74877a615b8e27dded4109dbf5252ca829bef490b81a522eaa29a383f5af3ced

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
Size

24.3MB
MD5

88a9d6c5816e5fb32dd2801c34cbb0d8
SHA1

5efae04bb2ab9021498e0cbbc647ef0117551ce0
SHA256

74877a615b8e27dded4109dbf5252ca829bef490b81a522eaa29a383f5af3ced
SHA512

c0d14dfcdfdde17b6815be74cfd5fe266f65e3ef43bc997dca16df5eeba749f20dd0d7b0a5f452e9543b16b5e35d603b5bf88726513244e45fad2272c5e25bb9
SSDEEP

196608:fP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018QQW:fPboGX8a/jWWu3cI2D/cWcls1U

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4656	alg.exe
4724	DiagnosticsHub.StandardCollector.Service.exe
4244	fxssvc.exe
4152	elevation_service.exe
1824	elevation_service.exe
1384	maintenanceservice.exe
1652	msdtc.exe
1948	OSE.EXE
3536	PerceptionSimulationService.exe
1048	perfhost.exe
3748	locator.exe
3924	SensorDataService.exe
1760	snmptrap.exe
3180	spectrum.exe
1624	ssh-agent.exe
8	TieringEngineService.exe
4524	AgentService.exe
1264	vds.exe
4736	vssvc.exe
4220	wbengine.exe
4400	WmiApSrv.exe
3252	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\19888cae85ca13a2.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{202F91EF-93D8-4437-A499-C36C67EEB76A}\chrome_installer.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaw.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000110138809d99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3e15a819d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b79b5819d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086bd9c829d99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073e4a3829d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006db4b0819d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000082180829d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe

pid	process
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4244	fxssvc.exe
Token: SeRestorePrivilege	8	TieringEngineService.exe
Token: SeManageVolumePrivilege	8	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4524	AgentService.exe
Token: SeBackupPrivilege	4736	vssvc.exe
Token: SeRestorePrivilege	4736	vssvc.exe
Token: SeAuditPrivilege	4736	vssvc.exe
Token: SeBackupPrivilege	4220	wbengine.exe
Token: SeRestorePrivilege	4220	wbengine.exe
Token: SeSecurityPrivilege	4220	wbengine.exe
Token: 33	3252	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3252	SearchIndexer.exe
Token: SeDebugPrivilege	2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2532	2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4656	alg.exe
Token: SeDebugPrivilege	4656	alg.exe
Token: SeDebugPrivilege	4656	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3252 wrote to memory of 4460	3252	SearchIndexer.exe	SearchProtocolHost.exe
PID 3252 wrote to memory of 4460	3252	SearchIndexer.exe	SearchProtocolHost.exe
PID 3252 wrote to memory of 1384	3252	SearchIndexer.exe	SearchFilterHost.exe
PID 3252 wrote to memory of 1384	3252	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_88a9d6c5816e5fb32dd2801c34cbb0d8_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2524

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1824

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1384

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1652

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3748

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3924

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3180

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2616

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4460

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
9679a241615150f166f7489cf583e85a

SHA1
4aee3e746ce22372163e87a3dc0d848e42a6c1c4

SHA256
09198641e91a8103e09de418897839ad08a37b70d8041e79370a346afdb3da72

SHA512
a9f896b92db4118a055757329ccd939069674bcaa854423e1ca0d763ba4b7d1fe3bad20c636ff4d12af2416b50e2e7ea3f569f24d008e81394fd2cefe8567458

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
d4533ad8e3cb8b50e78a901de80a2f04

SHA1
268b0aa8fd3cf10e29816fbc9cb7739a9dcfb04f

SHA256
d813f9cb75570ead8aa1b746e68bb20cbfbaefcfcbd47519dddd5b820e887a5e

SHA512
de3daab72a0d572e1d4e6ee42e971f7b331dc7cdb0521fb29b6824c15dd244d6e10cae8b5eae40b9ea0c62cf18ca0bd520e9fc04f5e69a11e4a225a687209ca8

