7c8081b426791e6e32e0b45cdaf577be0442eafa964bd1c2c4e8e0c240f28c7e

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
Size

24.3MB
MD5

c8e535e529a5591f45b4c378dd16fd6b
SHA1

f654ab7075741bcf7ced6f6f5e445afa0ded7da1
SHA256

7c8081b426791e6e32e0b45cdaf577be0442eafa964bd1c2c4e8e0c240f28c7e
SHA512

008a2e6066eabe83c6bceb4ce113ace15e8f18e60c9f556519951a197355a7e2589e7589c3a1c7a9ba7f2d55592a050f99443bc76d5343362e519d4e50b78b42
SSDEEP

196608:gP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018MQ/:gPboGX8a/jWWu3cI2D/cWcls1Q

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4332	alg.exe
2408	DiagnosticsHub.StandardCollector.Service.exe
3984	fxssvc.exe
544	elevation_service.exe
4296	elevation_service.exe
4236	maintenanceservice.exe
3964	msdtc.exe
3684	OSE.EXE
3096	PerceptionSimulationService.exe
4844	perfhost.exe
4412	locator.exe
4556	SensorDataService.exe
4204	snmptrap.exe
4576	spectrum.exe
2824	ssh-agent.exe
4720	TieringEngineService.exe
3544	AgentService.exe
4408	vds.exe
540	vssvc.exe
3992	wbengine.exe
3488	WmiApSrv.exe
644	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fe8c985fc3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000abc8a1089acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002eb7061189acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007542d21089acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc3c4e1189acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049a4d41089acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007542d21089acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe

pid	process
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	3984	fxssvc.exe
Token: SeRestorePrivilege	4720	TieringEngineService.exe
Token: SeManageVolumePrivilege	4720	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3544	AgentService.exe
Token: SeBackupPrivilege	540	vssvc.exe
Token: SeRestorePrivilege	540	vssvc.exe
Token: SeAuditPrivilege	540	vssvc.exe
Token: SeBackupPrivilege	3992	wbengine.exe
Token: SeRestorePrivilege	3992	wbengine.exe
Token: SeSecurityPrivilege	3992	wbengine.exe
Token: 33	644	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	644	SearchIndexer.exe
Token: SeDebugPrivilege	4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4156	2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4332	alg.exe
Token: SeDebugPrivilege	4332	alg.exe
Token: SeDebugPrivilege	4332	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 644 wrote to memory of 5900	644	SearchIndexer.exe	SearchProtocolHost.exe
PID 644 wrote to memory of 5900	644	SearchIndexer.exe	SearchProtocolHost.exe
PID 644 wrote to memory of 5984	644	SearchIndexer.exe	SearchFilterHost.exe
PID 644 wrote to memory of 5984	644	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c8e535e529a5591f45b4c378dd16fd6b_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2812

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4296

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4236

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3964

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4556

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4576

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2172

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5900

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4104,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:8
1⤵
PID:5584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
8f078840791f23a89cf2fe502624bd83

SHA1
d35f0a6c8d8e2ed1383005396868076304de523d

SHA256
47812e06be1f533e4e1e6fa7013d4ad029937b723f6ebfd9ac65b9d701a7f07a

SHA512
20732a77b997d306eb96db8c188ed53f3d7a30996b55f3d40511d6d911e8f036c6690715532ec223ce182e3ff08976ef40559eb7e89b8d6878160fd216183ab8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4387566c147897abfdb48de27a4db5f5

SHA1
35bd024fdc5b59330bf674e193ebb9620ecd293b

SHA256
7b3cec313675cec5417a5c1eafd488e8e590b04922567425e435ec4f3261ddc9

SHA512
193cca2a4a4d0ced5676f6958182a37430df1948af847784028cfdf542c7185326ac54d0277a842926341095972001abe03ce7b0cbe6ac931fc807db9f817377

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
85da61b11d41b64603c6b19bd59e3567

