e9443bf5f02de4b8c96e043c3b02a9996867150fa8d50ac2fb208a4823f50dcc

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
Size

24.3MB
MD5

5417a8a94287a38d2c954eb899fd04fe
SHA1

32ee0dfd895f85fa29f0f5a4a4e22039eec99ec8
SHA256

e9443bf5f02de4b8c96e043c3b02a9996867150fa8d50ac2fb208a4823f50dcc
SHA512

b732d9d8ca0e6f6ede1bf39dc26c149c620a7311d219631edb40867edcc725cf332256bee124d0ec33bffafff78fa72ba3f3df38138a7dc28472b755f34754b0
SSDEEP

196608:AP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018gYjVqPdBz:APboGX8a/jWWu3cI2D/cWcls1/YhedB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4904	alg.exe
4424	DiagnosticsHub.StandardCollector.Service.exe
2924	fxssvc.exe
2180	elevation_service.exe
1480	elevation_service.exe
2632	maintenanceservice.exe
1996	msdtc.exe
884	OSE.EXE
4008	PerceptionSimulationService.exe
4776	perfhost.exe
2536	locator.exe
832	SensorDataService.exe
1216	snmptrap.exe
4980	spectrum.exe
2540	ssh-agent.exe
1260	TieringEngineService.exe
3916	AgentService.exe
372	vds.exe
2320	vssvc.exe
4792	wbengine.exe
5016	WmiApSrv.exe
4440	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\79b8845f234f82a5.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe

description	ioc	process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004984011c6899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036ace91b6899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d15b191c6899da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066ae13156899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c88a41b6899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044be64156899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b250a156899da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017f9161c6899da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe

pid	process
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	2924	fxssvc.exe
Token: SeRestorePrivilege	1260	TieringEngineService.exe
Token: SeManageVolumePrivilege	1260	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3916	AgentService.exe
Token: SeBackupPrivilege	2320	vssvc.exe
Token: SeRestorePrivilege	2320	vssvc.exe
Token: SeAuditPrivilege	2320	vssvc.exe
Token: SeBackupPrivilege	4792	wbengine.exe
Token: SeRestorePrivilege	4792	wbengine.exe
Token: SeSecurityPrivilege	4792	wbengine.exe
Token: 33	4440	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4440	SearchIndexer.exe
Token: SeDebugPrivilege	2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2488	2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4904	alg.exe
Token: SeDebugPrivilege	4904	alg.exe
Token: SeDebugPrivilege	4904	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4440 wrote to memory of 3300	4440	SearchIndexer.exe	SearchProtocolHost.exe
PID 4440 wrote to memory of 3300	4440	SearchIndexer.exe	SearchProtocolHost.exe
PID 4440 wrote to memory of 1220	4440	SearchIndexer.exe	SearchFilterHost.exe
PID 4440 wrote to memory of 1220	4440	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_5417a8a94287a38d2c954eb899fd04fe_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4824

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2180

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1480

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1996

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:884

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4008

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:832

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4980

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3028

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3300

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4eb0f5b15405d8543238626db32ce130

SHA1
4b0cd1475f5cd517a7e6050954bacf1271c98169

SHA256
c916b0c51d9253436371d4d19ee8f766e10aff2926281a1d1bd6284b93e42cf9

SHA512
988f71c6aad0146a09ad14e2c4caca8cd685ae728b8c4a1498350ef2f15d6efc728d250d3f696d207f3e944954b6a0562e43d64f5281b3a072342a3431c34bdd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
8e9acff0f3b225d5b257feadf7289257

SHA1
df32cb0503d47c7e8b015659c453208f07a0ce7b

SHA256
01603929abe6f09e1d8dac598a464cb20a31cae72cc0ee78ccea546b58dfef5b

SHA512
e8984f9267f841e1d0e9d9bd4920713f1f98995cb903da674a80cce166ac693625a274d60a9eabb80abdb8f43f57eb88c45cdbf258147ee8af284118d21c3f40

