f629d88bc77ad488aac8095f3736c7b0b442c6a416f493bcf64676f2e2973000

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
Size

24.3MB
MD5

5ce9da2f6e5138ab031ee33a3984fb9a
SHA1

26bb3e3fd1ee6414ecae0a037280dfff6f9c9997
SHA256

f629d88bc77ad488aac8095f3736c7b0b442c6a416f493bcf64676f2e2973000
SHA512

8bc9928dab4e1260ece9e9e1f5baab22f4b16f31de1602fbfdea151210f5141f20d2d14fb0b8e5e14098fb8ef6657da9e0ab4d682ca89d3307d766dabd1479e4
SSDEEP

196608:fP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018WIoQ:fPboGX8a/jWWu3cI2D/cWcls1F/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4072	alg.exe
2912	DiagnosticsHub.StandardCollector.Service.exe
2220	fxssvc.exe
3912	elevation_service.exe
2236	elevation_service.exe
1112	maintenanceservice.exe
3696	msdtc.exe
624	OSE.EXE
2240	PerceptionSimulationService.exe
2312	perfhost.exe
1004	locator.exe
920	SensorDataService.exe
224	snmptrap.exe
4808	spectrum.exe
3476	ssh-agent.exe
4864	TieringEngineService.exe
4788	AgentService.exe
2772	vds.exe
3832	vssvc.exe
4256	wbengine.exe
2180	WmiApSrv.exe
4800	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7c4eb330d590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f242026e90acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f26a096e90acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039ffa46b90acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d76f26c90acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe

pid	process
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	2220	fxssvc.exe
Token: SeRestorePrivilege	4864	TieringEngineService.exe
Token: SeManageVolumePrivilege	4864	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4788	AgentService.exe
Token: SeBackupPrivilege	3832	vssvc.exe
Token: SeRestorePrivilege	3832	vssvc.exe
Token: SeAuditPrivilege	3832	vssvc.exe
Token: SeBackupPrivilege	4256	wbengine.exe
Token: SeRestorePrivilege	4256	wbengine.exe
Token: SeSecurityPrivilege	4256	wbengine.exe
Token: 33	4800	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeDebugPrivilege	436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	436	2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4072	alg.exe
Token: SeDebugPrivilege	4072	alg.exe
Token: SeDebugPrivilege	4072	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4800 wrote to memory of 3868	4800	SearchIndexer.exe	SearchProtocolHost.exe
PID 4800 wrote to memory of 3868	4800	SearchIndexer.exe	SearchProtocolHost.exe
PID 4800 wrote to memory of 956	4800	SearchIndexer.exe	SearchFilterHost.exe
PID 4800 wrote to memory of 956	4800	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_5ce9da2f6e5138ab031ee33a3984fb9a_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3004

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2236

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3696

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:624

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:920

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:224

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4808

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2576

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3868
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a31a224b27c4780c8cba491cfb0b2539

SHA1
e48bffab44bf6f479ed870a74f54e240770668e4

SHA256
c58694695303d7b327de501257a330308fc05a8439f24dcd00970a6f305c116e

SHA512
51c4a9d8e70292ceef4567ceb7451869a983361363271fb24534ef2d56057ddf0acb12761a4ebfb26d67b316c8f0ee03d88704a70d5615b2e9e978b2353195cc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
81794c3c094faf972cc0450bfd510403

SHA1
cb084b68f064aa00fdd8543018ffc69ef5d33058

SHA256
c8b9f774a4c3b1f5064bab2dbdae502bcaee8ee4bffb5bb3aa05415b07ad63d0

SHA512
765de645b30a7281541fe95bf68630a6ab874b0943034587bc2f8a33d70d02f7dd83b18ce3d623baf4c4a10157183efce3d6e47c4a04dfab4afbc0064ac530c6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4ccadb191afde8452e926efc0642b178

