0fffb8c907e390b0ce29757f1ee75e659a8699d64b91bc60e2c75a4bf0a152c8

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
Size

24.3MB
MD5

190bb06b5b254381e7d37e34931e3dac
SHA1

2939b822c361b0f389dcc41abd1d46accce91705
SHA256

0fffb8c907e390b0ce29757f1ee75e659a8699d64b91bc60e2c75a4bf0a152c8
SHA512

edfc9fc444aae4dc78327aec84ef242b4cb2dae654280638cd5546813007af3fd5e30f65761014cc6358d55ea143e1e270b01b8512cb2c82235b5cd6a66b8d3e
SSDEEP

196608:QP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv0181YjVqPdBz:QPboGX8a/jWWu3cI2D/cWcls1SYhedB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3872	alg.exe
3548	DiagnosticsHub.StandardCollector.Service.exe
1820	fxssvc.exe
1160	elevation_service.exe
2244	elevation_service.exe
4900	maintenanceservice.exe
1332	msdtc.exe
4092	OSE.EXE
4008	PerceptionSimulationService.exe
5036	perfhost.exe
4912	locator.exe
1628	SensorDataService.exe
3216	snmptrap.exe
5052	spectrum.exe
4588	ssh-agent.exe
3016	TieringEngineService.exe
2532	AgentService.exe
2988	vds.exe
3032	vssvc.exe
4508	wbengine.exe
432	WmiApSrv.exe
2112	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\557471d57489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\java.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchFilterHost.exeSearchProtocolHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c56f95307299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7b4b72f7299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005466222e7299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cc8ca2f7299da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4a01d2e7299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe

pid	process
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	1820	fxssvc.exe
Token: SeRestorePrivilege	3016	TieringEngineService.exe
Token: SeManageVolumePrivilege	3016	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2532	AgentService.exe
Token: SeBackupPrivilege	3032	vssvc.exe
Token: SeRestorePrivilege	3032	vssvc.exe
Token: SeAuditPrivilege	3032	vssvc.exe
Token: SeBackupPrivilege	4508	wbengine.exe
Token: SeRestorePrivilege	4508	wbengine.exe
Token: SeSecurityPrivilege	4508	wbengine.exe
Token: 33	2112	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeDebugPrivilege	1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1524	2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3872	alg.exe
Token: SeDebugPrivilege	3872	alg.exe
Token: SeDebugPrivilege	3872	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2112 wrote to memory of 628	2112	SearchIndexer.exe	SearchProtocolHost.exe
PID 2112 wrote to memory of 628	2112	SearchIndexer.exe	SearchProtocolHost.exe
PID 2112 wrote to memory of 1776	2112	SearchIndexer.exe	SearchFilterHost.exe
PID 2112 wrote to memory of 1776	2112	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_190bb06b5b254381e7d37e34931e3dac_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3056

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2244

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4900

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1332

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4008

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1628

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5052

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4124

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:432

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:628

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
0e990eb5f1309d3f30fe53955af52f1c

SHA1
cf306d07bbb1562f970d4e0d159fa71e60d5161e

SHA256
cafbf80edb27e0606cad687e27f4a5e727f0c35bd498196132525d12b6feb469

SHA512
deddab125782c87d9fa2dcde5393b1b34b36cc33e67bce2da93968e45910215508970057ab113a916e0081ea7098e22ab8a3cad72eb105c58e0fe571f42f10f8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
024c22ee980560614022fa781e4cfa6e

SHA1
4d0d61695765237f10747f5a60e2ac0dcdefc549

SHA256
e0f71892d62d4cd4ef87a09b4c629fc8000598e11f1a50e005132bdcfcb192b1

SHA512
4720c9056ec1e90bb5411badd817076d7872e1df258a01a27c62a5d9d779e870e6b09eaffdcd890a00070554c4e338005cf66e42c100b9395862b1b01abf869a

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
47c5ce6dc01502e16e6b050daa5410bc