SHA1
b879ae286f1f2897f6f021ef73e802ed913899c5

SHA256
4120eb6cb647eaca174a5ca0187b976a600b21b31b99d6b9546cfd86b7e40b31

SHA512
dd172597068a76ee417c84434ea95dd70a856451b48060db2d2e8f839df85b96f319a60777c3ec54c0e03187d5f4c750349ce2a94193ec406ecb46f192217e99

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
86f0854bcc7d96ca6b9da93e68fb3963

SHA1
a3d8d945e3473a03dd547f2e1bf700d64e821d00

SHA256
002016e64d84f269a961a437116aab142b2aedc3edd6845f57a7a98933dfe7ee

SHA512
1be33c1c72199b8dc54aa0d98369296ded0bcbc93e9bd89b19c51b86d373177c1b607cfbda2545272c94ee4724fee344c761244bdcf68b43d62c8837379b82be

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
db547a2083ebfc7071ad1cade04f63e8

SHA1
d50f298531e92ae1637fa9fb021f629ad906914f

SHA256
be3b287251a8fd2f0997e831a906a355f8ecea5eac27318e84e9040441155baf

SHA512
9be852cd601f6a6f9a09323c0455dbb3404f8377b8f5c6a1715c42b072967f2c68ca0777eb342f6b193f2f7db068823c1df5aaaf5c63316940ccce7732fa57ac

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
1f4e2d7378425b57e44917a42ad7e1e8

SHA1
9f490bff5fb754664982bdc39cd14ce6227ec034

SHA256
bc8681657413e5423c8fc02b1d230f74e0852cf6ac950dce494870d65874f961

SHA512
72288f587c1f94541635a65308f3fbf5c17234ec36d78a89091ae271fc5249a80f27236ce42c60916ea8c67ab7d9989d17a645533670bd077fd0e3e8c0215272

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
680351c9bff3dd6e8383b00c1ef10b5e

SHA1
dee4e8f330423d6569691363a6fc7230d75d39a3

SHA256
89f8175c069b53fa63e8eb2537224e68a90e764a37de4e480ae0ff10dbb2b427

SHA512
8e6753547f20e62342baf5d095f6141751b8d98d688a2d77026ff764fc1011db6d2c482f25bca8256711f1adaf30417832a0f75040fb5a48f90c2010ab36ebf5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
26527b2cfd82e6aa5c295daf07906089

SHA1
24cfd17f63d6fcb00d845fa62f3619d031e493b1

SHA256
ae54c11ae9326c7d21484735468ba7b5fd542e866e607387fd8d0e5b3e73ca04

SHA512
e679762cc1580a13fcbb6e0cd270d62d10b3f040034f533bafc8d72ce3825460887f94718cf331172c601fe41f2b7363886bb027df86e82ab4b628e46a0cefc1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f4bb74a0c85bf14d4d3ab32809b12db1

SHA1
5f78d32d6e35a5c238ee82caa6ee6057ec2e6f2e

SHA256
09adc513fba57595eacd73f1a5f0efb1b3b98968cf261a491e7fc762e92c9690

SHA512
716286882dca970c4101f2989b8bb8e03dfc0eb4699443e3a8df62cc54b3c2b3e0093a709e445fab155d1e19665e7fc757f88dafc5a51cd3dfe4d54ef944de30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
76de49369946e0d9dc89fa10c381fef3

SHA1
438d7623f995f652c18d80adf05117ef4b339297

SHA256
058c285d395ff4116f8b9bf71c02b683e798a7c678079d7b6ca464adc9d5acd1

SHA512
052d10ace3bad55e1146b0c9416496ca612592e677c5035f8ccbefa25519b29ab0930a6702f26942378b71e015ebfd55b5a91d3721f3fe4bd6d899bb54727ef4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8f20cb6d74145bb4edbdcaad9a030eaf