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
bb00e6568aebb20b420ba7745f37a1ba

SHA1
edb5d9fc7f1becb2e57bcd3c7a52719464feef9f

SHA256
89d33fc66ad36ee6ab3c8c6dfdc1e755d07c7097cc5e6445ac67a6534f15daeb

SHA512
94d1f65a5591e1cc240becf377c7c5217ad255f04685df257c836a9172e87f10f5c369b7dd8e7eacde4e5037d7f431c99751e5194cc9ecadaee1d729a177eed1

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
4d8a5693228763c5c9d290374696e8c2

SHA1
47919d45a1ed6bdbb73f5722b4e17e55e6627bb7

SHA256
2228ebbdfba8730010ab4ff2ad19a78a9d19d447008f58e95728614aaba77c56

SHA512
5528a35df7c1ee03d3648847a0d01e2cfd01b62c379b371bb82876a7f5e81964885b2e07d18ad84bd243db69f3f40e9baa510e4f3176fd1989a8cf039119b06c

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
255200cd91565f8d8dc73252376beac5

SHA1
b023b609e13b40dfd19e535882a642f6c03fc021

SHA256
5a4f2817d24147380c93b2165dd3a7f134e5c2c6ad34e563c15734e5ef390f9d

SHA512
6b30a941abe6b551d699cd783122b2fb42f4c408bc0ddc1b82c2f19710d79cbce36ebe16d4eccd7cb64a302e5ab3a2338f4b51264a376717e751c0bb75cd04c1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
2a56b7176446070271b50af1db9bc129

SHA1
400da6471a755016d9bf4e4e6b1675f6b1a2b8d2

SHA256
7e0c0306ddc04e656bee20900045e8b1fa3a709bf270e5b0cf438ff416e24ae9

SHA512
08437769273d0a332fd34128bde38b616a48e8abc9328e3cb9d57d14e2d862f7d34500e549c1f57fb2a8074ada964bc1252af0ec3391d5a8e5187c00e69a625f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
55017b9fea5972a80151712da8e0715b

SHA1
09475eec764a95c2189344a333f8f3b8fe221282

SHA256
4a7a3312c5206b7cfc11c6fb5f9fcce9ec76fc56b6c445534f595ebeed3cd82d

SHA512
7164eae43f1e81e4d392b9c650086e6652544bdde764c0035a52cfb987c8b6baf7ed4da6b7da95cc331aaa41afa61ef7a41dbdd7748db2f4181eb4b170a17ba6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
adf9f4bbf74002793ea0fb48da704175

SHA1
82a6c1b5e0e4853a61da51c585c1039971a15e86

SHA256
d5db945bf4ad8c182e8cc48dcc02afc66b25de71c81e76288a846380e2c27ffd

SHA512
bb7b35b667e4d721b8ff12fef24d251d3558b7197f1a9f45c6543c8175eed4ee9747d8100663cd190029a5094a9a53e7cada9f8ef59bd2f6f12c9190e7950393

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
237baf9c1865ced8128259ea880696dd

SHA1
48fb5158d328827e674ddaad7eef6660bfd348ce

SHA256
524885d0ab9e3f818b8b18954af847dded2df052ebccda91417abe95b8cc9776

SHA512
d898b1b2ca63923fab0addc057f5bd323231c1894cc6efa596a578dfeb54e57fb6c26b835e9ce5ee4416c8c9f4a39e6d16b4e549ccb487b2e0f9e175a10d5ade

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
800eb9cdde014a6a9ce405634acf4714

SHA1
9f26012a0a50e5b64e03c31f2587798aa82029cb

SHA256
4cf1afa692662117f2a8a64fa8eab83d1592ae0cd08d239286053cdfe5d84958

SHA512
d5ffe0a2e0d63da9e44d6b755cb8ae195046d62dd24b48fe93cf783a8c03c2258ae30ea1f9b20befd18e91522c96cbb34cffdf83ab8f89598b35774bfa27ceb1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
9a45600372221ed8497d0ba8ae5e565e