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f8e07bd7a768d277d203060bc3c33c3c

SHA1
b7acd926b098df3c3d58a6719aff32625adfaa49

SHA256
bffce054c38fb7e12c2309bdb838606af3f5d54d8f5f177a0ea67b0447cdee6a

SHA512
b96aeacbc2d5776361f8808570d3d29bb6cfb09cf422fe42bbf5699a1aa1b503a46d70cbf198f16732246c8bea689b181fe1e5754e43ae71634d9ea7bba376f7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8c8f8a7cd8403e84d595a43c1d2a32e8

SHA1
27b157986a68867be20476c5577d21bffe015419

SHA256
56d1a7243df828cf4f65dfb429292eb2a267bbbefd0ab69cf5981f3bb6026687

SHA512
d639df3bd67dec5d32146843b428b58c8fbd6337d4640b881206f1c558f8327e9134a21d403506575a7e7ac49b2cf2d306195751c0ef573ebb2f46c8b91484d3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
464207ed91f97ce5b3d0d456266561c8

SHA1
7cad471ff0c20d7cd051ad86a23e8c74362ed9e0

SHA256
3bceaff2fc95bd0307d6395ef296874e1c7e08efaa124691094dd2c395bc52ec

SHA512
267d1f8c43367e5bccea9d2defde0a693d577248530966486758e4dd921c75c8f87633f91970f40d31e5461dadbee143fdc8a325a37767214522d92de18427b4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b76a0fc292338771ca85dc1265427652

SHA1
ca9361edd1593bacf92772689c3db2143835313a

SHA256
78851ce1b7d1b3aaa2cee7eb67fccec3e1919892cebcc827345d9382b778463c

SHA512
837ab89fa0c785dbd4c7fbdd1c0a474dd96f83a3b1cd6d2b5dc9421c6ce5554c3043d6f7d889b9620a8e11180e019d3708eadc06a8749d2ca48e5a015f29520f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
29c21ea8784eebf991a2817820257161

SHA1
3f48d70e44c921b4412b09018062e931fc58a30a

SHA256
b785c6bc4637879fddfb028e687357afd891f9c70af003e339cd07bd2c3852a1

SHA512
e4bfaee597245f7ac404285f08d06f1b08efc6f3315145390c96b388f840368cd095d471a8b84b3584f0998e44ece59573892cf9092f793365e639a5547c6159

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8a0eca467af058c3b4d2d46bda6c1a73

SHA1
0f697f27926f1abcd3fc750d7ee4c5d8cfb8e9b3

SHA256
8f7bf6570d8f619867bbf47405b480bd2fee18cbf285f251528c5b44a94ad374

SHA512
c45e4b01fea7eca87dd9ec063cdf2ce630a7e965f7ae30dc6c0502c79fec4c4cc563d9d6b13c1768b2a4b99cca16ce510d4251a41552531ba3841b802b4184e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
1e55b1e92967472ebca1e8f1a764feb1

SHA1
a1e21ef0371fe5a66592a9892ed4d721fc1752e9

SHA256
a1e1a716b610bd871a63d3fbffa7f3f03c7032998ee33cf931753e9f370265a6

SHA512
def6520f4e8a1b62415d063544dbeb18f104cf58abf95f5535657c97aba4705fd22854a0cfa5dfbae8848b6178c88cb4c6ef6b1203a56035b6008c72f38ec7ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3ca9e6bb8918676d4eaafb3d41b6b5ff

SHA1
b276acce559dd1c6ff673bad99d3c3fe89698273

SHA256
4b03e1dfd093f3f791a6a1447c59f1ac616c86ff679230d848f2d0cc6dc0b548

SHA512
9322d0977d66cd9fcb815baaedda747655d9ca1122e4611ae58e6290339606b57a0b869171f64c956f6d5160115de3b6c1947cf7967c3b6328e430733f49d516

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
80a2df778549710f0a94206923c1f96c

