b3ad5587444716bdafc9a4eacffe34c8f951c8406a87a7ca235e4fb3d8c60321

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
Size

24.3MB
MD5

b35be52f69776f6ed8cb4d801571cdfe
SHA1

0913f61fb8cac8c7cda75d35055de54569ea03ed
SHA256

b3ad5587444716bdafc9a4eacffe34c8f951c8406a87a7ca235e4fb3d8c60321
SHA512

510143971cf16de9bb5fbda949bbfa20df52c88cb48685cd76985c43738641675c571cbc79379e4a960f398d0e7d1448b60aee9fbf7eb3ab21423e961fe3d74b
SSDEEP

196608:iP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018J:iPboGX8a/jWWu3cI2D/cWcls1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3960	alg.exe
3440	DiagnosticsHub.StandardCollector.Service.exe
4784	fxssvc.exe
3016	elevation_service.exe
1056	elevation_service.exe
1800	maintenanceservice.exe
616	msdtc.exe
1164	OSE.EXE
5004	PerceptionSimulationService.exe
944	perfhost.exe
4852	locator.exe
4724	SensorDataService.exe
1844	snmptrap.exe
1140	spectrum.exe
452	ssh-agent.exe
2420	TieringEngineService.exe
1276	AgentService.exe
3368	vds.exe
3836	vssvc.exe
4072	wbengine.exe
1080	WmiApSrv.exe
4452	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\20d75e8eaa61dacc.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\java.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaw.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db0748ed7299da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052dbbced7299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e1ffeec7299da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043ab6fee7299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e801c4ed7299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000512f4fed7299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000117d5ded7299da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe

pid	process
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4784	fxssvc.exe
Token: SeRestorePrivilege	2420	TieringEngineService.exe
Token: SeManageVolumePrivilege	2420	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1276	AgentService.exe
Token: SeBackupPrivilege	3836	vssvc.exe
Token: SeRestorePrivilege	3836	vssvc.exe
Token: SeAuditPrivilege	3836	vssvc.exe
Token: SeBackupPrivilege	4072	wbengine.exe
Token: SeRestorePrivilege	4072	wbengine.exe
Token: SeSecurityPrivilege	4072	wbengine.exe
Token: 33	4452	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4452	SearchIndexer.exe
Token: SeDebugPrivilege	3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3356	2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3960	alg.exe
Token: SeDebugPrivilege	3960	alg.exe
Token: SeDebugPrivilege	3960	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4452 wrote to memory of 2724	4452	SearchIndexer.exe	SearchProtocolHost.exe
PID 4452 wrote to memory of 2724	4452	SearchIndexer.exe	SearchProtocolHost.exe
PID 4452 wrote to memory of 4836	4452	SearchIndexer.exe	SearchFilterHost.exe
PID 4452 wrote to memory of 4836	4452	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_b35be52f69776f6ed8cb4d801571cdfe_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1192

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1056

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:616

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5004

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:944

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4724

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1844

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1140

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4304

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1080

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2724

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
ec0e73adb285b4217560ce1fe2c386c0

SHA1
bebced9c054892d3e1e3128999d64cc2d0eaf867

SHA256
e4f30d6c2cf460a8da330abd8888fb2585d88a4b1f48c9c15e44ac62e3917701

SHA512
fceb99c1f0bf456de3dae5676e0ff4ae2c4572cc39d07c8fcebc5a63bb9aa0d80e7db04c211ddf713d7c991541f9a26b56f93e700aef7aad2c84ca112457534c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
632af8f723505e8352cc4cbc821ab3da

SHA1
9bca1a221a4da3715141dd37cdf065f390e1cc99

SHA256
a7bc390cb558402c90714fd65123ac4a61cec7892d8eb28dccb9c3bd3811782e

SHA512
111f33bf495c24c5cabfce44317fddc83aa5ed1b135e6b7865af60eb5fd947435ec205993b20288039aabadab905e80f1c6c984c034b217a05c98be54ce4a92b

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
a0fe3473afe2ce93d24f7050214789e3