SHA1
bddb4157bcc70afb71cfb219ba9c8f88932af400

SHA256
ee03b417aae8109dd07e2fab2ef389774e6cb57f4f3730fa6c40397da2512e14

SHA512
1da7309a5d44a33acb19cb0a805294890516ef147cbbaf993a7863a442eb80ead8ef66da1e0e3a78bf5f670c02b029a20eb5a423821a9c419831630846caad6f

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
896fbf15a357ca1cff926f6cf6bec2d7

SHA1
10917212f8fd409af05490a69bac338ff4e68925

SHA256
a3fb8d39a99b7565181f4e20d076e3c3101b612044ceffbe06a9c79f28dc9a3f

SHA512
95450f659f3f15fefc235e08c6c727a6b518140de3b0bc50a2f1fbe43b0580e55962e5e2a35160c5ee76b4405a749dc9f84497c52b157c209f2210200155bbc2

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
203964fd97f0e7063b4a20a63f0b468f

SHA1
ce4771a532da9a1d481e0c1e23da84710e03b3a0

SHA256
04de3d1f605cb94eb36019ae4f6f36676d29445a0e28ec1e810d91e2c81653b0

SHA512
3cc14caf31a28cf1dc18dc1445a88116ccd32700896eb23c4f50acc6a3b07644596ae2d7b1b35eccc911e42f523c8fad5f066340a3ead24240e2d70553403fc6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
08b9cee93e2165138734d74d42e5948f

SHA1
185cae1a1a717c64b53c1dd69a0d0ca18726b71a

SHA256
1208a7d4b8073ca140fb8dfb2200f0767ea9992555e732497762414dcfcf994d

SHA512
1d8c16c3d04100276d2e004df6a5cd67db1451808baec1977aa3340414077322cab92b5dab45115fd4be66d6538c242c83759ec8c7a9dd1a9a3336970e735c06

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
9aefa4778c12344abe10f33182bda922

SHA1
393bf8cb54c8fab6dc86725a8be430248609ca35

SHA256
60506941e9f3433f21a5e51b088892c17876a61b3faa399f909b4588d997f072

SHA512
303ad12cd5edac909edd9f97b688b3c88395e6f2ec400f3366c142e075b9b971a8e5b8376c382374ac99c04be869ac4f96f0ef3f171e0cfec495f313de5f5fd2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
d18a74f4dbc77b0c2ab96de673f474d4

SHA1
b8d4dc58dc6147dde89e96ca261fb8a17db8ddd7

SHA256
03dbdc07d2bd2d57d9a1655f9a328d977f6b10c0648bb1e01ada8efbfca3e2d3

SHA512
54904c569a5a5db50f4ef565478c17f1992df30a5285dd968e2c4437b296385b46fb5d306605b70162a9b3a1d19d189388773976f8dd50b3a42e2a78e9609557

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
c1dcba0173a4857c3be393e81a86881a

SHA1
3b5e5cb06621ec7b22553dc7267afd061dfd964e

SHA256
766f594208d75c5c5c8d30a284ea938c938577956ce39ab4ff7160e4c544eb3b

SHA512
7e1881e5456d3880a49944f10565a53d1ca9f3d7135cc1d25d3802b028c19d3c4dc873424341a8e250da9f691d9211228959ffa0f31ae8d13125158bc6792c32

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
f9ad48ccc213ed22de16ceef8c847a07

SHA1
2d802d1496dedef4e65e8dc1a23eba1d1755aac0

SHA256
b37c300cf43cf2bcc0e73446d2cf72b692949f6db44999947f1d112faf827e17

SHA512
500fb2194cad0cf60a049ef858743870d1ea01e5f61c00ede35c421504ba76f05cba7ae484c39bddebadcf55393707443fc49fe4ecc6eab9b4b1f44f07ecd73e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
236b52531780908b8d41b8da5c936e3b

SHA1
e31a2014f6ab2d8870048ba18f9da56909d4c03e

SHA256
e190f6dc91e0c1ee3e75cd6ee36f69c79896523d4f634e8c460516c7490f8d5f

SHA512
e34028b9c2f910098319a3c850221baea8878854e2ea638ec90411555a17dc0b5077b859dee528c6969b708cd5549da6790438aa4e3a762ed6177fe7a0986ba2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
23a6fa269492be765f288963a6a73271

