4968-195-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5072-600-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5072-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5088-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5088-256-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download