SHA1
0fa03d24b7b7d8115e3587a283abc3d0a44ee671

SHA256
281395e60e6077768c68d453a5f20589298d11ef6cca5e02b6b8e3122c8220d9

SHA512
47bae957e550933008db3597656e48a0de852daa511fdfc9b7ce3aebb7c5d97f7a6f51b92c5ff57a9185255bb8781c53e0f519019941b79f9ea4cad89278cc6b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fcb25ca2d7d9f710d2bd465b15f80269

SHA1
7ecea5fcceee007c5a4b912768146bdeaa9d51a8

SHA256
3cd5798ed05d1c2b6739ae69aba78211812a75b7d313f53f4f09f123229317f8

SHA512
02eac2fcdba723f11040c5209c332d61c55f2ae62d10972447fec85831106cef89b6413bfa4e78a2d97d0ec31fbf69b58fee24d508ecb0858184f430ea3c8c56

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
77343a83720bf3bf80ba1c75b332882c

SHA1
d7f61c9266fe74a6c3d66a39f55381c4c203209e

SHA256
94e7715ceda1ab995509fe28e9b97a314952270189b6a5d3aab943d02eb47c57

SHA512
3e36d3ad0871261c1c7b20434450e13c4a5804448a8df2d8f0a8254846277c221ccb5adfb545cc11055f380343ee0b8deca36b2135aa15b2560c828923c4c29f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2c92847bbf1ddc66962419e9e730382a

SHA1
bf762224bd76dce2cad9437297fb66bf5d057f93

SHA256
fdff844fa3c8abe95b787c937574c76bfd21813ad146992b82b20ec6d0ff6287

SHA512
39c5efe52938e63de86eab615d63571701dec5a1a77c45b38f0fdb824ac685a01736235fe48035388966b70bc2aefd63334f411579683f1a31d7c806eb2b1074

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1fec3df26329ea14cf5142642d4c5b1c

SHA1
4e382c4b844702922a7eb245490997af7b24f3d2

SHA256
a6f32385f11bb084af359528e628fcaba7f76184ee6a17190649f1d8f76d6d6a

SHA512
7a2f7814e4e189c9e08942fefb47ea63b5e0a875c271990df2119e86a05515f4e548e7d7a454fcd2b2cd0e6063f0545dc12f5fba265e4c5bec1f14f2feae0b84

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
942e6d97f22e9b9c67249cff3167bdc1

SHA1
cb5997e39cce0abfc46ed3d5445507144b347591

SHA256
7ac833138aeb0a2adacbfd7cb7218c3ac6ff433c2ffbc62562d3a2287bef7f72

SHA512
0be0ee4d76a146ce188cacc2354687cb6827630d8eef83f9c1f9e6ed2924a3fce09dfea9e47a00ce7b0424a5aad8f886b3eb28b7ffe2d7087f7cc1a812dd3d04

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
627e6065ac3015b9e8135fc8e7a466d6

SHA1
7a1d54d737b9d14082a82f6a8d72e74281101ba9

SHA256
c04a454bff32b1245128374f66bdf443981955a2bbbb8fe16d63de366c0ba12b

SHA512
e2070c87161126920926b07e86cfaaa7741e9fe35c371d693416945abaac8c17858953ae58bcc4940f667610183f6606227568ab64f27eb63b23eabeafef22b1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
95fa726b1fff9e37948e25ec8c94e2e0

SHA1
25f35a903d2db47c75aa1efab9ff17293052b9eb

SHA256
8e275a5c982e1e32639ede73983e3ae7909b91f31803459a2a90aefd3d57ea80

SHA512
f5a338670f1b340739769bd66d7ee03f631d0cf71fba380c2a824f832214d631fd5e8195dc848a39e39e4ea541bbb48f41ba9998c7fc0a06e83dedacfd42fd2c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
55eef020d093fcbf0c5d26689461df54

SHA1
445d114de98787e19ae8a71e989bba3c293924b3

SHA256
02204bbf86d3baba44c4d71178fb0fba1bc4b8a9709637b2c987510888422b9a

SHA512
7bf1f19766b6110e3a5e758813083b7a7aed47430e878bd6f0e1474bb1c22f483c002eb7503037b16e37277bf1c08808b5c5a16b2b53c5b5b6d19c4bf938f5b9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5d576982b15be4019d4bee7d22531c9e