SHA1
dc08776ed6eedf4c2e92a0f0706cad6e5801e144

SHA256
fee54c5e9b8bf326bc6dcbfe6f3d8f0f1ecafb269f75d140514ac0fb964b3f70

SHA512
ea6547629b6d9d2e07864c345d7743e2fc7c86b2ae991ae51bff6460bf5a9e5a4bb3a25feff9bd5c14ae67668a1ad6430290cddf6efbdc1ec769c2726b22cc88

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7e43f01007bd6d8c57d059bbe6681e47

SHA1
680fdbb8cb08fa3ba8dbfb802169ed4e13631bbc

SHA256
08c39ffc37b000915e0a70db9f601c21419ed2a6ab1a35cc37768d77d9b3e781

SHA512
4d382c32c275b314d3aa72ca5dc6e39c6b6da9a377fb152cbef80ed708933936ad2b9068c0ca1c17a09f46500c13b02369c2839237f0639e70efa7cc6e5ba424

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a4c8278b2200bc2a60c359cee8d1d10d

SHA1
8ea743ba77aad9715b43fb65cd68d6d6cf521665

SHA256
0021687da96b8b49509db03eb7251e3be7b580a576bcfca030eba5fd243ea992

SHA512
42869a9ee153c1be0499e5f9497d73ada6082b8d7c47a9764f8e89ee2211cee716e183586fccbce2c44b82eb82ecfa8a88de0d5526c15dd6f37d2515146bf7ca

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
2796672d3a3ea9f61d26ecfaa243c65a

SHA1
b018185cfca6797cfc9a2a6ea59926a5a1308f6c

SHA256
83b833d526c7da98112ee872e3b1277fd0cf4f4393c2e2bb19b523cce159a22f

SHA512
4d3fcb6b7d52ac2aebfe6765dfe4f843ba13f6196381ff56c99923bd4ddf3c4398f9a5d90cf107082f08140ea53dcf64e1faf688a565040c74b385a90a574862

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
d41ff706f5a7a66f49deec6cf5a31d8d

SHA1
1ee11c5518e9ef1442994997e1147c6e0f97c9e8

SHA256
684c50ae898738dccfd2bdcc242d4589943fe0c83266739b1b01eaf5e964f07b

SHA512
4767cb735d1bd72222b718caa3d636f168edd7419236df9809cc0e73dff55adbc4a4a0c4ba40c8b7406f4fcb85239254826dfcacefb051887e0822f1cb2ad71f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2ac52a903a8f98f8a49f3da306040729

SHA1
b32ea99fe7bb7cc49d80adfcf1f13253d1acbf9a

SHA256
0092c9cd32a8ccfca766f3ca24f3fc3d7d7f8ab60342005609c6095199624102

SHA512
2da42d681bc819f343d5c77078f377e5ff3760cbb5192e5406924169ee8dea5ef1cab6c6ed66b5072aaa190a0206314b49a62b5548907b7b81b0631bdfef8147

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ce6ba388b81aaed300bb657efa7999cc

SHA1
3259d4a9f6e995402a77a84721107f6c96a88777

SHA256
aad3ebc67381f28561c9a004d9d31283e7dd9cadbd6e1d3f112360904dcf97f7

SHA512
1e13f371682cbbc6a733447c3a94a50e76ad34c44d9a8c8340a579b98114e438f1e34c5161cc374a311609dfe4f99661f96abb71ac3b23cd2a20a1da4660f516

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2e822ddaa24842eb178559314b81b8e4

SHA1
4b620a4e4fc7ed884791ac891f44a0fd03cd6d17

SHA256
1d9f80a2db16287c0c8d643716516a5d4cab64e58ddc06e5b253e8ec3fff01a3

SHA512
0f975f2d296d5a619d7a419cdd839f6d9207c1b2628ecdc0a94406b462265f38df976a5fde4f3abd0146f1712bc1b6baf67bee48a66c09083babe79b60a16321

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0d97664f2012e52999e6a93741819fe1