SHA1
4593cff2e66fedf7c862c09e5d4b57ec2deb179a

SHA256
0738b74ebbe7bb26414487bb766279f0063f43ead7ad3dd448ecace413a4cf17

SHA512
fba02dd97bf5f559dc696495b3901ff7930511ad56728513f44cff357d32433fd90ff892b78385658ebf59f56e7d6bba3658024ecff8adf06ee45ffe4bf3e34b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
b13edfee99d29ca0269945bdd042cabc

SHA1
6c271dd343b3392c7aa57b8830793be407e93003

SHA256
d00a3970a010fb1ca437f15917589206eebf40e260bff4ea36af5be51942666f

SHA512
8f3c9684a504ca6826e91c198a0a496c2905e9e9bbea3eb7a369d76c6298f3857a14fc9096c065bb5b2eb7d192f8a97323b00cd441fd7376056927b85fb2ecb9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
50b60980fea397b466b3b7465700a4e2

SHA1
a6b8d835090c1509c9bcf8f1ee04dc1fa2c1d7bf

SHA256
766ed06379267ae03a7a1def62058e5463b2799b7bf0e1fe06bef31b76df1dc0

SHA512
159d901540173fb632adf3e5f54f09d98d528cc365a1f70a57e441bfde8edfc4ff322148921ffc50941e326f913678a7565e21a80fb86933db2107e2d2b3e353

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
a2b90d2e5c75195ae9298e3ffb70a988

SHA1
58ee62e68b22379de577678468c9c91d27c311b6

SHA256
ab27ed4cdec9bde20749ccf8c67f314c46956f00e32f2595a458d86471c9218f

SHA512
651a7cae345f3d2cd7166b4966ae1b06d8d5e8a33737bf9b002eacc8590dda94fa3642092c3278dfa56ad23fb69739932c168076337e6287257d286a62fe7e8c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
fb8404b8b27393eded8fa88262e240b3

SHA1
8a57ab688e85406968a53f6eb832d9429667d5cb

SHA256
698cedc211549b62875ba676d93a6287967b1f29e515107172fe917e04744644

SHA512
544e98c3e8d43292f3f4e90fcaab786df57920efb2680bb2ebcbe53ee66b7432d8f2c5a7bf5a138107675e0685fca82e2d8963dd811fa4eebadcbf87c61778cd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
4d89abdbe764c6d72513c2ef9732b436

SHA1
ad5344200760e4dca4ee2ab1df0da1e1bc65ea4b

SHA256
2c2de8562f01e4f2c829dfdd59e3bde771d8a8f91ff276217a40fc75523dabf2

SHA512
d529b1ac791557df81ec0b593e31aed50df47d405b56c7aec7f89b3643b3da3c4535acaaeb6bec9bdfa1a8ba0c56b7561cb0357611b2f5929990f3357e6d0f06

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
a3b0f41c45f507214e3ca033df4a3341

SHA1
e9663af1c5918a5ef08bdaa73a63c672e845058a

SHA256
57f77c751f5e9ea6ed1dfb115a43fb48d3dba017e942352f752f7c7624cdd194

SHA512
679211d2b761e34da0f37f66259cd3254610ad0f2c4e31c021432d5b3efe1c40880aff26c581280eeb6d6222cbfc981ea69f688c6dd82d8234534e6d2245c8df

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
46f405e082dede49fb2de4405f60b1c9

SHA1
2b6e4fcd96a385519bec9aaf3a52a7c9161b74c5

SHA256
612fd9133ceeb0dbc1aa3cf2232003c36784c30723cba6f0b0803f2a0418bc4f

SHA512
a7f6a099a56602b0a8416feed4f1022476e1fb0e0e4d9a063b17682069be66d1d0ece81dc881fae627ce4c95637840c23ef08d32846ce0c60ce933c177e62c4f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
c1c4e3a1ffb4d715850d71353749c514