SHA1
1c4f3a8f3a2a6651fbdbdd99851342292e7bf127

SHA256
8064366c6d3bc3593c9bad5320627c0784055f4bbc16f4829d7454d2cd477122

SHA512
97253fc7d3b9dbc9337b2dbabe6c2af2550e25d15b35c035df50e23aa079c01540932ba3983a5a83373a8f316817ac631d2d575af29f18bc2dce9727a67dd2fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
d02b0d996a323d255f0315d4dafa3745

SHA1
cfcfdf276d480f53e4553fe9037d65eb5c30afcc

SHA256
b1970ce13ea08c4c8cff5954d5a0bda59ba6e8fc1606605020fd70b7e99a1456

SHA512
bb68c2830fc9feba73ac1ee7575a21c6789c1f1a281fc587a3f9394b4fd98949d32c4ea0b39d7b672c0daeca1f01ea45984cfe087b7a8bf129fbf862c78e7e22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
16b146e727bf47a280eda18c2b12248c

SHA1
af2b7cf43847e67e2dddeb69e01a7ac83606238d

SHA256
6a106261125003f4ce7e07c3a30a09aca69453b433782b7c83b609370b1ebd62

SHA512
85b7aaccf4773725da60a93f8ebd0ce3dff85d49f28ad6549cb234b4a065421365469cd696a890f3fe672a2d8dc08e128e440edba6f45194b92b5c618c3ea688

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7ebc50d8a098e37346455b03824dc96c

SHA1
202ca782e1787b50f06a15076d6ec13a038a5771

SHA256
4699736d7b25262fe8cda5ac85176e0a3a91b1788f1af6b944746a399f040c4d

SHA512
3b481d5b2f1818719ebae66c72a423fbabd16a4285b2cb5993e43ee058736ade78070d9c947100e66ac381610d4ff63d6d138f6546ae001966061a4d9ece217a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
096c8472bc2d5276d41c2ae09fdbe319

SHA1
b46fb67cd986bd603c853f9abdfcdcc8b9336d82

SHA256
872057d1e63ff8896df799b218974fd2e7139b720d4d2340020a1c4e693b34c5

SHA512
e12b8a2f16bcfa973cfc0163bf73bd9bcc2238d0124ff608f9995583da1a49701643ed7132aab1fdda2a93fd6fec5c538462a2b57bf10f3af8566faa529d11a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
49ee648a4833c4cca00f8a604a70a4d7

SHA1
379057be60641b9dc456e20a530232cc57165403

SHA256
30d56e18b871c581bf1555c918866d8faefc24c24acccc230e51e10badbb69e4

SHA512
1c669f34f6a3bc7a454b3c9eba720e49f079888f562923d0e50675432180d8ee755e8e16ed31fcaf6fd8906bf49829cf9d92352b1a819e8406874a1b36b16b0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
9f177a78f4b44c18181c5a507467dc39

SHA1
20d9708406cbd60d3acfb9f2c76970acfeca2461

SHA256
5c8a569e63872c16f98afe29363092d5962fcd07d62a90a9c5ba6fef12546ca7

SHA512
0a6b52729437fd8e72844086c79374ab63bb44628a9a3ac9333f0b53ac59e38ca5c6e6dfc4955042a64d4cb49bf1955132f24059c654c225b3e6ce1a3e5b518c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a91f67d8a8f7a47859b8c15811b6e6d0

SHA1
f6f5a8af998655a70e9f7dcc1fc1853ee07b7ad7

SHA256
6c91337e074542ee7347ae6f3c8c3886c981cb3acbd25cf97ffe6542b6213c9c

SHA512
71c59836ddb58fcafee54a342967beff14acd1a0d48382290918622880e81d9fc8b8c7043447191a46ec3919510db5be93d740e70c195c317e22c25fe011e730