SHA1
ce061fbfc6853483e2f987103ebf0d86db7e3606

SHA256
ea2d6807ea3af09ad7be196bebd18a02d85f636045a3f9b3307289b5c9bfae7d

SHA512
7ab29ca5b581b422048fb0231ef76ca2aaa18f144afe1c2bf1d9609b0c76d5e92287dda7d2e9df55e433645ab4dffb2b70e1839e92b1994583c0ef3385beed63

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3c2fca2603702ad9624b56166ad4bc93

SHA1
4bbb518eff8ac6a02d0bbf7bafa29a5553f11030

SHA256
055ee5bda2f2e82fe441f8bd7d8065949cce3e908fbd4733352bbc5f58c9ce40

SHA512
456a1b2688e7f8cb49500993fb4ba069887af6b79ea20a32562212498c40cc24d5a63a96b759749c02e5dda8a9afcf10b8250c38f00f3f38e6a8215958aa6c18

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
88f17eddd4683a61947773e480545399

SHA1
248c4852a4a5c2ab360f9194a8994f26708c02b1

SHA256
806d8db6dd6c2c41a7647f74eeaa69e15ad376e3bfb316bcf84dbc688bfb5980

SHA512
8a2a2d013495244c2f41466b9ac5f5611b2a8b8a5ed95b0eaa9e668626ae15230f377ad21e0236481d7149fa3146d4d9fcb4c074245a037e1b5ce897be8a2d6a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
74943f703e2d52d59ba773e8aa2cd1d0

SHA1
7b2a7119e0cab9a4cb6223370cbcbb7411310ee0

SHA256
aa684701add3741c0b964fd2408032e9acc797578a75b7be9636c3c214891f45

SHA512
1f9c8b72dff19d02127517d51ad5df60935ed4e9332e56a35cf1e680bd0a8607625590a74bafee2460d987b34c67241a14cbea41bca936b5c9e51e3817a0c4e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
09566bec141f65b1c4d55c1a1b00ec09

SHA1
d5fa03d45078a4b2ff9db56a4ebf0425b939b673

SHA256
1bfa2ac2e9636a64d5f77845321db6a579be728d7e7cb1b571ce0b84bff94975

SHA512
9cba575ae23b0b84f2df7558a5de818e5d79e72a0d4b35a7dbbf47e37e36678315afb9a1859062085ec4db4bd7853eb2601b6d95c692e466fdabdc9d22e54d97

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1ca6f8ef36f324a7b1fd38fc1607401f

SHA1
0de1ba243fbd1251266da6a7faaf897dd965754a

SHA256
a211362841071a54aeadc94ee4692f01784200b1844f6ad2c042d637b60ec7bf

SHA512
f23099b4a9ffbb32739f5dfd4de6f6daee4a9c52e205e0c4c0964494f09762b5ef7887b58c8d2532566d7d0986973a7b745a3b78c43cb5c87f3820bf37d7144c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
44d376c58d7e9520f678cd33ff5c737b

SHA1
a1f3c7a7caf26119272b8cd419c041a34a31a601

SHA256
20466e78b5cc6e3d8a2fede7d8c076c54d6744889bf8c76a454348f72247d299

SHA512
790f07ec0e364e77628762288ef73a8f5ed808fb8166c363dfbd51e76e0a9c57b054b282dfd88094c70d7e0616fcf09158c85372c1e7598b4a3d6647d3c8c474

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
dcb720dc00af67af972cdf033b4a4f7d

SHA1
4405b39c65f00522d09fb32abbaa7d90ca96f690

SHA256
8e54b7175f6cea0164a91fa521d4cc52da5f0a8fcaabdb3a765b093fa5947f00

SHA512
872855bc449e10c0a21d0b4824fedf9eb061053b4ab016ec71b8c1c7847de419c98760d65364b47ff3f844201cc308b565c37021550a8b1befc9567d0a003e4b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
1003be221384246e2fc84c3581f3f315

SHA1
1424073f16379139294224f0d4198d4a31a3095b

SHA256
6facce3835b759f1b8e627be6da1873a8ce61865ad6ae652f9875ac73738fcec

SHA512
45fd097095900ce89103a19ffd6b11df04fe26a2c5b33a4640bbfd7070f26fdbdd47abdb7376f653e6a5e22feae2b9e114b40ca28cb2ff08710e422a6ec1e02b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
9e9e7b083f8d829d04cc871840c973e3