SHA1
9c59f3c0531cd3c85d166620db1d6bfb278c04da

SHA256
9af29cc0d9aba46d8f621cf4b3e6415bcf7252512c471e13b01dc5d8f3a8b89a

SHA512
2c9a2f88deb1266064ddac5f8f69ff8945cef064e252997d2aadeba3039ff240e585019f4aeeb0c01e3d955c6d6e61930d722f30c3463b423fe8c70de2c9aa50

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
308b39262b32c4abae8c3c6437e149f3

SHA1
4c3c9add62d5d56466bd80799153a6416e127ea2

SHA256
6fcb5aa5ca4a2ba543134ed9f0da1f3fd2227ee1b5defde9bc843445d0301cb8

SHA512
bf16a011051f4ddd627611c2790a6541be589daf3033e2b761cbc5593b46af7288a970b487b4332a4cfd997f9477dc8af9c6671078a94f73781742a1698dc4fd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1f3a06907d4e0a9495c1e9a13261e5e7

SHA1
f5873812cda2f81c29efc62aa7d82e18d9d9187f

SHA256
d753eaea7331288ace8aa9eeb997223e6e5c3b89d7183516831d47a55feeef6f

SHA512
765cc1308faf9a589013253fda10edaed39b513418a39e03400ca888b558f14d78e19a6778f5bbd3f54e763e5c4269490e226e2e81d0e669c77a9578d1a82565

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
62e16c4141efbb96b4357e17757e1514

SHA1
2d7720515b7f127d179f5306bef6b66cf7f63acc

SHA256
02c5405530534aecd7056346477af754e73d04189b3a057c5c49b723b8e212d5

SHA512
fbddab70f2221da9402fee7ed1b0b61d877c817bea2613d6587d6b1c58fddda65875acc58f4f25546a6c3b194e93203640e67b6bd05e284e9366362d2a595547

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
bf11d4e259812e3fa7c90c540e5a0e5b

SHA1
3a93eebbf8b07b9d4867ea1db47df84399f781c9

SHA256
a78d443454e4b6b34922e508c9340fb652e4487749dca8dc2c5c5853b9ccbefb

SHA512
7cd17870242930abb310d15702f21cdfc4d6fcc88ebe254d73a1dfcc5ab2bd6bf381951a81d335dfd73dd8b3514fed68f04708aff6a6d9a330b8eeb3e60af89d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
0834ce6e8be92ff13580ee3f11da568b

SHA1
6bfcf0df2be8275cd6f7d95a2ff196caef1db307

SHA256
2f8c028de09c2b5d1bf1a9875fd0614ce19c089eb015e12d418a30dbbd147ef6

SHA512
8a9ccd6c9f668bd81477db1a5948af16326d66cd8f7bc16975c84b0735fb1704452b6b695835a1ed6c92226c2245d8beb8aad1c941690cd85e704c6a1a712a80

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
fbd140ac7cbaf0ad61dbd511eb1de2b3

SHA1
b36d0f83fe5fe8c56d4f80e4f50771dd4f202317

SHA256
7029c974476555f67a4bcf6bf4fa9ff8b54dfbf18b5a029589638e35c2064dc3

SHA512
9d35453dfb20478d841550f3f7db6601b66ff80fad7c2a2e74b90754c515285752e2239a9cb3595d72816ba889ccef6291fa544f6b8630beadd7b12852e87f87

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
38002f1d2e156447bf2b3820926134bf

SHA1
3e256a97112de2feb4caf005cc08faace179c640

SHA256
65541a8dd35caf9769b33111365362fb9c9fc615145eeaee3ea821b83ae81076

SHA512
b9574f62fb6aadf76e88b98b39f0fb7415edf05761ef7017b4481a476bfca213bf82809598e233153054c614251b8aa319c1a3c9825bc2b47d600b483ade2b61

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
a6a9addced43afe005a14ad67c52dac7