SHA1
09187e77cbb382ca8acdcfe83b2925f74918ade6

SHA256
4b85cbd0c864cc542a5b1d6dc84970de9d4690b3d78d4d540e07055daf16e3f0

SHA512
6ca67c83db29a52b645ed81fdf4c82054daa4c7d6f612b37be7cd30f9263936dd91e3cbb37980fc7b13f9a96632e1be69ed9fd831ff4a96ddbb5dc218b72a0bc

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
25ffaa01f1d301d0b554a4e841681d2d

SHA1
881ab68b79e8fd43e3dcac52ff1720d553508166

SHA256
2a266be6f339588d3614e8d17f770b7381efb1611e617d70070d88a8dd62496e

SHA512
99b3d59c4b33c7b6304e2a3959598dc9e8fd98ecc11a836cd869703b07aec4aa90d1ebd15f0f92aa028a810026bc53f792ae8734246355693b9e4dc1817e94ce

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
0f72719f2071a7af1c69095a00d8f4fd

SHA1
8048cc8f2a6b0d4e156fd0cf8644591f5398071e

SHA256
7acccf7fae9784d084927744314ab8af09a5193d824fe3d52bd47374a1fb666a

SHA512
2a6c2ef7dd8b54aa85a1664539913264912ca78a728e936fe08264b1e63d864f2bb2f3236449c4135da7ffe3d018ba81c918a83e3572e1bf50e23a3e313141d6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
2e5746c7d0c7bc6f10c8d33a79b66fb9

SHA1
0833732a8b6eab5c5b80bc63779f0d9901777537

SHA256
4c9e6242d6079851021167e026119ae448ce4104bc31e48556005b6fd88f0d52

SHA512
67434b92a73167c73631dab6bb8c9cbc978312b0679e0ff8869385ce016f6e63f4e6e3f43265fa2da0f23ef04052a6fd57c7e66ff644c1f5872ca282faa0312b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
b797bd17d75c3ce1dd723a5f11727cb8

SHA1
4e585a2c9f6e9fe585804f15e9b9c1bbac8ea062

SHA256
176da19f6e313e2470a7c78d8e8920bba83f59f64e4298e47763bde27aa17df9

SHA512
3cabc3968cfda9d39f5b315793951ed039a585a09e7d3e58f69ca4b2975bbc7379bdc7f0f9f5408ebc2b3bea8404e8e6b15bffbf2f933685aa4ca14b29eadb60

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
04fdf75ace0f740f70eb930f06e25748

SHA1
31ca1809182c8cdf78bb4d989c57c10d390474a1

SHA256
29df12de407bf4f6819fa78574d3829596d477a6b76573d1de8d6d5c258208ff

SHA512
9cc7834d54e9b69e8ad600d9000ad32c5ebf5b13010414dab47b9c79a127074dc7569a3378b6edc07b1e2de6d2e7de1bf8c34bddd3c7ec655775b9de520f5bfd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
1c543378c9ff1d28467d5a45eb82687a

SHA1
9dffbb5aa81eb19b5fc6e312555720b99ce12632

SHA256
04470f06d9293b5217007aded90d482a17e31c81b63b67d45d86225dbb37c51e

SHA512
3b56c086305a3c4cd1e8c34952e8986d67573cf29cecd8cfed3449ed83a686e30f43df17b4dfd82a10980477593ba267b8fbd36cb5b7188ac3acfb745b91c649

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
b6c4d45306924168f5fc0b7fa68f79c2

SHA1
b54752dd06f68669768d157971f5a5890db17a3d

SHA256
853fa4118d0712d995a41adaf0d898909319a02e1bbf0e084522de8c3c994048

SHA512
ac52b5b8c0ce77dc550fd40a46ebf3fdbe1e12d7f46a947eb35dd03b58bcf8aef3200cfaf32b6f6229b67e593dad8284e61d921b7c1f152872ddf544a8f78177

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
a067d482ea4b272ee3afd4558648ad10