SHA1
3012f9a1674544a27ba436e6b36aa0162912b57c

SHA256
6ca239d3570a4c99dae069a31d70ef9adab064d292bb457a516dbd64c1b5d9a3

SHA512
ed8ad8926ca33614ddc60bec0fbaba9ca229bde9b9340613d6c7f40f7d6d3aaed572370557ebacd46bfe6578a5eec90aa54d1c53ee05abd2a6d0f9272d2ae372

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
26b39d5ddafda539992b7943d56f5654

SHA1
ef68ab65aee09a12d9d49ad7667afa805251b365

SHA256
ec0e42915e799b28f27fc07ccc934f96accaacc60ad1864b50ac5f374430e741

SHA512
a53de92e8b8625b1189a06ad81118d316615827022593807416b90b8778e3f646d0d3744cf8afddd95291e6b9fa3955f2bf8218bb98d52a948341fa3178846e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
76a4de814b153a5f41e2c542676dd297

SHA1
a1f37c236210dc38f2c195a93f295d1f5dd54181

SHA256
e6cb2e6b63473ec02e03a925f7c54c66bcb4ddc0e27b4dff3488649db6b28198

SHA512
c473d8944bdb4ef80fc14e90b282e9328c4821815cd80e7d5d6140ce870e123f37b46ffb3e814869df2fc3b55eb7fb685a0d90fafbdba5590c329d18b4198bc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
463088d472de1f496407d3ceb816cbc0

SHA1
2b2cfb9d2094d4ff52e33637f674bbc46dd22998

SHA256
0dbfef535af1f05b5fa8cd21bcafe1df5784456f642ed69e759c5f0901f07d29

SHA512
b4a1c5d31ee5666cec85bdaf8ef26364ec657d5f5b80b81fbfe1170450a3fa21a65fb298ad38b6658b6a84339d35eb012ebcdd2adfab67f0d7908422597e51d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
06eb3c240eff9b37abe772ae853fd142

SHA1
8f19ccafb93913cafae359fdad62028707b340e8

SHA256
48d260a7fe4d07df39827ce0ecd8eaad6aa19cdbd3aa543a60fb20c675745c4b

SHA512
507f90489f7193adfc06473a6e23643357a1709b5eb7f9c48643e4e09c858884709489ee0ef8a3d32c9c8e3baf4356c3ab585237e8612adb4799d8c35bc77060

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b1e91373cc2103b2f6a5e94223c31fc0

SHA1
df3bf5641c0af1d69ef28fde9e4b0f37ce766f2f

SHA256
9c96e2bdaf8039c726571a6e610c55b592238c5b2c9f100721472762872a8431

SHA512
6a70e99c33c5941b936dbd2c36e55fde6df50add51f994a491fb102c09d55c5128e871958c5dce7259e759d08a801a9f0582862d21860fdc753b5ef617c949df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f5af1abe39a050d5f3c4ae647c29702f

SHA1
d3eecc4ddbb9716d717df6dbbe865b7684adfe81

SHA256
9b15c8c7f8442fe1be8f01128e92d2172cb5caa9460b2b01ab99b03cf27649f4

SHA512
a70bae3acd290cecd6a497a2bad28bfbb6c5d6b5f755d1ec7961a98964ef113caab7adb67449982189614865177debc2e06904b025879b5de178ea6df5c1f906

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
c591872b971dc1b2f3319fe4c15abdd4

SHA1
e0ea0cbaab1f6883be22562ea24f7712465cf569

SHA256
439cbd4c53835ccc56d1037932cd71008975bad2f1c3de10131eb0a703a38fce

SHA512
cc84f2b4ec1d32ded246f0999f423abf764c8f78cf2c02584aeba5e1e13e98d4c47541abfc399a0eccfaf2e578c32b7849fe469d73b365733efef77dedfe7b4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
afff548adc91717338227dcf7545da46