SHA1
2b530ac29ef13a16b0a8432f57305df85a451449

SHA256
2721cef8643728ebdeacfd0e15e051808ada99c5832609f590cc31a794264455

SHA512
0566718aac79bd548c48337eb9d13de979a980b5e465fd51e37e5de91d9234597f84c6202279db615647696f6865f432261aee2fbdc654b70ecd2f0f7f4fcdb5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
8fe72b7a6b70ff7dabc9b230a969eb37

SHA1
a74cd1f5e3c233db3f86e660868f33e0e649c9ad

SHA256
c123bd4a1b86a153b7f739dec58c517242687986dbaee19113540eff5e0cdc35

SHA512
950995eb6096eaed6ff7534d3679c4a7322e604a8281f4ef4318ca82aa8b28e8bf53f471061d6af7f8bc614bef5df84011c06387583776694ac8d46127d52e48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
0c3f3ba5ee451af8ec1b130f9062327e

SHA1
2dbe91b57cf6f764748b2d9102da54aa64c2bcfa

SHA256
8a8ca3e2c64701d18af84ea3c5263d110956c88117722f14506fa31137cdda81

SHA512
301e6a04a48a5c651fa6f9d243a44eb4c16cbe451c5bfb201f07d8aa23735a1690556b9da6fad807944fe939293a4392de2ac4ca80f04fc6452dca41d7f4a043

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
5620426ac6f8f7f4815d3cbf06208072

SHA1
c6e3de875f024c86a863f20da141a8f8dc01a3ef

SHA256
1fcf0a346a4c39802314b3bb08e20038d125d038f0c87fe2f5b628b9525cdff4

SHA512
4205d251b2740e65010152ff0224f42a848706b17b34e8bf43420e9bdbb3f4ff0546f3f34203615b3a10e844e608af220698ea334cf83b2fff40f3c0932872b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
36a532e320281127658038f608350259

SHA1
18e5e4e025d8f7d033ca004be00234c7aa17a0ba

SHA256
9e15f93bc67be73d23ed61b8adf0aa1626d79b905e34c6c961165f486df81ba8

SHA512
00ed969591f29beddfd93813700dadb6af899218f610d5f2a106fce1cc71abd814630ceac2f2719c2a1d3e6f1c42d60a08ca802c84c92b7de00094a987ce1438

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f726d95e8b4854557affd4e4375dc73d

SHA1
9df969df400b573b8ac01fcbb1e385ae07b0a442

SHA256
c67e95b7daa5375a46e98bfa3b8416b7b6f3d615afa8cf5b9c2c5f2a7ac40eb9

SHA512
bb7eaab00d9b6959eb64b434b843b8b53a16d3d0b02e33f22f4f9e3ec63a40db69b2c29de03c7d16703e188235115a9849e5ea99e638520b7c530e2d49799c1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
cf95d21ff76c7a55e0d53b7d33cb7d6c

SHA1
1a1ceb262318b1ecbe2c35370cdb1b1c88fd7998

SHA256
7cd22101ec15b51adcbe87f01751980ebfc6b8f541fc0d2ced8f48a44936df32

SHA512
a631d40d1b5733a8669b5a1dacec5d6302385fa188937a94dbed90d2b04f9365a758edbbe6f9c9045c84eb38968dfe463ce4faf7c622dbe6f578c6ab0dc37098

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
7df3908b2f57893aba8c2a83ebe3058e

SHA1
172d86506162c7d12623a937e8f967a87a71f6bf

SHA256
e2069c15391fd333091e7edc8a46b36f1b3f649eb2140be5338df38d9efdedc7

SHA512
10662469e7b1441e266230e8c8f1ccbcd770ad727fe0aa9d3013d499cab59faad90453779aec677224df50bbca0d5601d45ecb881d0ee2a2d1a90cd32737b176

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
351dc72892d765c0d9da9aff7d58ed47

SHA1
45f4f45ff03b3b0440f90e8d27af3341bd16d4fd

SHA256
8f25483a6342db0d6138d502980b2297d9f0aa20eb7ece8a4c175031771332ac

SHA512
e10a7637bb965256e7d4a0b9ca7694853903c3e7332121864f14738370ff760c2bd62fd7446598de28b8ef6fee0368759687c6c35ab7f129d6608c8c8f0ff808