SHA1
4f4bf431610799e95a9c3959801fe9003aada69d

SHA256
3e118c183b873a6e523f02ecc297b272ac96d7684abc7ae9589ba45b08218e95

SHA512
0e6cb664e0c17d7e738658dd8a7b4f755cbd57304e2e5633be7b5b33d545e4b26c183728b01975e34454249a84ebb799e450174c9c23a6dfbdb31bd0a61b9aee

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
34bf012c5408fa552e48c70fed39bc90

SHA1
9c7d9e0da303159b9111d2334d6562a328c227a8

SHA256
12af4aae5bde804424647e4a91ba8390e2f1ea2ad9d04a2b39a6ac4d0c581b7e

SHA512
ba4bcbf3c8bf296fac9f1866b4d1dd5aa1b5904cc933f6188ee21c6e9d2aaacb2cfb402e892f17eae8e4ddb6ef730ec072bd0eef21c00a206f3b80c4ad8b3bf2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
f68f2ae40928d43a12044c8abad1a25c

SHA1
3cc15953f7bde43e6e14fe91b34d9f94060c3bfe

SHA256
46ce9e9049c90380148c92c50400bcd0763c2fa47bd1dcb61e6dd0c337b5e930

SHA512
f1014d447d555b1b104da8fa7cd38379f6e135168e9abbda9bab670c3bcd490a9a3ed970e55767e61c2a4f6331714ca1e6c71635dd9bf29a0997c540dd9c7a87

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
2c8ea9c16985e759cccd0bb32f00e5fe

SHA1
4698e30a6545f428d2d3b9045d63a6d0d05c9bb5

SHA256
4e6907520302f0308abd88aefe98a70e06cd1edef92eb108b729ba37e4badd2f

SHA512
50fcbfb2bcd96126df20cdc56238986865292841710fbf6ebb675529271a449b212d9534a77ca7c2c00127fa947525201ad1f246e8817580357b8b7a8fc438a6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
1b6e76923a67535723d9f950f6692192

SHA1
e169694e04f9c5e3fb44635d359f447e599d5782

SHA256
fbc950f948fd370cc831cda6c8deb08ad68ccd17085223d9e3bfa785151f1c6a

SHA512
36d4cd58a7bf2496a324c47cd3483e9db6af52290fe457f0c6599a4f0e20bb336f3e2c413322c96ed7bfae84ed5b7dee8f0fcfce111fd6f8b41b3ed6cb5a9314

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
e275849deb069924e7095d6ae0498bab

SHA1
f2ac45ee44ef904113759a218a227aab6729d1bf

SHA256
8264fc4a779e2b438ef4f35c18108d85b8edc273d95b22f4e76c332ad346d25a

SHA512
fdcc23bd2e8693875d0c86c0b26f7256c7d9d54cfa8c461e2a94a578b7e8094645598931d98b125fe7ee81d44ba5b9fff0ff88fd2294b6020e1c161d2b15295b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
d707bf3b61a4cae0e85ea8772a27c84f

SHA1
ff7c64bba1f148cc64a82b25b271b02b1d87196f

SHA256
6583672d3b6aaa6cbd11d963eea7728f9127a4ce4c2d7936b7edcd6962bca037

SHA512
75ae666ca9065dade71ab9842f249a9a5a0bbd6b0e619a72de2b1d1d1030e164f7ef297c1b1816d0bc6ddd4b0ac7d7ff11c2bf15816a576262428eadfa643a03

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
f161ab441db3d96c7070a989a554ef54

SHA1
970931388be6bb0e26fc85cda398cc9c8830ba5f

SHA256
64caa4eccfaa472a39a3b1576380fea268a33f5e39c5d66c8ab25e0f979b90f7

SHA512
7645c76164e7c4c7a2bc364cc17b4ed284ce8fef2a139f09a8a32ef87a0f186b5fba2a19f96b9565ffa5bab70042996492751bf53557fcd9c1a378f9a161181a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
91cc3046d73fa1b426eeb581298b6161