SHA1
0bd81920b5252faf60d5922ed0a5085e0ff6d661

SHA256
2f79a71fcce5424ede6949d2a8c919abc93da58d77494b6d641f9985790e9e66

SHA512
fd13b7855f1fd0c7f37d982974b978f2f0bdc901486b62f3beb4cda4920bf29228b71ac172132ac0957850e841e2197a08e904fa91fbd6a29ac826b66f40a062

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
53ad97b083684fe6346e5e152ccbdda9

SHA1
988d65e99064c636c0e1fa17558da072a65fda2c

SHA256
15d56094ec8157729f5d9886873355bf771898aa5a0e1c8822bcd2a3d759cd51

SHA512
3e2693d134244c878bd2c2857daf48aecbc7677f380c528ffa3d20719aa40a59153629721aafd949449fb35a87c62d082bb688f921efe0c7d61a132036423348

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e82e69b69c0fb99c8cabef082d1d2504

SHA1
dd22969edf66447f4c228ff06ec567ed45b1d0e6

SHA256
3bc2b79a9f489f889e138e34a87305a61e67bdb43b89b7998868639de822214a

SHA512
49d4e7d60491fd4f4cddb1b3b37ae1c5d0dccc63a3facee66b0cd31082bbf52d188d8c58136eb4037e6ce3dbc2b77c89a5463a319d0a59c719f33ca9a7913fd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
f0261c01e43f395300b3e370e1022c9b

SHA1
e3f3ab6160041e2cb615496ebe97dc98ace22eb6

SHA256
807b273177e4b17d88af9421f876cf3f0ae36e99b835ad8f16f88b254a8767c6

SHA512
a157ea7fd8849db315313ad6c582a7718f5db5096509cf07e76c5b22ef3c7d97dedcb45a32162deaf7adc30e8135ba3f1f9bb66d7a2ccc2589e6c660d742855e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
6694cfafcd3604af17b20d9064ebc97a

SHA1
5e8f93d744625c05f965dabb6fb41d8341115dac

SHA256
20fc63e244cc20edb8230c4073ec8e0dab0fbf7674389d77fd3177ee4633b579

SHA512
19d5e3b3ad27f9ac5d66dbcaed69c44a4c803870d66b10bc13a0b43683745d93c3a4bc14aaf3b7b03209d59b0af75d677a10c54d05c67a2d7e62ab48b4fa7ea0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
5b5b020dddfab173dc3351c69776c2f9

SHA1
49776cc09690bbe7e1b944506133cd59397b2fe4

SHA256
c13e893b3a9447f5bc648e51c34032505359d037f9a2f0025e93e18c7fd095bc

SHA512
77ac5742860d6b6a2aa8dcd942415deeeb423ade2380e4422982a4a6750bbb60da0c9ef64ea01114e3efd5113bc376b9535aa8e1422a4572f0bfe87b8298fa91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
2b23f22b047f38bf5f519764d718867a

SHA1
af1640f5541e0bb89da995cd8447b0635abea721

SHA256
9e3fbba7e55c7d7b83651006376aa01aac55f7508d129fb9a6e4ad5221716867

SHA512
6802b48f15f2fe34a7be43b44109835dc5e6f67603008be1f937d5e4ecd64843f02afc17c9b70bad1008dc26743efc06d8213856c4a6fa0ff8568a0239651cb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5c2546ca9a5f3d42d5e86e878521ec22

SHA1
3da77046d62cabfe3e6d4e8f2931dfdd52d65537

SHA256
1be7016ebe7ea284694f4506a778bcb155be08c4144960ae9e445e4b08c1d7fa

SHA512
80d5efc804ae783f36f2fb6ed893d24409d406001375e2229d6f7e9ffad8aad06ff1fda4be0ab1f8857be661b9a8699a58f753c6d8959528b6745184d490b622

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6af8ae65461ff20d0bdad461207360e6