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0bb1c1a9b7940b2a67664cae248d2e70

SHA1
81cd4b0418e74da3b8e9a2dd774904234f6dfdc7

SHA256
f7ffc7422a0ff588000a50cd849d433ce065427c22b44cfed74211bbe965adda

SHA512
812250de1c90e303862a623e5af32a8a5975a0bbea8ecbeb8b5d5dd4a2370ee293b983bcc16c763727fe7582b6b29a57c85fc8cd992af8c86119bc9c15d1ebcb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
4e9e2419ad806f7cbd83ed599f47138e

SHA1
e34a19346958b8cb6e09a08e386b93634b75506c

SHA256
1a64da00182aa209c66a2da3cb9bcc9e5fe98ba87574bc1887bcb2d26e0cddf3

SHA512
087d797b46d673c37a42d10451d266d8e0627bb89f02284e5601cf5ad91a7372ce78e5db5198d5e05e3b876c2d55e2880041b85a8dcc4063588d56a727843185

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
6fd89fe2e43e7c81acb80d8826a54818

SHA1
636e7c0477030ca7ba1a91e27e3acad93d7b35f6

SHA256
582c9788bbb6dca494b7e31bb98a8779525f7d2937d5f8d1581aa7400816147d

SHA512
9b4a735af9eb1c17e6abaf63e72c18b514ba976edfbe382df040c7bf0ac61d963fa097ffb320b196bd29a544f7bf691c310efa78765d08612d2bd8e0546ac217

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
3d8d33bbd79fa74d3ba315d7b6fc70f4

SHA1
50e82cd2f46e5fd1c0590e6f3f3b45db7dd39608

SHA256
fa52af5e72d884b01b900504ca7b08c44506c45339f6c3b3f173dea41e87d226

SHA512
a449a6f4edbab56b3e2565f06a3a4e7b51df4f7b577b5d68667befdea5c912346a50acffb9a41d6c76e4cdd9b369dfb799eacae0035b19bfbe09c307669a5aed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ef41ecb4549bf113b7e401a3f8bcdd00

SHA1
a8f8d4ea4877f75593d38bd012b85208559ebae4

SHA256
c56bd25fff56a0afb4f58af20fe893f3dac80805e4e0738d1dfd9a6a12f00d91

SHA512
6384d251d986cceb9b3a41a669a591b888d21c31beeca12a0c7df28dcc3be26770b634bc1d238fa7127b5c7b41d03f207a40fc54bcf19a06c6ccab1d21763f92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a58570d419f18a98c2a274d0e6ff79af

SHA1
86088a09c4424917dc9433ed9b4e69a8b684f42f

SHA256
a47d1435fa62a75fe395e08654b03dbac5949b38b18eece1a0116f308a5eed54

SHA512
c0aae306a43bbff2599f9d8f7b906d35b41ed87edb3eb16fb2a0c86d311406dd4eb7dade1685c65770d0fda230edd3dc458f81fa97a72980efbdd38721f6f2e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9b380cf956b3e5d3a542c5a688288562

SHA1
df89038ad59631d9b01732e63560da0843a120d0

SHA256
ca6e6bc001d7dee7d4f07a75ec201a4dd89d52f58068d947339d0cf91451aaad

SHA512
d2f2cbe66af0e6855bb5b08e2381b29aa7003555f68f4cf00bac38d2bdaf0478f5d8ea3f1ba0af93f922a048b23f2da44970b2cb45b1fb68944ff1faf87277d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
0805818aea4310354c4db880bb62b307

SHA1
ff50144df09c02141b0d36bf32c08cfee7c5be19

SHA256
cd6622a18b714b7a0a19c0f523684828369135582f97b622736b741c0550b17c

SHA512
df5b2f24b06603a451bd730dcb0d94278d0d1459d39310fc0439ef0c1e611b0b10fc63753a8407c573667b091f91ecb19accef44a354e308c26ebfb6dc33af76