SHA1
6dc8d1264164444082952236f0fa4ae3cb3a05d9

SHA256
b8eb2c22aa07e283d495904d2c61a7a873a2dd772b28bd7908b8df821c71dbf3

SHA512
6ef70325cab6647c95a3adbf8596ebf176cf271350c3c6d0937d991f5d0a5506db2a518041c6b8ffce2982bea0c7b9cbf884cca58ab506e087cf1b2e268d3d69

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
5e131e82d12c0fc4ccaff33ec1e32c58

SHA1
7203be4931323aca0f7e393d7e698f04ba25e640

SHA256
a932c7d73b3252b6b0cd97fc30836c8580574ec7e29f3ae74b2326e37cc4cc06

SHA512
46b0dea24f43ecd78df7fb74dbb2c5ea7eb51c6a3bf6a182deb4096a320f7823c04339f0443d79b395e6df46d460926c7e751d1cf575b3c313a2d8002f773f56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
876219a02a212fae9877292e34437f82

SHA1
a0ca846702e141e7d5edc3dc667c430d00010318

SHA256
97401d3ce9c8bb768e8d455a029e21598370ed6728e0d0a07aee2a5bd763fa70

SHA512
add3f7ddbb25d4574a2f00c5cef4188c37c0faf7dfc1fff9540ca089edfd479d8202b8865172c8eb00885c493145e30b92d1ba4cb3f70b26f05453862c6db856

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
5757f854ea6220329eb32bde2bd743e4

SHA1
51e828c3caef69e065d2df8070a577c9137c4366

SHA256
655567720d5fc8fd70c87b9b99880eb5ce01e8063e8a640d394e5fa0e43d5172

SHA512
f562152bce94c3b21c2de817ba76769796f4d485d560edb9dfe076cf3fd7b798040a7388f4468f3689a15f0ed577c05d793f0e6dec4b481f18ad7af195f160bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
a80946f11ec5440c65700edc5f1c04b2

SHA1
c5ba0fcd3a810031bd80447798bc1e5e21a3e15f

SHA256
6de75695c78c346aea8bd54632de9ee20fec55a875186d7ffd51373ab66a18c6

SHA512
743f34944b7891a8b6da8dd4fa0e2c5b556591d0424478465fd264fdae574d56f449a882ff9e2c14ef8ff50a1e3b2c188e428da393a9bafac586270a4a53657f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
a31d4fed52c16b78613e4a0d500b8424

SHA1
ce22e2a8e773d9a6e00ba5b39479e0dbf21b2d8e

SHA256
e75f9e4cd6c617c5baa83f2095e99205c837c72c0efa29c8d8943f4550794732

SHA512
39c348ea61a8dfeca32ecce793c83e9d1b0abb6ce6976d57b2d88ee7743ff70280f73571c35a51428ba4f861b9f54dc8227d220b02679947d6a535cf919ba6a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
0007170eec17d8a28cb606edd1ed8239

SHA1
6ef625f5409c0d3c6499ec8711d47c976730a33b

SHA256
fd7a8c8e8a913a1e06576e769d5bd5c4e298c486259cf783a64adb237b216dac

SHA512
f943e535aab338e4e88ca07f884517a73d257bcbf02d6aa851ea16e798f3dd76d2b93d0e2bb52bf1069c72bb9e6b24481cab1df2619570c8c46925b11922550a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
6cdf9752015aa5877d4da72ac7d0bf50

SHA1
b1431862f03069598e5e7f302531eb77038c8b7a

SHA256
90767efbd5c278ce5b482db09678c824f05096e2100627cf4b3c4bbee4c2136c

SHA512
cb47d7c004cb0510dd4a7a24392551ce1001c57ba1d01908affeb3c8d80f568acc2775138029e3a2e6f0e86076072968e400b89d071406b00043d9c64c7a07a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
c1623b82937b39b35ad8f16b17bdfaad

SHA1
aaabd28cc4bf6dd7fa9ea7264c30cf03d3552c09

SHA256
5d45d67598b1cd108bd5e5384823d240b83fb892891e59c9669482c82515bede

SHA512
a80ddd5e12a7234d7d5882c16d8e3c3995960e8711b1ce6fa7c0d15cda90f64c1ce9216b5b84b81e9ce65edb23b284bbc3051c40cfa26fe4b6bee90c6764018f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
49064c13cc1a31d1afe98c5a81b85155