SHA1
32cf6ffd150ae72e0aee5b9ef99ebd7ce56793e9

SHA256
e0e656e63874477ff40b2593e718ac0889bdd5015ca2cc10bbd0fa7633c6c1c6

SHA512
b02dd74cdf59a77a4e370483e5dfdb5fbbabc34cd27db87ea60cc9d8292fe7e9be736a16cc01e17d7cd6b3fe06de4975d42f8c7db6bc0644b0cbef7d90959a24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
786d15119e42881a01b048eea74c266a

SHA1
e09c11eb47923aa10ddbb8a927c8994b7fbd0a1c

SHA256
c3d9618ce74928b68c87d0a18cc5dd0bfb9cce87408c50d7883af8f01416897a

SHA512
ca2fb0cd6d19a3667ebcd1436070179d37ca5a3e4ba0376ebe51e1d176dbd4131b760f73dafbe440d3bab897ba456d6e092c04508f475ad499acfaf1c3cc75a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
84e1b371888331a0ddf202aff7a4ec48

SHA1
893a81af1552408e56a982a9cee4c837ee4cac2a

SHA256
54b63f2aae2fb9c36713a26c93a281a588c38b3f1d94101509b72f5a2199edd2

SHA512
4856da55acb358fc8e8131c76f1a7e239609c78b1ec36ff50cddb782e6fae93b35934b6ec26c4e8278add34a9c1f79bed3fb479f78d137354808893ccc921b4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
926530a51aec1d337319acf82e7e0356

SHA1
18356115edd8f8cbcdaf4a1c21fffc0bab9cd7dc

SHA256
f9d818c65edeb96ec47e96a8eef027c9867f7dc8def4e26496d02e1eb660451f

SHA512
548fa7c83863bb5228c8218d48dac7e2a23b957a0f811383a5c96732ec31c57f14258ca6d8f60adc50b549920bc8dae2bd9c948ed19bfd77e88a6665cb399be0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
32d3aec6884ccb0b9c676c21d806b267

SHA1
50e9b07abd52756df8dea1a95b1798ae316eaef7

SHA256
bc6e29bdae1241e440b0d7758fe60701cb149fbcb43f42ac4eda8a4c7e051256

SHA512
9618e6cb82753d6f0c5f9f4bf18c96a1c85917440ae96c50c2133b80db43608d102815e21bfd141cce355efc2a8a00f87bc8449be795e1a99b17e89e2764415f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
6063b0ab33b7ea839ea67e5c171fab3e

SHA1
97a59e844add0539f8d3fef40c1e6ccb64e07ee4

SHA256
f90d762c5f76b84c1fdfd298f89d70863343b4aa2aaac63478e8f1ec4be34ab3

SHA512
2f4d5ee81d08b240ab6dcc1e7b28b2c84850f602b7bce4ec3756725b09548a9ddc72f05b62e8925a92d17db297c52618a3f11860172ba69b7ec0f5274d890328

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
084782ec1c8d64f2d26c18ef7c9bb2b5

SHA1
16a09dbd795568c9ed713900bc738547b56cc95e

SHA256
102409a25f71056d60a59f8cd7be9cb4fea7629ce742dff90bd5e0ec53ee8495

SHA512
107a9490d3f254d075b23e4be173c2a4e580eb4ad2b4766ddb62377d60d647d83889c8a0541acef0be5c23c66fa11340af88e01dec30921e5560209219aefef1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
5892df49667d0f2acc074e0cda538410

SHA1
6e7279d51fe62d9e15abbaa4afb488466c5fa71d

SHA256
5b1efe63ba6be4dcc84e6d0ded97c755e2df544df69e314b53e5f45de8779820

SHA512
bbe323d490af549715ea5de7c3f1806561a1e0a91ee58a8f0944103a62126697518b50c33f094cd0c73ce904b00f76b7f88c404f7f2b93b5b5f44cc17de65769

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
66145f9c40ac282e66bf262d7a531d3d