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e8b454d095edac5bff6de5fa86f78a12

SHA1
1100ff6380c46ff0e37142af01944d77987a0849

SHA256
d371302f129d46d138df4cd14d43def8fe443b64238751f9223ef50a3541e350

SHA512
8e7826e9df6f2e6f46a95dd70215f71b59c281054ea81cff42694b94a762b2422edb3b06203b50545fbc083c1d505c859383cb78684e09ac2b37024d74c1c1f3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
ba329a88c4c41c93517bfb941399abd1

SHA1
666f12cf730ff8ab97352a644f9a88c7c7e1fe92

SHA256
adc92c201187006e2c22849698eea160d091ff8f4dd04947896a84dcaf8b3e2b

SHA512
4ea949f201e98a5a793d661e14d5b0efdd6fc75a0383c2eb6d96ac0733c8651f3d140e41cc4b0ecc580e3bcb01b19e51b4e4b7e9ac5dcc808797360cb8f92d56

Download Submit
C:\Users\Admin\.node_repl_history

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
411df9d408fe0f5c852ead0f3a8a2f15

SHA1
e7624015150f1af7be720730ff82c1a173e0da1c

SHA256
6c8950e07e42622950b869dae0abeba9a651660ae1981d361f17204d54f10f48

SHA512
371d9230515291c3a57e2e9b3cf302dac9f085b65e05a478d6fa7a9beb752f928fa7de20c68c413ebab8bc132d58d6ac0c0ed9a51f323356d4005f5f41249327

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2462d16a23342215cf2fdd33e9124355

SHA1
f9641095c743ddf7956d9027980198219481e04c

SHA256
c651c03a567aae36de6b9c6eca2c87545ff029cb0a5a7dc6cfcdddb5b5861556

SHA512
39a0c9f1596f66dced115f07bf6be3f1251b3c8983c7c56a67c65c0c6efb571a52ddd7d89e7ea690b3f2d1bc7c149ec82f709848a79767c0efe9082b50e7a988

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3af08dd704ec687681084bb78630b5fa

SHA1
e0e61c7f055c932f1c528a098b6b4c14bcc01d14

SHA256
18f16dca3a6391aa925214e6825e4921e4200a0794efcb751f5145895417ffb5

SHA512
f18d2c23645000e34402969cadbfb1e200d0ee4d3dd8e37bfcf58fcddb427c32862ef48c0dcfb51b59705ff1985c63d933eeb1e93feabb6be3616c16ce0b2c31

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b77bfce47a283ec01f5115b532ec4785

SHA1
1d3232c6a7e8a23687bc3ea19d46af2dfe0e617f

SHA256
3fc4297ed833d33e94c9583ee8b69c6320d36de5cb44e9d171b0879ba6ce6d40

SHA512
43bda7704ecb4f43be578d1b6227af429d3e05a00a655593b9caa9181cb6b5108350a11f4fcedee3f5bf766852fc64f581d1ad41f319be55f0c0d7344c8619a3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a00800ace3982468993c2a726a29f502

SHA1
9ecb15586ac27195f722557f1fe9f2355d79979c

SHA256
94f4d6b0b08ee26bf4a5e633c45a9eb52bb1aa170d94eac181fe1f2dc82e13c0

SHA512
f1feb2e0b1c32bb33638657215f888be9557de693364ef6a3aa53eeed270fe5ff2c7f5d3ad297bb600e2e4517f5d728823f8bdfcb57a95bbb9b9b4120acec6eb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8c5884aa470ba34598a5226b845867a4

SHA1
c87695fa4e65d646d9b8466989d744d13f8f4a61

SHA256
6e06347e3c7bbf39c6404c78eb8cc7daa0734149902197cfdd4402ef232e2cd9

SHA512
f03ddc027580b311fa6acb597e1c3cfe70ebf09965b4609cb363f798fd2adc7c42a3ca69b963fc4a20e3383c42ab17ece36c967c4bb5675b026b3035243cc88c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e7af11752480da97835e6720a7330e35