SHA1
fd28af380bfe185d3e53c5cdeb23c359f5b04a39

SHA256
7a61458e437a0c14b9c1d342b8a89073d3067954a8b2d405ab8b7347b74728b6

SHA512
09074c847c43cade73843f7d8749b2b6810d802bdda3836f2b2145f9960b9fdfb1da2deb3497adf77dd617b0bb6ce3f3d5b0d885de9bb76b18cf1c4d84a32ee0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
163e9866b15ffcef0ec2db3e4fc94734

SHA1
e9936dc8f8263cee1ffa3eb33f919b940bd685cf

SHA256
dc00d273c4c094fa13422d709d7876b9602dfd10a68c63f23f8174b4723f208c

SHA512
c3d4c10fd215ec633169758b4e7c8a0802028f23543df36daf7627859c2737aab263bf78b66724447d55dbf0001a90810949d1992fe39d8a363ddd47901af633

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
160e89e97604bb886a68a0783620a740

SHA1
4c804f35dd078b5818c8120d744fba368c2f87ba

SHA256
c63f4cf757468a301ccf2e8de8ed389580bb665a5089a7a19386d715b59dea5e

SHA512
afc2e573d0401f9b615bfddaff06933a319b57a86d194a3aacd38bc7395573d71fc0ddc439a5f8640334dace4cd881e1fc7b36c50f7d51de605c0fb736df1ad3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
989f29be4f13abff25499d255b5e95f2

SHA1
9b2e05fe136d01ae618ba98f1b0f416eac0593d9

SHA256
70777d42285d9e615cef5868b2c36fe960e3756d1dec277a319c6f0700a95bb3

SHA512
0f61e8c03dce15876206cba652ee7be4c734621f8e41a54d70f636731ced212bd61c5b2bd150a20a2191c7f03dbbaf4c577ae6f1902825990478464418ddf6b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
7bf552ff3e3b8593f77e2246b061003e

SHA1
eab41f0af0757b680aae14298ab26fb3f26f11ea

SHA256
2d12190877f03059c6f1da707a1d460ebaa9f23593c7c14f241bd423b5ea38ad

SHA512
c5fac6cb59e57854da7dd4c3786a1f1de9d0d2d172ba1e2194c763653157646d7a57cbf316a35dbf28ba14101b6669a4669644adacbe3b2aa5ae698e4f372e48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
e773fd1de1558fbc1d49cad0c1fdc92e

SHA1
518eec2a616c85963f398ac67326ad1e9b3ffa0a

SHA256
30b33852d545359f81dbf11fdd296e6817c8ce08216ee5ffe86930500024166c

SHA512
d6108b776a98951e54fde64989b8e05587983106f4e51a10691b4165d99ae6ccae019fc6b06885dc74977aec602825ddfebc65f99d205314845e0e8e26fd449d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
02afcc2d42c8764f6c81332a5691e4f8

SHA1
5ff92ea7a23b019b5b9d509547962276fc6e329a

SHA256
87cf42a794dc70ee6546e526d0d80e4a7161a8618417ae5065f6e2a0044f1c11

SHA512
43f3fda07e547a957430683f6e7eb2fe8c7bdb896025c40110482fb3e5b6f935915384a5a88eb1847ccdc812bea441328d357683407884f5f8700ba51482fbf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
514253ac13a68fff960f4dba5a2c600e

SHA1
e7f68f92f8bd1d1cf641e1fe9f816e10abdd04aa

SHA256
ea6312ebadad8d7df57c4475fd7d2d4c766cd7369566104e66d3990952f01e16

SHA512
e4a978e51ffa13fc75ea6d0412e12e51d9eabafde4e700a96b0025223c8912f1fe3c9e430b44c21c28219e3a397a0e164e5ccf6e68c938c273e93c6139092f36

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
9a58ba936a73763dd3539c677d7695f2