SHA1
0f30fe72f03a456dcbb5d4cfcd6c5c13acc86d6a

SHA256
bb21d444b07084a3622783c79fec4d9edcb32715f06d283e040d8db4cc088ff7

SHA512
f488685061a764160ba6c4da73277a531f5f5e0c10497810b5dcf71e88d5ad6cfa69efe22145d8d61ca1ff0cf93b576de5249abde8b1764ecd7b2d0ab34c3dbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
292657275fadf08d0e5da6ce646b307c

SHA1
0a1b8ec7994cea07ace3dc1db769bbe6e1580b57

SHA256
fbe716bcfd9a40c6b765b16b746a901e5d11337c3870e520b9431556c4bf59bb

SHA512
8d62f1d35b66d65fbaad1c22ef489d4660fd245c4e1c06a3c32cccc083a961dc17f30ab1660ffaf81bd91d74042f74412eb3d2e65ca4f52e41b279275ceccc46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
70e5f6535ced4a21038c605f421166fa

SHA1
f4341c3795ab986b7ded659f1f46410f8340b17f

SHA256
22f4b93528d97c10b7ea484e5a13a7d5aac983f98848aaa1363cf0f68a47e1cc

SHA512
31888212a9895f6172806644bf9ea8052b8a9a17073eb5a8753c3c9993b67f2f16334e3dfc5b5b0d2edb15cd583f97ed26f1b1143b4b57c0061620a87187a1d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
8a2f73caab658dfa6129ef0346a01648

SHA1
4caeabb46fca6ded43b1a64ddd147e0941e01dce

SHA256
ef372a1556e2b5525c66e56022b90799d4e8eea2134ed515f57455ffa22a73fb

SHA512
a15a750942986f6633ee9494c3c99628f5c00f8e55049df1ffad00d487e36ce875a29196a88a1f66e3fd0f103e0fe6269eb7cecba4a418303a24be2a1afd9b69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
815bebc47669c7437b86ae13b0565e23

SHA1
c9a3b6f71c6f1e4cb4bcdaeb504af81f42501c0c

SHA256
c5b6f148452191b53ce40a41bb5bd6ae4f9ade19776970000b5589060894a4d2

SHA512
6e54009a1d599521b143a45c722ceaf3fc98773eaeae83f52799356ed1b864efd8420aa0b96e34a556f06c103002bd02dd9c5336fe72da64e1c98891a8f0b561

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
b9b79d93a116a800e5590ea8bca9e491

SHA1
bbcb9eb37e4f1094b13fa54739b19d1ac6638042

SHA256
d33f2db22cdc636ec238a0eb416a0aa5c38ccde0143a895214918f382da26f82

SHA512
59ce1e16e9d78fa9f9b56d1ed014d8f35c2299c133ee5b9c1414ae1195e050558b2007d0cea967a70394e2bbec2d9346b29cc12d82121dd5596b949493bd44ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
9d5bc5e35e3749f9209b00093bc7ebe7

SHA1
35ce5133b1497a2668de3356134a6f9eae84e080

SHA256
580097775e21ea3a2a78e28e244ff8704d44c6b5cce0ca414563c936286bc359

SHA512
4daf10368afe18e8001dc931e3c40f1af5207de4541e20f6abc1cafa8a33fd0df677632933fd6f24ced0defdd1676d7a25d0a3b6b940afca74f3a8e977350476

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
030eb019ea5696b13fe5dc754a7149df

SHA1
067ac0d2dc83b7e1780e20267828ccbb7d8dadee

SHA256
1640ea42dff13c7de1a589436397329f1fd76e7cd94025e473a7cf8bcf403e96

SHA512
729ae5e4bce43beade2bbe3511d8b637ea84a4344c722bf78b8320bc90996811f2d50a905cc27aad18229d9d462f30ca79db6bbcdd33c43e6851f2a527ae3ba6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
42e9e2bb55982ffab05ae87b6caab3aa