SHA1
2152d730c51855d2260b4fb12817e21eb0b204d2

SHA256
cfa27fde1387358a65b9646b4e534e2f09f1133cc3dd67084b5220851562c497

SHA512
250d56c41ca634f3d4ed628c935b8a178610361bf5e15ecf4f1c9328685a87ed983ec1907d1313ea25835c4f9baf46aabb2ea58b51a7dde76b902ae1ac6c2689

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
dd1fce8313ad4ccc0803abac95290a5f

SHA1
468136c30c6275933f53c84584c50ffe4043f1e9

SHA256
fa3f8a1d0e96d4d87165a50582f5111e7c49bec53176dfe76cb15c36b63ad7be

SHA512
46a292fefb2e441794a31deb856c99ed837c27b3e2f366b3c7b7b37fd2be38af8f438672bb787280f73723334255829df255111e91baa9247018cac09ddd2805

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
799dd53678295402e89b58c70139f214

SHA1
de7fb2fba244850ef9c8106b1dfb011567555ef9

SHA256
24e2dcf8dea0a894114623bc296dc9e4c66eb9be828985881454621c3b95237e

SHA512
0e175ae4ea9db42eca5c9adf6c37c6ee736d001347ae23609d5faedc3188aaa1bc6e6f5d362e09e7471281c5894fa5edea0150f8849b8789dbca35512c29bbb7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
0dc631efee8501d9cf6ade6454aa1e1e

SHA1
b2f84cb172bf85f8529d44ce7a47fc9198ad80f3

SHA256
493d94027b007bd2e5129d79c3d72908187e83c3e8162ba42888f54058903ffc

SHA512
5e85b685934e8793b52bc9930eaaf92824c93f3aa20e95fb36ff0b3477b378acbeaefd493af6152047654903a1567816958597e8fa4a9b5fa14409ec3513a3a2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
a3097f8e9f99b554953f766985f5e2f3

SHA1
cbc33459d45f0165d3825677130e85febcb86b8f

SHA256
79bab315ea9e64f70426b41c6be241deab8b6fec3c366c3cc166675b84ea2339

SHA512
0e9e4143d37cd1f67ea356d22bb737c0808735bb0c8053a8bda76b94779e8b48fc3d1de17493392f3599c14c7314cf2b7142b9cfb1e2362423c7ae140a7f6cd2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
c36a1dc70676e5642b63c06ddea3d1f6

SHA1
d89f2c528d9df9fd23a4d771271a33a86bc11b0c

SHA256
52675c68142d81d0c9101f5a93196372a1d6de3387f5c93f6d743e52d2181198

SHA512
f30c47ba2e0427034fea41ba4f3dd819f38b7159bed4c1bac8be858610bbddfadc348edede0bf61c0572c738ac9bc9511c130f008b27a2704d6e561dad7f9422

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
d62c4cbe2e40db6204f292fc53b548e6

SHA1
1d04f975476bae173b40b7e87e852525a8ee0446

SHA256
929af9a93aaf92a734ebd6723f43cbb2c1528f1613587b6d50c2b37329d1fc1e

SHA512
42ad4c3a94e8b15036fdc52caedbb869dedc0dc17fc69f230be5d1fe88af1cc37076aa6b128f2bd0ffe55b55bb94c650acfcd982495edeab2f9165d7888e648f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
d5db67a99c1cb284bf6c776263a88e4d

SHA1
f2bf174e249bdeb17f57023baabac73b3f00ba9e

SHA256
93cd1117d658b0a082725018db5ebf741276179be3fc48408cb350563d4e8997

SHA512
c7bdb519c8391b92583a9ddd15ea495fd24bb024bd341412da514bdca0e6d393bb84c4d384ff96e2d78a9be61d8591ab8ea9b7336b4d1f8ef38c2f97e5b2a483

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
0b971bbc92bc27fde16bfa7271764840