SHA1
674f9a6ed7d1a03d2b2f17dcbd3c950b6fcea903

SHA256
0a8c9779353afef9cb2c7df5a335a0e4e2df7e6add665a700249b32d5a777d4b

SHA512
4109f8b2ad646847c410ca14c5fdfe00160766fd086402b68374ceec66b4b24426e665949fdde70e4c866b2afa04464b7f00e1c78ee9ec3bb66db2e28b410a61

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
80f258e8ffb42de7c1d841c386dc8923

SHA1
f7ffe5a0ddef70e2b60a563a9be1857a7ac3cd16

SHA256
0736b563973d180c678ff6a290255dd5b9b92a672f1f85f8b0c72750bcdd8de9

SHA512
f39565887751e77c91fa53415acdeffa67bd8381af58e194b29ef5d51f353d23d1aa26eb328941410ffa29ca02e8e6f27a9dbc878057f919b1a298244ce8e33a

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
2bf93ae7d6802f2427afe4c291215709

SHA1
281c4a2690269db1f6d48d39c7536200dfd4504d

SHA256
e011cfb2fd9a8e6aa571678da726dfa01939c19313c1807bb70cf8aa14e530b7

SHA512
0158e101195c448afd73631947eea767ef49b58fb1d792deb86d779ec05b60f871a509c7936d1b56ade93e79234acfce4414fee616a405745c35ccefb5537dda

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
0c8ef43fa326a53bad47d442191da1e5

SHA1
4ab271c6e636040cdece83ad2f5ab45285ee66b8

SHA256
1d62163bd4aa142e7862390837b1927f1df400ee28d174e4a7734b85c1d2bf7b

SHA512
d587ca950479a1b5362b4e44cfda97aa6f20c54ad05ddc9a1a095032e7ebd07108ca23e5d9ef62da2ee4bcea3313e1b55176525ae03c80861ec2b7d63e9b5c87

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
152a59a9d55872f4eff0e1aa12023ec7

SHA1
a73df89a44a6f431c56dc13a58d8c1ee80662540

SHA256
a6bdbd623414c857e309f4ded4ceac4154ff7ec31d443d44531349e011bc73af

SHA512
fc2206e75c01b4d8b629277919afc69529aa40c119b7962518aabeb8f203e0e8cca177d6f2865fb44d70df36202a02ec34a0ccd2802d8a49d3c76f37b393a3fe

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
ffcfb6305f7439ee0a4faab576dc66f2

SHA1
a83a20db55c635fd82c2d1758e2b269f6f52586b

SHA256
75871f99423f70899d5e53456e03d946d49662e65cd29ee29d403a6aab2084f0

SHA512
64ddefbe194809ff9756fe1d3e896abf0c2dc85d16cc717264c41c83de8f853087d6e4f05df4de811069ee507fe39b2b8f311e9e8df2998e40e359827c6ebf8f

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
1f083fc60380f6336b23f556dda0a1c2

SHA1
e7fbb436e58c4f32d17d9718f2830b9aaf17d0c9

SHA256
01316bfa0a82a80a1ce3a0e2c6c7d2d396f335e4f54f7ccc3cd2fd07f2ce7b46

SHA512
c5f93bb999b665a879bcbd8a1fee541d05bf59bb4569e0c38c418fa07533018b323fea4fe89eee0ee5bf0f89097ea046a319cccb263296b0e64741dd98d6f25d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
9d6e0e18b35ba69a5c00e7dbccfc9772

SHA1
bc46559bfbc1f5068e02d4a42d6ebfcca41d75e2

SHA256
f31384b556791b2a620b5a13aab5bfba0d553fd381a67443a6098b56e697f30c

SHA512
9e7e42143aa67b86aad4fa8c7e395b8506b0e7f36485678cc32dd20aeb1ce01bfa9b6f3cdab7dd193cc6cc20ad0ddcffbf78731535ee61b1febfd924cc4ac387

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
6b33f57d25c325fdb947c3937e0b47d6