SHA1
44c511b46fe0b6b0e269692b615015ecda4a7811

SHA256
a6d599ad8e2ab43de2012795b4d6dbdf6e7d42809af7cb1db02d43f39ec1a545

SHA512
a1aa73ce60c1b21a9907da63877784d0cc00bc5a0fab0bff507728dbbd980ce4cf3e6f33872dcfaa51d0cc6e17d2a2c18371c593f6444f54374b1ee58bf1f0ae

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
7968800cdbb33cf2a4dbe429a9d99294

SHA1
165915d305047389082450a99934fba752541525

SHA256
b667acae9f8d39b88d0b3c3c826f7107febc97e69d8ee90222ee8c656e474bc1

SHA512
6b07dd308a21c0a61496a90006fcc53959265c28c7a1694a257e72f53b12154809e48d9a6deccf588751ca39de683d74de9d7c0c8d02cb6158d7ba317a3d40d6

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
df7847528718ff6f3389ee1315cb2581

SHA1
01f4e0aca10d0f0563710af55e9ac67aff88407e

SHA256
3b74448559d409c5a799804c11cc8b754e00a106aa51fc8f8e8d600abcd8eb24

SHA512
b7c0b26853b85475b86772fe0ee60bc2ffca37794a0ddb5f9e9e49df59393c3ae824e872d53f7d12a756dcfa6e8a9d304bfe7293bb499cdfc85e7538d89bf222

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
56face2cb4ea9a2dcbc70a8437bfd078

SHA1
5d0981eae70f57f997039fc3830e789680fabf5a

SHA256
182c04fc9d9c04bad09040332fe5b691db8070ff4442ecbca3abe5cf685eea5a

SHA512
aeab308a4341c7315b687140951e9deac1c85deb00b357f171a359a512ebb68dbb3561c2f2e51218058ffb6e38ebf8ec2637f78f4cfbea81d6a7c01f3149b81d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
0021f4c3aa53d2a70efd80522670e3dc

SHA1
c829f5ca0bd093100e61c0b17962dd1597316642

SHA256
1753a64a4bfeef925353ba259f7cbc4632efe0054d6dd8c3b36bb8b99e50addb

SHA512
5e9c8bc6b29d0e0006c95dd976d0233304b151e3e3c0678f058b89c600a23513c7c9a382ecafad4e1c55a97d862b2f9f06d2fa7e46fd45c4cd4eabaa29e778ce

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
403bf819b3ef15b5771d2f0314117d3b

SHA1
aa4ba04997a26f4534668ec53236759ace36ad35

SHA256
b3872c395cfcd05055b2b6d9e912ab00c0d521dcd5d989b66db7fb2f9aa40c5d

SHA512
ba75d232028d77638e86d663c37a6633ad68542920285b13b89a21c676d8d1e8e5d2f890cd7b8c072ef116ce3273508949bd3e3aaf8dadb449740d1086dc121c

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
0f55064050af9e3dcf82b746ebb94dc6

SHA1
efd75418d8b492b2f12635370e7cf5583ff09938

SHA256
da1529dae78a2d6af18fe6a7c429cff9641336ccf37fc7b27940c87900d4cc11

SHA512
34d36b7237d128d5a0e3ec647f27ab1308f82679aea2deab5668d7a77d66ae6aa85874a0842c147e661067879ea374635fb9e3da4d5a7e1a4dd2878982b2cb57

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
c8c8058244ad2ea42ade33278ce73af2

SHA1
2d90baa0c13a71ca11fbee6dabb437bf664e9ba9

SHA256
a1c01fd559ca4826fff530ba5a475230812ebb95a4189f5afdedcee44dbd7057

SHA512
982af36e6106e8bde7a8bf4d747f18a88ef64ca62e7a95e83a65b8e36db8a46f99e44716b2bfac8f32066da9d0d530435a9611274b13972d46e63c17e0e53ba3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
7112ab25cbd2cf4dda1d839d5d32d2e5

SHA1
90dc3184cbc5cd59501832f7c6b568a6c2269190

SHA256
7405d81f8c7d253b7f5533c93c1711cc8226174bdd9f7feaf331be656077800c

SHA512
bec57461b020750f4e23025d726300314079870a6080491d5c31d21bdfdf4d96d9224d79390b70445787696d122bf8f8ce65f5e359deb1d39de8f49da27fd36a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
5cfba50fc6d2cbfdad5cff51d4e36bc1