SHA1
8ace207417d985300586dd186428ad24d9fc4ddd

SHA256
b0ba25df7f70b9f1098e1b9d810ed840b676a086341a3c2b4a3498eec6635860

SHA512
b97e535448f73ed5982d457a4c7e62e42abefb768b4d1bb72fd9fd6f39fde11dfaef81629405d96029dced98a17a0fb88d33e5121b8195c9f4de1123f5d541f3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
0b621624af43fca4147faa7f3c397478

SHA1
78bb3daecade3869e4174339c4d23be2905b476e

SHA256
6f71151fe4ce136359ba3323f82f6ea685912e3ca1da3c34b1e2e676778d41c9

SHA512
5e9ed96f3f17149a6146b20ba29304da92d87e4b6b4751290c1da697afe20889a233ff5791b122ee07a11aeb98b18f81c0894256e75894f37d86208d7b185ced

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
bb2a7ccde98b5eb65e4e24e25dd6e8f9

SHA1
fb1355046e1f68b358d832c6795358bd1bf9c97d

SHA256
8a2692d9ced515e67dd635cff87df5e7f8ba609e91fbb45ae3bda691ae220c98

SHA512
a183996009d1b3ae4813a80cd7b4cabba2a4c700f84abb52865e4d42648b98ae1bb70d70c8118e2454a4ae262aa585fb032df2fd7513fbd366b5dd6484681d0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
2679065ffe03a5cee214ed00f46d337a

SHA1
dd1d7cac8d91be02b4f976f6e10a3b9ce5afa39a

SHA256
ac732a808afdf138a1ac22f457d8a66dd82968406d5a392b2c6f0803a7badaae

SHA512
e3a9d2b79b8658aa482244f5c20c9f44f2a3542324877c713e87734621d6707a8a776bc1ec8677dddf1d47dc6c904f35b1437377ad0110b682845bedb46ff900

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
d8692b82c93963c8b156b4e6be6c26e2

SHA1
79d02d6399275647ce3c6cc69da0772c1cd2dada

SHA256
e15b3f411d5293c02028179a7f22e087bd5bac635da141914578c11e4802241c

SHA512
d6b66e647546ec9e87a12b17b9d0cfff3db1e7ce4fdd8ee0f06d7421505b19b9964202d9ec46d04849dd1dc57ac1e3061a677c32c5a3f6c65d4711a169b890aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
3c356cebda9e7c2009535572d861f91b

SHA1
51898c33b8c881c832042dc65c6ef1e114132fb2

SHA256
08b82f177e786800e7c7ab3b660fdfcf8e7bd56ea670f00179e2e1d33cce375e

SHA512
3de79d8b6627765ec4bece2daf22bcd413d43d9c9e16051134b87fd810464e8006f3e9444671191803c9bae47680a7bcec345405b51386cf4935405fbf29a2d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
0c9302b807df4a9cbdd7268b23983b8b

SHA1
dca6578d522fd652a280566f907b9e4cf5dc7544

SHA256
a7021a208a17e2a609ece3779de6bb383bc8eb81cdd28e25945af6bcce79b6a8

SHA512
79687141b7601ab55f01c9ecaf684f124247f977153de96626a6e2f83437f3ac93c1cba83abb36d5e6ec9b2d7e5b46db29210f6ec18a87b2ededd177f9492107

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
7cff7f78fd6f36e1d6982637a840a71f

SHA1
d70a351f70b65cd2658afef833b07741bcce158f

SHA256
179b8ae02825147444e1cc301c5b6f5c5b059fe57c97e9a8b661f0c07c99595f

SHA512
f0433956c72f4a704669a78060bb540131afbfd7226a804e42efc0f76f31b0dc9c6fa970e20dd6dae10006e9ec46065f5c8574b4ff11f201dce1feb94ee00cf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
6bab71ee8fd1339593640af09d5f7d56

SHA1
1763a2b78329993e4c10c172e05576d49b25c3a9

SHA256
35807d7d3b1ed11ceb13fd12b6b8acf1b31987d7710a3303f18f55fa94df5415

SHA512
df2306c77099b5504df63c6c8a9c0f84c1a1f77329cb3f223bb02f979e7f61527909925a09d757e57eb01fa02535a7f8adb2fe73d96c5168515b6a3135736b7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
cfbb0c63c3c95b3d492bcd4d81d122bb