SHA1
35d2e3fe3df1122b844bbad073744231100989df

SHA256
6b6618272b24c5c98cb4db4a8436b2b19a576761a53af1ff23ef6f23b1afe808

SHA512
0bb40174c985b34109c78320470c030ac8ea2f26c28fa7405a068a0f669f57175416cd6ee1bb65d36c4df6412e83de14577a2005eb49545ce1cf71433318636d

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
b672ac40754fb0835b3aeba473b0ba45

SHA1
2660311210f33365ef37e215758f1ad235f961aa

SHA256
cc6476b7e76b6187268806a86b35f6e05ae075a1a9f3a486bb03fafdbb13a024

SHA512
c7844103f7316fc03a10499f1ec86f787a6fc25d10e1f0ec9942bac01c508a3a3cd2363fbfeafea8152237cec3d4b860a57df47e7042cc8d65fcb3560ba30ba2

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
35716addf3c35aeabc00e7f02a039ad5

SHA1
32841612eb7947c6dc80d4b23b26e66171a84a25

SHA256
ab61e641d02298cd9b4f501dcb51d5149ec445dc2f2af520ac6565a094c4365d

SHA512
a519eea7e2d439225698a7bb619f24aa900f10e2738f9a616e5371333ab39d78e125eca7215cabd600018c08a75b84b1ffb90f60a495a6e8876d3c7843707ebb

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
45d8f69c849f796e413e16159f535408

SHA1
8c34922e7ca651bc962c380dc2f2b2b676b676ec

SHA256
4e0ba4f0b40913a08fbd4d0db07a5e168003d9923588a0ed671ad00e9a622dbe

SHA512
6fdb7071d7a4ac115608015a42fedaed86261209658be37d6f75960599c9618e7369c5d7969416caf367922e4d7c914c4694c328c97cd6043a27b9f2f55272ff

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
406d1a1819f99d75dc8603dc9ca43219

SHA1
4b2d18ea1275ff50ab71a35bc28f1f0ea0e7d3e2

SHA256
7ab9ceaa4a455d5ad74805015198ac9737f474918c49599aee501b1f58aa638a

SHA512
1921e88e634e0dec94502af7bcab532b561f499ee6139a4e4da1d3b8bba0c48a0ca57a7806806d30559f8943008b0ae87717049accc9cd980bfa655e748ee48f

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
5ec42f14ddcf34772368cde6fbea8abe

SHA1
001c97ddf67e9eccf09bbabd07cba38cbcb75fab

SHA256
b391b6fd3740e784dbf7a89b5b4c8fe3b26d678f3e47e5adeb4afa21637ab230

SHA512
7e4f05064003172a1c4a1ba958e453663831f5becf4df982a14c18bad07ffb53e19f40f3c92ed951a5c2b658df508199dc6f4b953d512aac8085b3abed0ca8bc

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
2f210fa32bd5196f1977c9e94b47dfbb

SHA1
3409f0a6808b6cffb6d6068385f7d3a574372aad

SHA256
615e56b3b0d6d2054af0303c6929c4233771de7a67f2f66dff0eb8c3473dc803

SHA512
4c4dff970c8eacc399c4a1f344517ea7e0c4391011e010fa0fb7ecd0151dd4a9141c31031388a9d11ec40c1d1ee2765173174744e342ecba3cb106998f1a60b1

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
12f051c91c0b06196880da3720eb8c3d

SHA1
7e8da109157fe833e3938ebbed2792cc09bc1ad8

SHA256
0d3580191971fcfba9aad704cc1de310e33c3309bad5d9bffc60befa599b963e

SHA512
7b2bd34bc50767483838275321cd810d398e3f11346d80139ccf7a6679dae1eb0adf5a08c9223e1ef55cca8707da50a4b891127bcbb4a3921fcda91ee8d81580

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
de4fa654164afcc5b6c8f8906c66174a

SHA1
beb846b215cb85f91c65a2c8602a5b4127cb89a5

SHA256
ddafdb2947da8149f365ab196d7be2affed48e11c6d6dd82dab59bc17043398d

SHA512
fb1d246c5bd7a6634f6929d891c742376f679582f23c021a8792ec9a43e81df2c2875634f498a1dafadd2faff87fb3928490be06704d3eb5ca2a70e99cf8ea69