SHA1
e92e663872cdebe52fe5e0ab307d35eccfafce72

SHA256
5f1dc38bf4a7aa3bf6d869e0c5ea30b79b0d99ff45aef6976fbeecbfb8950496

SHA512
2a1e5a2c3c04dd6bbe1e27d020c2d90daed1caa52db862d6d4eb306c3e6b14fa3877c63ecc46b86bdf0bda59df16fa83798d8ff1fea9dfe840458d637174ea33

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
332ebee778f72c0adab63fb333a113f6

SHA1
56dafefd3d39cd52a9abb5d8024351fa978d414b

SHA256
f3f2f72716127458659f7c3254be99c1976751abad888524eeba92a6f9c81c89

SHA512
968aa513803174c6f353bc2d9c0883b02c82758e7108fa43cb06de4e051b4c43a3e8ec6718f8b9b1a16c7e615e91f871abd4d0a06f0bfae8b9fcae42b66a5e57

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
4fa3ac0c231e97a8423eb812f6e2f66f

SHA1
0f405cf3d257528ffab76b2c4b66e3ada67c9be4

SHA256
bbdf75bfdce929a3dc19af4aed9e994d3e5fec7389ef7c5a4473fef2e7f53edb

SHA512
dbe0f0569da3cc661a5375bf1ead549a11c3ddb7951610f7a31759d3970fb6a195532de53ed3c2f119c2bd52382f91519bc04918ed023d86b994adbeced2cb02

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
a1bb7e6753cb3a56d5b6f6c6408e7d84

SHA1
7ef7fa6644a4ba6ea0c39ae1a660ed90bf308cd0

SHA256
b0c1cc5a0cbd0ebe4831160bb52e40718f6ba0d97286f321ab63dea506b839e8

SHA512
479cf2301332d0636b9e4d167a88d3a7be5c43af0652adb90694075505c6214f3951eb58025a28641ba47cb85196fd0f6f9c1008232e4395a4be5ccf242af8bb

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
6841385ca3ebd70fddc81d96502dee3b

SHA1
3dec70ff849ead9ea3f2ebc3afe6055ec6988148

SHA256
73c16d032249414374d9c56cab8f1d8e9eaa63a720428f0bd03e36a9aa411fbc

SHA512
2b384b321c32db55bf28458a105d13593e50e59f28f1552296c4e9c36c6e04063c460334768f5b05b34c526a3be17bd6e9090c18fce2ab3a3392ea80e5a69c27

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
9389bd8110d6e9472f5109863e9f2c20

SHA1
300ef56a09d1567db83e5f57c254d88d15522896

SHA256
39a581802de3b1bcc1f2d8e0b69e97a35236fb6cbba42b8fb475323a6d558a09

SHA512
52bdb75503895489d778d68a473c0f955ffd4453e0e772398126ce62caf54c4d69dcde79d5786936d752f285870b795fdf0f965a6496319177b60c83e45d3de4

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
3a23e84515fe09d9b57223e2c2812095

SHA1
1b586232ab2fc9630eaa668a6b9419033c4c4179

SHA256
4fe0d97cf87f8c3a290ee53309140d3bab5deb5a4f7efdb17bf86f2b74e33e53

SHA512
8c62802c122653cc4a2f15893680edfc1b4045632878a5135f2b5330f9a3325f5d0df2adbeb32a26ed2ad5fdb9ab8f103bf1fdcee0e32affc665e99996bfcac5

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
c2cc9a73ab931fdb7920a3e5d44e514b

SHA1
5f066dadb172b64fb8d9ec185da5630580c2cd0f

SHA256
db673bb3eff09e5e7376ddb0d64085eb8cec7396aa9e1a003614e0254ade2259

SHA512
9bf035d3d90b259c35244e46d6007f1a11c75aa0cf14e987b26033d790922cb03da78c6d304973f8cdc3ee1f82c8e8ba5c56fa5f34d72e679c3544736addea35