SHA1
9b130382d3e96c2bef86dd8f52eee53949da37f3

SHA256
32be9f6ef602ae7f1eb8c9b23064d4f9a2a0634d942e707c1e82ae167193a17f

SHA512
6887edce506a5335f704c57260a3d8656b74e2f18fcf7b693acf4a7fb7f5abaaca7620a679d7541b425006f8882adc9626d8a90cccd92dc9e8ebf990ccf6075b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
5ac738f7a1fe8936e8cbdf660336e456

SHA1
d2742e5fcc221b895b3ba49f71d22c798acbff56

SHA256
5a4f211c45ed600e8dbb0f239fadbe8a0cc63a3911b3fc0ce9aedd37682dd27f

SHA512
b5d6933e7a93cc1ba70f2f7a5da43e627a654faab8df9616b9b45d9a1010fb6ab33cad6bc5a87e99af973a884591ed250a9482d7659bf60ad92e66052ee1a380

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
2cc18e0b8121a4e93041acb2cbe763b5

SHA1
21fad3c369a9f33627378aecf454ebb75c76b45c

SHA256
59d036637c1e0703b9739eac50c6f366e93db73fa96c34dd74535701a8baf305

SHA512
10ec79c7e28391eb72a1e2d0d67a9296eb299be6beeeacd373fc7f53f6d9dcddfdeb3e57ff16d3dddb8667f397e627a26c8d8839e9773568a490af056fcf5c76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
ae0ac931575611d9aa1b2ac255e1dd44

SHA1
06c7bb257b625fd468d4e901a056c7f072506db4

SHA256
5c20e76e90f4c21b33c384f01d1cd6be31b8e21e8db0b6363c35f0b374d9e3b4

SHA512
4190fc68a9f0eb90e68cf64f8160741701f5fd86ba21bd04c4f2042a86b63bf05c5777ab9e0b81b7d777b6b678198f252577a1aef30232c22ac962b4fda69779

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
2fb4aa6a991deaf4903ac644890d15a9

SHA1
e51f60285909916af97de217ac337adf3e267d72

SHA256
4a40b0c160646a2504e58a750784fcc88ce38f2341d86f1babb0400fd8b6c58f

SHA512
ab3980799a78bea933ac10aae08affd0cb0592de81f3dc5c87a7bc29d9e25550e4e15dd37d5185f7acaebb280b45df97f30af6bf4ff7d9e5f41929e939f5aeec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
96606445254a1f24b9fb78e1c9a8d044

SHA1
483138cdccee5c9c3b134a6e09c4e78b6e786344

SHA256
881d978b62b55d2eacc44215839d32cf5756361fe15ce0b7e8a353082ac4461e

SHA512
7f4de949bac05ce0629123da48538f5e7a883bdcd95384c5fc455c3857e23f5460f28b3d8ed08cbc8e9785aeef0e03917c725a49e6de6bb190591216fedcbd51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
24b03507eb80c77b0e13ee7915c43d60

SHA1
c8475bd4c0ff9540b00c5b9e99380057c75eb8f8

SHA256
a1cdb0ff272e356bde570b9810a018bac501283a6de3316322b266bf4be3a6c6

SHA512
71530a80c872c8e3c73ad965ef5e77ced19af5b0f85a31aadbfb7a5cfe9c14183f3b1f117a0c604891c20ce79f50c5d4be7ef411a7351afb6379ad7531df5d53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
b555fd4fd8fc6ec1b48a3af6861fd087

SHA1
c734e7ef9f3b70cc931d421934c53e171e813aaa

SHA256
63ef41b8e4937d1861ad4ddda047ed963dbd20efd1961e2291cb5e9fe937707c

SHA512
1f7ea42a3b20ab85f4dde38220b54b3f2b2a5daa5376759a880baad6a130c85878d86c38140f71677e53538c551034c26a4425e9b452c996000bea5835f5331e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
8724c2b638cb1d86553f74d95dc0c4c6