SHA1
7bc93ff04db71fa8caa74986ded152286c5d29c6

SHA256
86666ba7e46d8fd321f85d1037bfc32d46a91ec62544561cff0d14cabe1990fe

SHA512
1a1b38d69088ae59f2637c74b7fb0c55dee0a884eef2724ee18f4c9d933797a8f3667aa358a6fc8769604e61a3c1571fe3afe198813041ae46c960c039aab8b5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
517f8e7c400e35822a37891b2a78e60c

SHA1
e466fae0fc99aca8588b910076c1a9335529dd2b

SHA256
7933d455034a247eca1b7e1807e9fc7fdea97b09a0716a70f220c232f7b403f3

SHA512
c9caf4798cb117ca35340c24283b167b2cbd84ab9e4c36f621a002fa2d3612537ef9edcaba6f98c93a41fd654605ad5f288e84fe667691c80ca4ef55641e4b44

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4c53aa033aae928660e7c0cdf29c3f1e

SHA1
12c66156745dbe8bfe725facc3bb79c4bf13b2e7

SHA256
6e2634758251bf84ec8b544e0006e699bd2b30018ab7f9e66b62b2a98225adb1

SHA512
34fffe0998865c0be4ddeeaba0d0e636ce653691821c18b81b730d8aacf6260df46156e4dde73578026f84a3454d79b87cff0482e925a79c8355a283a5f29197

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1cddc1eac4de0091804601db6889b19d

SHA1
7d2a9cf43cacc7f09ca74be157aa11b8a4bc3865

SHA256
6d7f3dfc672d35313f59e45c918a29845ee6e05494386e0db241cda9b0fae202

SHA512
ce077068e56380c2d991b3b2cf5fca7cf7c20bdcc9eac0a5f75785b03e927d8c48f67caa5566c7de65db6eda721aa8a78360289bc8e5fa9dcc1b9dd159c8a5d4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
8ac448b1a187bcac7edbb8d5143b39aa

SHA1
3ed67c960bd4a52d851c8f001d142522334fbd0d

SHA256
3c02358ff0bb0fbca3715a786dc8caa8e335b59bf7075affcd9807d40525990e

SHA512
e417093540ef774dff0a42a0db25105fff78137c8d71b8e9e1da3cd2db0d32d417d8b99d620dab9a1b95d1b934cd2ae9309b3a920cc09cbfdbe944b8b628832b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
56eae1f3276a493dd58a431dcc357ee2

SHA1
655faabc8aeea7aebfab91f1a3ec0322d273d1d8

SHA256
0cca5260ca96c242db7e66070dbbc8a741b9b10dc83b184c5d922a8c7e35c777

SHA512
85686e1e2c60be8e4dcfeb1ee3178ee3fe664e10f8675884dba299c038688f2abf1ce4723c7be0e5cebebb8690509401846d68445a12f6c951bf609dc7d1af1d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e05bb27e8cdca7a5170918f814e98cac

SHA1
e52804b808ac4d3bea4ba12d74c6e5be0b159bbf

SHA256
865577e72494809264999a2848615590533789ad7788c09b90fdf639f7a23a03

SHA512
555d285945a78cd106c0b326f001ecc7965337c285b08f0d3a0d6e67060ef84a6010fd92ec992dd8bb0493160bea1b31a7c49379a8994b5a497c12c9e8b49eb2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f22e82d186185e6b0a5095749b3af4cc

SHA1
e8131d0519938a2640dd4b684ff622f65be6d12c

SHA256
0c7dc063f83c355e3be8e0efbf0de229ebbe210aa2630c36c4fe72bc46d95bbb

SHA512
71b6b0dbec6032a0a4fe191ef487c4e51dee9c509ac57028b13161057c6567d7d16cd884e2c6e368da1959c2d8208abd87783fc9dd2b59ff98050e53e140098c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
79da9826dc93be72738d89686783e58d