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
e5f58578d3bdbbe98cebf80488f41db1

SHA1
5be7193bebadee58d1d3874772990eb44f95086b

SHA256
0fd32282c5cb5f13911f0b055b3682a275f7804546cfd039a24644173e37d5a1

SHA512
cd0dbfc7be7add05986bea8cc3c06da5e13b833b166ec1aa9bf8e1fb14b0047ffc82416930ded898785bd928b31b12ba009aee709a703f17c7f0b69b5f67fbe4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
652d4fcd591e010cdd98f7114965eb2f

SHA1
d569cccc26b79795b4c4a81f59cd072857328ca2

SHA256
f5c39bd007fd86fd9dc01b2be9d927e519af2693ab7df819b029f02f9ff01f51

SHA512
3727449d1074d3b1de066239cd5f9b266b3786d301567d915c4fe26d06e4a40ab716487a3ad660425c3ed0b4ae5c08f600783cd0db19ee23cc4d69164e9a8d74

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
63de09b34f74e975954a7d6d2617d27a

SHA1
56a9cf423a7438f67a88e00ed54dd84c51d1950f

SHA256
02daf092a47188f909f2e2576df4c326e8ec0477e260adb75996c9b3c9008a81

SHA512
20ab2f2ae0d0a741a1e6a01d4969ccce68e6eb7cf5a8c992160844f1b25a25e54bf5260784c9b3aae898eaf0793eea5f83849cfac4bb4be70f4e53c28cf59a96

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
4e179a195630fa4b8eef1adc53cd5aa5

SHA1
44c2f909fc7df6b9d21d93580cc7c2babfe2ca0a

SHA256
d7ed2b0916ad9ef7c221bfbdc4f3bf91ec6d389c10914c04529d772f434e7337

SHA512
7d6f0dd93d213be8803e95b7e24762a2a2a769c52137d32dc1003f7f223a25441c38c074483e6c044eee0679a4141e2cca75b9b66ae5fc7350b5c65e95304c7b

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
feba748defb56a3bcaf00bd52d208687

SHA1
6382965606981f16b440c197a6ea5136f4d356ef

SHA256
c865f64019a867eace25069f0666d8aa873f947f007f4038059d379ce1dc4fd1

SHA512
68b6f87fb8f9e7da994a2e3aee1ab0c29e9dea350b89ff876bc1983e46607d7c4e2030d0b629529e67fb1c794a97a40a7afb30db2655eb87b5a3a701c5280934

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
faeab3faaa2724980f0db00f204fb900

SHA1
3203b196bffb202a52374a805959bd424aad41f3

SHA256
c94cdada68a9da79215edb85445562d6ad65b2c50cfdb85f75a46827b031544e

SHA512
03abe727810f448c709aabb0fa785e3ad8aaef3ca373da8007c37cab369a46d6ebe40685800371c72608eebcf3afad6580fb3f764f5f138315b50895bf987dae

Download Submit
memory/432-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/432-533-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1160-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1160-57-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1160-51-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1160-164-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1332-200-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1332-88-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1332-89-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1524-86-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1524-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1524-0-0x00000000023E0000-0x0000000002447000-memory.dmp

Filesize
412KB

Download
memory/1524-5-0x00000000023E0000-0x0000000002447000-memory.dmp

Filesize
412KB

Download
memory/1628-520-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1628-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1628-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1820-43-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1820-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1820-37-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1820-46-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/1820-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2112-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2112-534-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2244-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2244-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2244-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2244-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2532-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2532-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2988-528-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2988-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3016-527-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3016-189-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3032-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3032-529-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3216-153-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3216-428-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3548-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3548-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3548-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3548-31-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3548-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3872-11-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3872-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3872-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3872-102-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4008-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4008-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4092-215-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4092-112-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4508-532-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4508-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4588-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4588-523-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4900-79-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4900-84-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4900-73-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4900-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4912-130-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4912-251-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5036-126-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5036-239-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5052-165-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5052-484-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download