SHA1
45ec58ef497edba6f5efe1a84729a6b3d90a3054

SHA256
64cf8db5ddb20e9aeffa70402ecf0fadcde0bf3b1f90e0fceefc5ed021001d46

SHA512
04a61b46f1228d0b4e10087001ef27719263f9bf75a39a709865a52ac89f3427e8c02a0b170ca339c25f89589f4ffa5b5642eec356461a6c0264b6d452fc7d9c

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
52a16503e1a3f28c4490c0a2d076efcb

SHA1
85691b57bf11163418c1830b2f3b31e3486b00d7

SHA256
552171eb9077b427844589b2a45e98a6e5f4189b1b273944e469404d8b576535

SHA512
6bc130c5f23fc846684f1d72c11105429a2c2f247d3a882acb65361a172793948b132b244aacc4783b53352898d45b82bf134e7c7d66fb808d76046d61338e99

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
57505e1f44be73f3d3977324f6a34c71

SHA1
03ff9d292a408143e5d5ae5d93c89dd308bd3e05

SHA256
8eadc5e0df0ceb01624be7002ead04e266abc440015b65ce5715349be5777dc3

SHA512
944c1e28b2ea38958454959aa4ef247e613f902d0fee25aaa724336ce1f5501d4320b7ccc85af50ff78543ec3fda6f9a956279aecdf05c69f770579ef48056c4

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
def8da26d56804bca0cb00037390ab21

SHA1
6dd0c121b5fa5a105d7ed55151e24dc72a7c83eb

SHA256
cbe0cfda772ccc84201b168d5ce066c66e32e702c060c95c97dcfb639853cd48

SHA512
607d7c01bed87fbf351e218dd81c8586d5234bfe33d52d71640310153323d8e044df065c9a14735fd01ef76063e83ec386d6265f710271f76ff4e8b6b133ce70

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
6900076d573568b5dcf14e12a0b344b8

SHA1
e2315a685780aead69760ef80aa94437608b4369

SHA256
952338f6f2c9d40ae6f5ed37464478a3b5c6cefa3323a011d38224fe47524890

SHA512
0bf22505f8a20d2a131d3cf0ed404299e145b492ba468f2f00e7a6bc1281e328b82bc0b663e279abb4493280bb1ff1728970142f910cba16eac8fb2ec8023e51

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
8d98a74385d8d80248322d86fb5e1c24

SHA1
eaca9cc2452cddc69bab632be351868fa39833fd

SHA256
1ac0d5342553b4b48396bfca814687bbfdc950e5533d04f71b1656842df8a8c4

SHA512
b476cff4226c6f9c08d5d74507e4fbd3c1ab5caa1bc620e1d268e8235382b1b874ae0dbeac26bd99e684d6bc99c675044b9e49d3b34666e1179b274b3137445e

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
68019b5721f8e2561ad688abbaa94aa4

SHA1
4089e05f1a8b395f012adb0a553efca9a7d0127e

SHA256
776fba9fa43b5c68720c27c0a809e887e72268bf47c28f583dced2258082ebde

SHA512
4709d4871bb1f79af24c2f1f42bfd8ad268ffe6d6482fb0d7a0970daad6086a4c91b84b15a2a8b6eefa9caa1a709bcd95b30667e897e241acf9d1ca73404ba2e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
6ef37bbfb143f2f0278a8aa81f518443

SHA1
58be5b6190024362dc4302d466e14e2784e39b2b

SHA256
6b5213617eb213484b9ba664c8084cd499bc66aacf6bbc858f097f132c48d7bb

SHA512
4f7c61f7887f1773ec94cf34a1ec75f20f03bdeaaac7451ff98da16e38d1fe5873a487b1f82bf27099be1b7924606c51a63863b68a0ffeda9c85d22b36e90ec0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
140c17191c0cc77febe3b13f330ef12e