SHA1
f2eca0bc3c9e8b5b0646eda8c39c705861884e5b

SHA256
77ef1c36e12a5e6c60ec67a4c08ca713c2f9bde6cddd37aa60bb5f4f68fcb8e6

SHA512
ca15644e9d798213a981cc571696f410d25e50d32b514cbd137228d1ad7d56595749c461d2ea2eaff4f164e3e144c6d03b7fe8a64a839726866e86ba6f5324a1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e30c35a973cf43c9ee5c98014deccc29

SHA1
288d2fb7f3ee804201d12a05b1e91a66cdbb1689

SHA256
fd26a034a74841e1ff60ae1d927cb0a1a875535c5e25dd6b3cb4c62ff286ccff

SHA512
b7819f4b079841e587b7cfd63c70469ad8196f39a998129e9d5284713d6b6417863948b2aa50756e8dc6c0a055ed7ff097be7ac97a22efeec3e2b32eacef1ade

Download Submit
C:\Users\Admin\.node_repl_history

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b90b39405b56293e1b4cc26742f44a3d

SHA1
f557f1fe596e0269c239ee4c58c42d2c3443fc36

SHA256
d5b0f66d3fdfae582ffdaac7239397c0655f1bb859e6033fb6a3679a79d93aae

SHA512
953a47fa1c52b77d2b39248fc4f433b66bdc51186f376a7b7fbf51d21e15448656b41fdc3f527eea56dbcea868fe1827da3521051293a34e934fd2956c3b548b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3fba2bafb2615ff6475515610a7e2eff

SHA1
efe181df1b542fc2ae1dd5f83ea0c034c23f427d

SHA256
5747e54556b23e976cd1fb6ff4a40b550bb3a0e5e15777fdf3a8767b372d28cd

SHA512
33397ce06deb4901a7d2942472e07c185e006f91e8b85d391c14ecf6adda258b4828bc1df01ecae385823712f2bcdf5a90e3e433d3d4197c3718bff8acdc6592

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
11c0583c4527ef9e21a08deeccd0f0eb

SHA1
bd1344b69d924e2edce2ef621489d7cdd77adbef

SHA256
7fbda150690d5b9b94ac3d8142355caa11fb5684386d8c2530c099b6abca0a70

SHA512
2221f492f65432b52621235475f34abe862228ec332d3f1fae9621434bf811f36b00d26aaef327bf0962b0c376bae63d6d565708cd0efa2bcaf807f82c09ae5b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a5f678c92cbb2c6f56299e580ea66e54

SHA1
0871d668241734afedcddf7f25fbf8764b3370d2

SHA256
707d82b644cb74d62c978cd5da5e7c4044a6bb3c80e0354b695c53c584d7d3de

SHA512
e11c8ce07e61b8f49ab51ea2b475803a7c23694554d29d73d75534322c53dc139eb0b8417821586a2e6d8ea511b37c06f26c4d69d64b0ce7351def29650feaf0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
83f3fe2fe3fa426f4ac05641734b4883

SHA1
f1f4fecb712cd5802ea25f4b670c282de0c41565

SHA256
3ad83ca50d062a79ad14d2504f13b1cdd9f0af5f709611be529e9ad60b861174

SHA512
8db2fd983a11f36b4408820726afc5627862a0289d81afe0fde45128159d61254705a3812d75e8ae4b096f5ebb6b09c26393b2b09997c83e672963ee3d29aaf5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
eda2b8ceb9c8c05b85234147dbb5f766

SHA1
2af85fa961b28f803db965a54d5621e599873f60

SHA256
9499efc063ed582cfaf823352d8f2da20cad75ccb54d8213d2192a761e5b8278

SHA512
68844fa27a8ea9858b81a0f769e51a8ff029150cc5f124af3ee9185464b07aa838c1bcd0f1caff6d8067d6dad9a5faa120cb63ba861ad0c557dc1e693f8bcc51

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9580788b318a37c7b7e433ce6f57c441