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
4b6ab7733741ef1e392596e6c99a7bf0

SHA1
32eb6143a98f35543c72758c78dbb70168446bde

SHA256
e5ada1de1ceb3fc800ce044e62b93fe8ec5ca2ed55b554d004b93594309d2161

SHA512
f2746aa2228e29a195dc5fad4111f48ab693f388da8ad36365fa4596f76cafc736f76614d48276bde214d7ea4d320cbaa33ef1b3200197fa6c4c095215964bd3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
cb403b85610c2d2fbc74c949fc21d187

SHA1
173526046170caf90e87bf1ae8db7850be2ee1b3

SHA256
a9ccd23b29f9ef8b83d38a66b3566dc00dbb13c5a7c56bcf2780e7fbdfc69627

SHA512
9134b6b31aad9de24a0c3f31b61b411a09d25fdfb529d6a61daaa6c4c89fcd3fabe20133dbba8841d1821f49ce7d39253216cd3b5d66e8c052c8762df66dd073

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
c489bebe3d212081d8d91ce92454a4f6

SHA1
6418965bf51e6ee9b886cd4a782909b25b737778

SHA256
b8b88148b0d1438a1f60aa52f3080164fb4d4681aa1249ed8473ae0f165b84b2

SHA512
51a46e6ceb15045839bf95dc20a59725192c468abd3eed04204e56f886c6104cfc71ba32a80f50fde08548c230a513ef1f72cde1eb187a39cdcc5e5ce76eeefa

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
6f4098c931b4f5087a6d9bffb096f0dd

SHA1
99501f2c527d6f9bbf0d7c6536eb7a0dea366162

SHA256
b6c0a29cc7ac537cf56300a9e802ceaedcace49e85e034bafeb6553af659a754

SHA512
c12eaeed5656c647e36fa1dbae60b2221f33190dca856cdaf1e11504585911236de4762718ac15b2ae5223c9e4bb18ff00af916a2dfb1ffc746c861343fe768f

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
debeb6a5fd7661266462c844f9653875

SHA1
7b0b1eb1dada32277a071e9da42ae58b5a343885

SHA256
ea36f5de03eb064e12077dfea329a4223e225653aba15bb8ecffb8c03dab5dff

SHA512
552f023c857b8274c33b2a0d3d19b95aea54abfcd72e35ea00eedcbe8eca5951359ff4212224fe39a2b2fc08e3d63875516980bd5c592811242b6b662ccb98e2

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
a647be73bc997a2cffbf874295d22456

SHA1
52d74c792a01d12c56efc0f04ba1a48d11cddfe1

SHA256
1722c453c03e88d7ffd233a600845c7472468e84081d4c26d3fe79c0cc50fe28

SHA512
dfc88e54dacf1c1b1c4aae3b22fc0d3ed7850e73dd541797a40d2a5e848fc62a2f6c989871e13b98395f807a9ee0b19c2baaea84f73102b91fa70a5a246fab9c

Download Submit
memory/452-192-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/616-87-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/616-153-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/944-156-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1056-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1056-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1056-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1056-429-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1080-267-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1140-170-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1140-593-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1164-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1276-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1276-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1800-72-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1800-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1800-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1800-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1800-78-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1844-169-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2420-594-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2420-193-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3016-56-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3016-265-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3016-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3016-50-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3356-191-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3356-5-0x0000000003C20000-0x0000000003C87000-memory.dmp

Filesize
412KB

Download
memory/3356-30-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3356-0-0x0000000003C20000-0x0000000003C87000-memory.dmp

Filesize
412KB

Download
memory/3368-597-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3368-219-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3440-22-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3440-28-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3440-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3836-598-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3836-221-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3960-10-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3960-16-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3960-31-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4072-266-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4452-599-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4452-268-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4724-493-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4724-168-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4784-46-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4784-44-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4784-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4784-35-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4784-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4852-157-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5004-155-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download