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2f7c6c52372ad1ed029c8eea612d8424

SHA1
e2dcc6cae724a3a9291fc4266eb3acf8c02bd207

SHA256
2e44d19534aecb755bdaf5054f788cd672f5589fb1677d01632a72ca2bf84a84

SHA512
ee57e4477571c64463178c7e7b12e504ce8ff4ea8b3846bf9ceeae1bc07cab6a3f4354f3bd8b95142dc15a0c3ddea6f14355064fa05f4b7376a8947ef522de87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
6aaa6806d7e205ca2446d0f526b29e97

SHA1
4db22eca14753c33903cb93f0964d6a101a0a7af

SHA256
29f69737ce47b78f05623d852c93705a3ace40cf70165dc25f8197760dab4a27

SHA512
868ec2fa4dabd07fc838666744c94ad65b70ea1ac05a666e60c35d8a732a37f543f231d81ece4ba73b1c7d3210cf0ef3d5a30da4cf03b8fb9ba32fe490b0c2ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
044fe4b3bc378c8d830b628b05a2c738

SHA1
1f07b164d2b4b94b7b29d320853599f63f514f59

SHA256
85badd8621f2269575ff5d8a4d5b51ca73020c623dedae410f1ded553ac709c4

SHA512
e39a9ac4b119b9e19348174c3fb904e65da891c51e280ccfd8a400614bb8bc5a2247fbbca658a326eee4fc114c08cdf27e04bfe77d0171286894c83dd42604b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
6814237fd5fefd23c1f40741b3af04e2

SHA1
b1503c1bfa4c340d75dded824fe2cc07c9ea429b

SHA256
7ad1b8ee37a0964fef6f1e4695c4e676aca267fecec9b4049ab8adf608f97d6d

SHA512
712af6535407af2292eed51962ba6c22d8a6ee5d070bdadfbf0c03756886bf97982835c616eff6fda7f4e199ef704379a125778e1ab69b70e233b037f9e36943

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
07e3ceb686dfa54cee5f2d5b2c036b9e

SHA1
a54e59820f1df2f8473a1720edbbb4cb952d8e94

SHA256
030b79eb8d099f1114c312774a7f97fb30b00eb6c98afd1202c7d616235e0d71

SHA512
44a9395663a546b868cd703252dea3ff2e701c722f14f4e0edbc7f33c29f8070f9ea09a78c1adde040d4c37e8757df0e47e90a8b5f8dacd97cfd053a2b6ba8b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
37c2f33081b0eb8ac66bca17f57ef33d

SHA1
12794421f53565e7c9386310ccbc67bd5c9dc536

SHA256
70c21989b8db3968d052ea9e773ab1b090fc4a5aa908a9a1c8efc4bfffcc0fc9

SHA512
c876893ae2c12b81858a8a5a6a3ddaadd753a6899ba1795f63f70c3e4e714385fa1e35829753f7a55002740fe2d95e1059d1fa95fcac0aa25bd08fcb6b187d51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
eed0310ce2126a6c108444cacf3e7e03

SHA1
62d924863bcf7b137d1278b243719c53f8003520

SHA256
1108039877eb6d1ff3a78487c7e64903d7479f7db44db80bba61e8a934efb689

SHA512
aaba918d5389226a85aa8259f06e21d3a3d7ab865035288469e5bb302dd178b572051a4fb8e853b61033bb292dae84f3e489db83950d0366b50d185e6155b631

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
71e185bbb9a101db7dbd06e99aa73d80

SHA1
7da0feece9648dec2020301133b6f710f2cc7c00

SHA256
560643b08c259fb55fe50d535a1560764fc4e5dda7e972c2c9ec5825a3cb632d

SHA512
e0548009113cfb5c313b6499334bd1abdf38cf557e54ab417d76a349ce1f840d6c420cadfe7521c47c9c54448d1722162e604aec39dd3eca3ec8ade5def7088c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
975ddd061f2ac1c6b4b1fad5fadfeb2d