SHA1
d199407d3a5de678b67ca4e53b071150ba9e377c

SHA256
1d2b64303fc883e01882fa97946b150208ca5ae7efe507fb99065f6a5b9cbb8f

SHA512
5e5e78964b3050f951e11b29c7f64c400013a97266ee8ee6d1e4c6def7138e48bd66ac0bd5d6a7a3904aa361e060e5133543d53f427b6874fe4fd2ad73634379

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
51b29347a36a84f283214087066c5f2e

SHA1
99fea1342b5c483e4b5dfacd2ca6e99abf652c3f

SHA256
297bc04fd0c78541d34e9bffbb9dc078dfb40b5ba6ead08e88e4e3d585245285

SHA512
8240bc2342b4fbbad05315a90633732cef3f460f77c80103dfcd48898afcc2954bace2c12713ed25d2905ee7d323db42902d0ee46dfae0810cdd15abdee3935b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d0b142c5dd0d4093b05363313f79ae53

SHA1
54b6d53321ffabb0ac5a85fefcde1189a8c416b0

SHA256
138f559cb470a2d483925d597c3fb9632f140694e77c5f46c865d6059ec784e5

SHA512
9c2dd72144a9bafb80b1af9a5edcce0e75878522886291b7e8a025442d9aaf8025e0789267786342cf61d298fa89888f35f760a13ef987a67df6cca9197ea8b6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5b1cdc1302a71be108fe0137e853e0e8

SHA1
7d22081a0a66a70b68e1d4cb6cabcfe37c8abb69

SHA256
a43c33e0146c3000d5efbba00782e5575a3b61d3e0a7c225ebbefe6be0eb69b4

SHA512
edad633b93fafff4d7f869d3d8867f26a6f13cb3badfa41811967b281789022d17f5add494b4f4c4868393433a1cd60c833f0c40ddf8b8bb8903cc63720bc690

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1a099f3cdb977b23bd399751db817961

SHA1
7b1cef5a41596c03e585e8c49fec179d0080d86d

SHA256
c7d4824147a401a7dff8072f3e5d45f36cc698c99213daeb4304ec57be53cdad

SHA512
9ca2bbd0b4beeaddca6c260a523944137737b69947b0a4cac655c79ca28ed6abb9058f79b0a80487039dee978e301184a68cfa7e01adee227628f97fbebd8931

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e44bc0da2333c21642b98fe324806da1

SHA1
e07c37b69a91e829ed91b4f9554f9bb1ea7ca702

SHA256
51ad8e7fdfbce9e446bbcb620463a00e6b499b63b57374587092abc08819ac15

SHA512
8bc17fbd24825fb35dc91ff44277ff89482bb905d02bbae9ffb5e9ce63803c65ee98048664419f18b0b110c3edd146cf4039c059ab5471e2985daa3a1f6f1fca

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
088b748430065e982343f6cc58af51f7

SHA1
7d37719fa7c6765247fb40dc5d4982dbef12a806

SHA256
a21b0270e944bd5f4ae94e25911dfa768283d36106c0fd5069d41e799e06a406

SHA512
4156d82e428f2537bbfd4ed73dd6a42da09b188387e9965f2c0cf534320b0ae4499d98eed6a49e294aeb6ee59d0f3f2061e15fc82075d42ba9753c20b5e3839e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
07b12cf4c0b493d228cc4fee02305606

SHA1
2a33a9123de2b987c9608420f996528ab290559e

SHA256
66fe6d15df5a116df78e5c07e75a5dd5110bf68acc0639b571d7c962e48e2787

SHA512
50027e28afc77ead3d09428fb80369e15afef27ce3c6b44927036a40a8202922ecc3b2ef120b3a2cba991cfbd8560814273ff2e1b06fe4d3f1e93c250c45c191

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d5865289fa827fe0598838a7438ab3fc

SHA1
e8b684e6fa466d40e28bc1c629b2cd6bbfc62f60

SHA256
46e724761e3119c532575a4b75e427e08e8cf921d029043fc8a7de0d4ab264ab

SHA512
99bdd5ce9451ffc2a681507bb46b983cf0f7b546c15affaed8212d9ea0d66b5c410ec499d512e4694bdd559eea6e1429c6061afd4ec0bad1b23e231029a31ffd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
542a77da48b734deb2a4e8a621a1af85