SHA1
be69ae5e352be649db49c65b6b64b3e16c72a5a7

SHA256
734b0dad32dfe977766740102a14cf959c98229c1e1d6686cceb0aa92ade8af7

SHA512
22bd580d3b5da3794506aeedcd77ef811d15ea92de6eacccf17f97b398be689eac4357e95f4f3d2c3a2e3310f38e0139bc751242edc34d8de95faba784de63ea

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
a8bdccb9bf6e01db620d5e8f38741549

SHA1
61835a5c612d2a1ae3c240a2d394a613e6082335

SHA256
4b2443dbf0d656a0cfe5c3af5173c0032ba42e31b066f2a7265f7593f8794b0e

SHA512
5bc58d94d3156f59e312d36ebe1a821c490b3a4ce2f27de9187d78ec90cdf6c712bc7ff80376ef1ec9e30f9dba8ba1a86434b6ca3a775f50d8ddf3750b5b863c

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
9b867b684de647f22a808718dde3db12

SHA1
1300b61aa9d3c6af5dff29f484318b24f16e00f0

SHA256
4f35bce61bee510c0d038583e6bd6b37f3654e19d51da28981017ed3d62db131

SHA512
78b293c517bdb89902e144d4dc5e156c6d6ca6627f2d50527ee2971fc0506b89cdeaf4eb6f77f75462178a316f339300c5fb7f0a14f806ad32f887a737ccf57f

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
03a7a85129e4f64fd5cee22a90927aa4

SHA1
578bf610cff5c424073e1ef713a70b4b39108195

SHA256
48bc27dc26cd6f3182bdd3c64ee0c85100a45143afec3ac9f0f79f2298d11d68

SHA512
3d578eadc69b1a55687e0d01f7f283fb8154334454a989bb03e76b07a3cbb3b0502f1e5dff66d8ca453a9cb62256f01bd8782a67c4c45a2fdd84159fd5712233

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
715bd9f44de44ce83a688d6e53c1047d

SHA1
0ffa5d7327fa768dbf8e542e68501a3bb8a443a1

SHA256
0784764971a942091e72225f563ed576bff06bd3c4f19a9d979155128a265465

SHA512
4552db08f4d155a7e180101b359c1f76e1f668db62d15bb3cf6ebf860815f12a8895a5e2c4658756d21b200733aba95a92f0b5302b47845b6fe0ed66b11af1cf

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
ac60766314460206393d9a9a00e88f2e

SHA1
1c0af6e6b82afa92651f380ff59e5ad7c1765975

SHA256
30c3154d03a7736834a1b9ddbfc09dadffd27f898551a72bb22e972fd0be87dc

SHA512
f453650cb371f6426b7736641f92ec82a89d0a6c11e886e089921599a1bda13fe4643e69327373c24d8a6f8e3de9685a49b9b8a5fb3a1371962c335fa9456a34

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
0ea46792ea98f005937fca03035d69b5

SHA1
1056735bf4ae066eb2beee33d7bfff45a5ff8cef

SHA256
b7e733d24aa98b43fea9827be09284c89bb81a15cc5eb614f71fe57add4f4125

SHA512
a81a2f0cf7b5966057db2e4ac403bb14c9591b09451a2dd33c4f4c3accf9b16cd01b51f817c9657c9fb42d21432721ba3eb7caab5f296e370982021c393e799f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
4b8b5a8fdb8ec98d848a8cbffac8ff55

SHA1
1231b49f05434816e8440c900809f46cbcbd738b

SHA256
051f639b92a5bcf95f4876677662dc1f1b348b0f81df82334f5f39d0a60cbcc9

SHA512
3e5a100ad3d138358a7592a4746e6eef2f7eaa53be335145cf7b61c7dd98ed081b34fd00cfbbd1c39b0c141e7b1d627aab96eb7fd3d5a0789b99454baf4ae531

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
51a08e76877970c9b9553b2ebbc006eb