SHA1
480ce67da15f083b29cd702798325d613ec6cd29

SHA256
aa6a8fc8d6151681521cf36d5b14fb4ed98e0bc427d1dcd450e8b342f761e6c3

SHA512
0fb0cacbb1abca51545a2e5f29ac64da02211c05e852368e7e3598658cfe08400a609a5cd3c0dd9c2d9ff15a49fe07467e220f8ed0604ac55f8412d975480683

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
921018d594a80dd9592b463df657ea29

SHA1
629c6f480338478dfea98170f092c0d723af0325

SHA256
2fde5563dafd265636e897fd606bb2882965954511ce5efba39b504044796d15

SHA512
26735aa8014d6a641a8b29a3535adda9f2537d91c059df09ed294b7fd7065b505557ba846e3ed5eddc866eb4fd6487d59d33288ae5f08a4516e9676ea725becc

Download Submit
C:\Users\Admin\.node_repl_history

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c29f2380a558ed65331a5a42a22d67c4

SHA1
95c96930018d0113bc5af56843f1cac55b14b8a1

SHA256
64f91c45412d01620963d0625aceee6506d8be00833f6182ebf3e05b04f4e004

SHA512
4c2d85a4c90535ccf20bedd650abd0979207e9e29f742cea9c194095d568e9c0bf69536acbb1cb8dfc0bef326246d5e34bd663b7af4acf3fc07a6f31316fe9bd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e2194f58534b660dca22e2ab128e312e

SHA1
f938c17afe2ef143fbde76c5434dad749f8f3f58

SHA256
52e5eea12eb8c5e77804667884f880ff686a9dadebe1fddc69532284622eeb0b

SHA512
e60ff1fac2530a5f5f75b7c5959531d12483c448d31f5bd71b1ee8de37fba097c7d7b3461b490e6dfb5bfbdd5f3cce6fbea20fdbb371eb1f2d2bca4575e3195a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2ead0bea0bc598382240d63f101a637b

SHA1
90c59666eb338bf2956ff812047f14c064a7fa9b

SHA256
ce367a308ced17281d62ebb050004c0a68fd97791d55c93d38ae69f16889c9a6

SHA512
b76158912d5344e7e724a61725320fbf3820ef97f304915b4ebbb1822af9177cf9a4934f95bca1e2ca4c4d35bccb2f9b98f61461b47e2f06c8e69c49695bbab7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
73c29c9a714549c2997a51e9a43d1a5b

SHA1
160e24da253c0c248ee40c1d15c290e2c0db2d1d

SHA256
fc1b9e98c7d5f792046ce97a512f2b2da28ac9ef8e0e003c2743f3fbea3696d6

SHA512
da723055e03abad0f3cb8b03820abce6a29097df06394ae95f0157ed1ff71783cd1c02a9a0b2f7ebde412d04fe6014e9052cad5b30b43c262a3c3ec8a3c17ff4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e30a5c7476e402df883260f0921a6595

SHA1
86a72b377febd6e6ee7a183bc2e649f0bcbb3033

SHA256
aee7023fbe9b516312b2054893eea54b6d88b3a5586d5fcc6b6e6bd3d6b2fe5d

SHA512
517e5f80ef3b764cda194c0ea58a4958fff570bf230794d6496975283afca343ef40144520406857b8ca9a03b15e8648cc56565cdf23a46cb2d610cbe355f36a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
00f9f666c7d064074815cf88dd47849e

SHA1
9091dbee0578bc1dd1503dbe01a444e4bcaf192a

SHA256
7c3d07d80880e9f92fc8ccdf4cf2762dbc88a4615f95bc24b23d53976776f722

SHA512
16a79d71d9dbe82e39409a65d8a858bd391a470cb325587691f141bf6c9a9c5df60fa6dd37a52ae19d135beabedb930082053f56a5f9540864ef98bb1571193d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a3f51b56080612c907c7917780219bd7