SHA1
f85c43ba2fd114c9807c71d79ca2eab99008f636

SHA256
0d21c84e3ade068ed0e1371bbc2ab664b7c68411b8f0fb0cf111ed19a89df816

SHA512
a2ca7ca3654cf6ec8dd242f79996045814b5173539e56ebd0c2bad41c6858a6139984bceae3e390fc2327c5aa52ca745d23db6a8b48cf24642db7caae340ed90

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
751464dc84e2e119993cd938eaf58ba0

SHA1
88f3b43158549dabddeeafa95a3a778c1fbd26f0

SHA256
5051ab21a37c94e2dfac2d2778a1671bc91ce393c77d5539438864cfc1d59ccf

SHA512
f07b8115c6f2c24e56b58fc1de441e9097c6e2cd070f66ecd7713ce4a91fb0692f3d51f72702e3a307bda8baa5f9948a45f82567849612e72f6604570ab10bc4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a0e2648ad1c6138c9046434f6757a7a7

SHA1
c0906c76a5c30588fbe46d87883c155ae4ade42f

SHA256
f3735a2bd1470f7af4b2b46b3fe63cf0c8371e3fc7cef125eecd80d31dc0f5e6

SHA512
8fcc8144a795fc388cabd709b58ca3faeb6d1b05eebd380b248c1e8af188f5bd881d06a0a481db38f6cfbdec12a6f7b30c5fda76b2ff23e8debbb355a1e29d07

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a06653dac6be272fbf5936d85b96ed2c

SHA1
54c1680ce5456386fa980b344e9170a0dfdb2585

SHA256
ae57d9a31d3407f139b8668356934a6ef1549220760448381960aa862db1e78d

SHA512
df62fddecbe0a16858e5e231ca897439cad03444702aaddf83f712abc5dcd210f607663304256af9d333b97591015389e51fde946cbcef3880f5e7247d9b67c3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
81f5ad9ace10c4ea34bde4eacef67032

SHA1
2947daebe8fc4dff45fc5fdcc400a2283615fd06

SHA256
c98e4a34ed7fd1373984b07f090366c03802308f02503731734d0349054db2e7

SHA512
160e9cd2794da3937570027535d62cd23bbcc79a79a69aab8139cff0982c3602e407c7a14b39c8909650129a9b6e832f2dac7b65f423b3fb86df80922fb83214

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ddda3fc3b8ac98b19198c491dba783a1

SHA1
7c3ccb75e538d87be6db2e85d76e75c74a626cb8

SHA256
0fcf9ba139b3714eed5677896dca5ea326dd90ab1c28e5582f1ee7ba1da74332

SHA512
7ee2d68bebee5ce41a9e16e35867ec1116f225d8bbe9849b906513bf53dbd386f82408941e882989885592314f2af6760b77b9bf339c27d153905802943f2ba1

Download Submit
memory/224-152-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/224-495-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/436-81-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/436-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/436-5-0x0000000003CC0000-0x0000000003D27000-memory.dmp

Filesize
412KB

Download
memory/436-0-0x0000000003CC0000-0x0000000003D27000-memory.dmp

Filesize
412KB

Download
memory/624-214-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/624-100-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/920-146-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/920-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/920-571-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1004-258-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1004-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1112-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1112-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1112-71-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1112-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2180-259-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2180-580-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2220-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2220-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2220-46-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2220-35-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2220-44-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2236-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2236-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2236-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2236-84-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2240-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2240-226-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2312-126-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2312-238-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2772-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2772-574-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2912-24-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2912-30-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2912-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2912-114-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3476-185-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3476-568-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3696-89-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3696-87-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3696-207-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3832-575-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3832-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3912-50-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3912-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3912-56-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3912-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4072-17-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4072-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4072-88-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4072-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4256-578-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4256-239-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4788-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4788-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4800-581-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4800-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4808-550-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4808-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4864-572-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4864-188-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download