SHA1
a3107095a4508e0376ec5a68257283cc5e5b4b18

SHA256
f2e43c9148484ae1e4d2ea1c09344cc25e7633c17a24db7ce66ad727e6b69b6b

SHA512
4ac8c6f57d77d0816259245da3d06924032df2a631bf87b538b31c66d06e9537032ce6c9e202c3ec2e26ec1e032ef551ddb629fbfcbced9f81f325f7713e27b2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
06ed8bfffe248921edc51f1a03d123e9

SHA1
97421adade521b32b72482cb10dde51f5927970e

SHA256
6ee50bd8d7ff378359a4b87cada4a8e4e5c954da4896a99da56c83950a1c9839

SHA512
534090a8aafc954cbdb24a9863cd09d5778444f6a71a02b3e09b57f6f03346295622a230e60389e7b19c0e8d23a1f9e07c7c29d4740ce1a8c271bc747ccae939

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
dfb9cc787351c931f1818cd12c5beda8

SHA1
438167c77b313c1c5c03c115b885764116981573

SHA256
ff0e3315310e39fe37376bf5314cd0af2537aea635eacd4bc0438c6ed9172ec4

SHA512
4adb765568c63fce33ced8575348de3eca412894fad8d8711c7bf3a9f68411925774a237793c6bb81802f3a430806af15f9bcaede7af5ce935e263f75f6f6a46

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5bbbcf4f775ae2a1e02ff9973c146a76

SHA1
7d728e0e91aa03f31d8aabd3c370f19e12f21e2b

SHA256
a51544f6b239d16c90e434219ff80e8cde314e735e228e0c8c4d8b125ed61b5f

SHA512
99367f0bc14c3c2a0fc98e9653067ff24086bbeedb7fef748684488fcc572bca4a37bcc8d8dd140f4d090471a299f9e92f95b10c5bd224f55cbe45ae8347b067

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
355eea392b9f20eb7ccffc783a0df843

SHA1
b842bc1bc4556bd9467a6b0fdd00efd837dd1d6d

SHA256
deb3b49a00aa6ef340e9debb963efaded3a689de0a51aeee46379840e5b1daec

SHA512
8fbf0838c64aa347b87106bfb2ba1a4b44ec65c87b56848a2e5f024c03d873be6776c045e500d23147c3daaac53b93b41278ea3db6da9ce12d29ffc95f6f29b4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
30f6ffb81fa5a577d36e458e32c84af1

SHA1
e89ac5564ca40fd659b1d167f36b2bbafdb43a48

SHA256
460e5b46f331f14e8966ad78bfc346541c0fd0d67e8986eafc96b9d1bc4938dc

SHA512
aea88a0ac19a5bf07d7b20337f777276aa085f2a526dd19b6c7234f7eb7ddf952c5f6323d3dd6fdacc625eb8a41230a09e798a9216abc8ff3bbd1ffb178c55fd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
45b850645c1ab42f4907bcab5bfa3c08

SHA1
d8552cd252dd23a5bf4b6ecbcabf476c05c23c60

SHA256
82f4209dfb4766599423bd362b14a9b77f5daf976a1b955b3dc5d2dfb493813c

SHA512
d681cf432bc8de0e97e06114a797b86c262034ad9827af847eda0d10f1e7a880ea227878787f32734b9a0408b1955598366da05fbe6206fa5e003b7887373a3a

Download Submit
memory/372-262-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/832-461-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/832-257-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/884-253-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1216-258-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1260-261-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1480-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1480-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1480-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1480-563-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1996-88-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1996-252-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2180-49-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2180-562-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2180-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2180-55-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2320-564-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2320-263-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2488-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2488-420-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2488-0-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/2488-5-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/2536-256-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2540-260-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2632-74-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2632-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2632-84-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2632-80-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2924-46-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/2924-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2924-37-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/2924-59-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/2924-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3916-197-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4008-254-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4424-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4424-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4424-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4440-268-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4440-566-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4776-255-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4792-266-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4904-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4904-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4904-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4904-462-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4980-259-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5016-267-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5016-565-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download