SHA1
79437e586f01e19547de5fa817680b46dca43812

SHA256
d867ef9fbc86b84f3862e63d141dd25d5a2ad03ee750c64d910f7e547ed55974

SHA512
06d4d78a4c95bfae3ffcd3309bd89d2b82513ea7f1fb5308eae348e4c24aeafdd3f685b5899bb9fe19b891c7b2068c49f89a2c24e0723cbcf3073fdbd3f83b1a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2b656fe545f8208aea820aca0709f8bc

SHA1
f1bcdb47ad2a5969d27cfea031f129256ac1e869

SHA256
50912ccd298e406b2171991c007ed76334d24d90e35adc2da843c7de8967bb4e

SHA512
4dcf8281ecc1b678daa551a4604a23275def079def047a121686efe5bbc1d2295b2ed504ce8cd2d010854bcb9fc151d515ca91bcfac5569322177bf6d5209e1a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e6ec7448a91243d4ec67ebaeeb9dfcf1

SHA1
fad09959fda67f5b0bdd5c2c1310f5e297d7ef10

SHA256
637c1cf39637aa15430cbf8272b5762f01cf5315e7da6055542ae1db847fc784

SHA512
f96e82bb3e98b4de7d595e332ae8f4870ea81c06504c8595b988cc2de421d47ce94d7587eec87f8672b988a7cb2fe1608899f8879265973a73813aeef94a97e7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
caa5ef6ffa56e1329958ddf0c1803ae0

SHA1
757c0805430c8243ab35cb229b12a1bef1ab78bd

SHA256
15fb284cdf553a3b27ec123df4e6fc88e6fbe8e8b718b941ebde0abb9d3d83f6

SHA512
7935a8199d5a360d3bb370473c3af0f4e444b0b22a0315b453cd772c5076be32637479daefd7f30f977e9e601c0d2e48a91497c9b1226b4a94b951b523909ed9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7ba1df94df6cf7b8d0389ddeab6d731d

SHA1
e5c074aafb6e2dee9625897d35997302eadf2088

SHA256
8f51671c361b942e8d2bc843906aa743756e5c9fbd79baad3ad00a93a4b5ff16

SHA512
66fd4afc77f1cb22c6da90b602983a99b1238f924463cd7ef389bd1b6859ac435fa09d4d75325e6d212c27ba9eaf90b7da701a8d15eee0072578143ed60f5eef

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4b7656b52b485307e602a01f90e2ef87

SHA1
94affda0ef59f8391095bc5aee38cd9e1ee6542f

SHA256
43018d7cd800fc70cb34d8586ba31de46d76c9298e2e663c521a559a0d8e320f

SHA512
38ba0d90f81c05e6251b4f3ba806eb5ec4ae6b925e25979b91bfd3226a107b99a5a399c018ef5fb085885d8dffca0af221c1a9cb206b0d738377673652deaf36

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1807c3c31fb421cffec1deecca2948cc

SHA1
e743b81a951243cd79821c6e9def093e76a6a847

SHA256
577bbf9e0bd3a1cf929a6c29a45e651943f1468742bfaac32a0525489bf3c152

SHA512
e793d3844ec8f23264bdde041c039431c5d6eecaba21ce37a273718cd71e3a58332f8f5bb477192e5e4157eef1bfdd955478a08abb279f526c637399d4069fa2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e4fba89e59fdbe6cc4305526e2e7d077

SHA1
19fb372d4a848f3aac4924ad39e7e7449947ff4b

SHA256
61f66d16e08cb8e43220ba02df03425cc8b1bdb4d696509228edd224c5ff7783

SHA512
517abf1ad409bf439a031792c68a50e3812942397ea646608622152ec6efd730f688aba066e33ae5ab532c297f6a30bae4822adb1fc3e072ac58e7110ed1869f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c9dec6f7873500e615f0f18311036b96