SHA1
fee110a7db930aae948e4a5e65d1bf9a09975841

SHA256
47768c93b511657f31d3aab597206e9a077c09215f764c303da2584d765b727b

SHA512
c19f4872549f675a67d3b156b1b43c728692751c22ded1d51295ad63936387e6fccc9989527ae341e99783128569cb554c406a2d7bc2dcc0ead22c0cb92744b6

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
7b19f01a643479cd5e9597a14871ae01

SHA1
4ff2e00e3452130e2b58122e5f28f56060ae8065

SHA256
d5c36eec2f991e537f719d8095d177c6701665c9f363def3ebb04360decb2c38

SHA512
b515626893f467ea97b9c2f298a3aad1f5b862c4c78aa0d7829a0610db712c141213952e83e882f82cfeb02c72a52f0e1138ce43e44c2f264955177a959b67d6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
9c76afbefbe3cd1e3bf6c4476ac7166a

SHA1
b9b21c933925a55a12481ac35160bdf3dd6b92bc

SHA256
cd4299d8ec02c26bdaeca42fc0109063d5e8a9acb613f636bcc090d9e37f978e

SHA512
45049065361bd6205e85b221af6d248cd053926d4564753373c0bffc0ba17dafdb5afd20771fa1f2cf1a7f351cca19730be9a3bfa916e208ab2914356af7b664

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
8fbffdc0a496133e7366c93e38ccb5ea

SHA1
83fa78a665c7089c5cb3bf1622a5930772c934b2

SHA256
694052a3d9bbabe4845b345812283a1cd5ef6480728e5dffafc6bc2ad302e639

SHA512
33ab012ec4082d73f9ffecaa4aba2c2fd5bd3544fee5511db31c1c59c26a7430e1165c2d624ce9980bdfce3704bba2eeab96a9af96848f6973469c6868bf0827

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
6cb778dbd97d0b3d93645eb68b3e1c7a

SHA1
977809236231bbff7c655064b1e84c06fdaaa01f

SHA256
3b37a3c67db3a4144eb7d14578ff6a9964fd4f513569736302c97b4e17685ed7

SHA512
ec785ce6c462b428b830a2bad65a4c170f666a15fe33b20411276ca62b373c4be9e38e0a21ba2802aedca99ebd4aabcaf9c5c4887e05e4a330418dba6afc8ec1

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
092595a59f614f77e9c456b0b769e5ae

SHA1
68ae85fb6e9c266a9d357642614a0d3f4d91574f

SHA256
bed170d87a89e1bc865e9c2116f08cd67864d5d136cc8df43cf12c4d96753000

SHA512
a6bdf6e90ca7090da6e1d854dcbd98e75a1cd06fa4fa7f9ce42879e118a1319851ee91169576d1f8d48fae65ba9d54e22bedda742846570e3aab60dbfa758ce0

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
b199ff2713b3ce35f3e0a7afe3fb67b3

SHA1
8e77dc3f46f8065bdfb68daccd8b35c47e73563a

SHA256
ecaebcb9cf151a5914d4969158a16a416a0fca19543ee6d66ac09175d6ab0a9e

SHA512
deefebb8429124f6c8951d820918dac561201999240e9a99e802254cab57d5c18f815797b0ed4324a3c5d8989891a5c2c5765c9804e1fb6d1377ee84b0e1e389

Download Submit
memory/8-298-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1048-125-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1264-299-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1384-78-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1384-81-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1384-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1384-83-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1384-72-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1624-297-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1652-95-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1652-87-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1760-305-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1824-545-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1824-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1824-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1824-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1948-123-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2532-0-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/2532-122-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2532-14-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2532-5-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/3180-296-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3252-304-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3252-549-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3536-148-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3748-150-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3924-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3924-494-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4152-54-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4152-47-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4152-544-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4152-48-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4220-302-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4244-43-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4244-37-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4244-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4244-56-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4244-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4400-548-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4400-303-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4524-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4656-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4656-17-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4656-10-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4656-145-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4724-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4724-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4724-32-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4724-263-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4736-301-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download