SHA1
cb3f83520234d8e8c6fdda14355f44391ff56cbe

SHA256
0d98b0ab94866f7f6aa74145a43c03b3aa81fcf86dd1a13adf52bc380d539367

SHA512
69bbd75e00bdebb8bd72304a23eb84abe1de330ffcc92e30cbb11470446b3d4fddd9757d43c8d2ee29f8a1282c617f674ed8be436a8834d61f5711c552fce1c6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e8353651fd5dd06a7934ab33090ed382

SHA1
a4638a5ffa3a619cbe836ddf5a1934ce653b718e

SHA256
9c4e8f932738eac61a7af4e874d4915460e67edcad566d02f7dc93485119f8ff

SHA512
7462fa5d1470fe17f2b20220d02d6a2e074b2e622ccce27ac323932962e3fa9b69bb219397ac8b7e3ec748491b88f30ed936e3013367d5d2bae56ef78c13344c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4eb65661fa30de2db19da960961ef200

SHA1
40e6482fc5d308bc31592c0eb4b6ac04e19612b0

SHA256
7f05763418d93e580d1c19fda10c5363400320475f8726002269bcb117f254b1

SHA512
ef43f48cf502a76627bfb07466fa0d309b65ce5ac844a4f995c2edac955d444fb5304318b10173d0d46e71803fe3720e2b3beaf10f1d5665c40d2ad0dc76e282

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c941c3eaf6559e28611a9e11889ff9db

SHA1
703e22715c0b3d0c26cdc41b0c800d14a632694e

SHA256
7f9251670bf21320ded98e0e76340d4c7829d62330633a44a4d723fc495e30da

SHA512
055a71ab881b4f404d913db0f5932725b56948a5d7c713d97ba96629052f273ca00a99af9800b5d61bf29540156a21ce7a50bb48f6deb7c755032267960a1582

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
21be27df155d4ebc07fd1593f6173b7e

SHA1
aa826ba20649f51d538ab98986936d63bcf538df

SHA256
c34efbc092857b2327dc34d279b52b2d9c0c6a08bb9636386b5949373b724504

SHA512
5b6892c6c4dcd78f049fb738003e9fa9cb27518a69087c5fd3b02e3abb766525a30b5efaa2576bf86b2de3e90d648beaba1b4ec640903a3d5875b812e6088ce0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a43aadd68d7850a77e7e9525dbfb7989

SHA1
13ff7e7842a9694cfadd8710dfbbebd7bd825144

SHA256
0e5aab252a28ca646f8d692da965b13510a7f850ed818f972be4fe95a5d02f89

SHA512
498f11014fd878779ccf1a2e1c5d6836b40368105795be7285b1263830ddf4d54326b5a30193204827049a0a4e335fabfb4406f8bac637a55d80c921d2af409c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a1e3449d8581062a0fcc68c928b5aad4

SHA1
55d7566e430249b26bfff7325ed9d130b700a57d

SHA256
d366b412168e9f7883b4fcc21ff31ef2ea855973bc6c9458a9903af31a1c9eb8

SHA512
b03d64912dca36a2433c9e12f242f82cd452c68c2883be71e44c3456058a137c87e2d251aa202496ebb8baebe006b8f5e43fe1a6bf72cb72dfc0a7dd6fb2543e

Download Submit
memory/540-305-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/544-54-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/544-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/544-571-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/544-48-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/644-574-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/644-308-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2408-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2408-31-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2408-25-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2824-302-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3096-264-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3488-307-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3544-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3684-263-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3964-309-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3984-38-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3984-44-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3984-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3984-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3984-59-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3992-306-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4156-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4156-33-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4156-0-0x0000000003C50000-0x0000000003CB6000-memory.dmp

Filesize
408KB

Download
memory/4156-530-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4156-5-0x0000000003C50000-0x0000000003CB6000-memory.dmp

Filesize
408KB

Download
memory/4204-268-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4236-83-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/4236-79-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/4236-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4236-73-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/4296-262-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4296-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4296-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4296-573-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4332-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4332-567-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4332-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4332-20-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4408-304-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4412-266-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4556-549-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4556-267-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4576-301-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4720-303-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4844-265-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download