e40801e83de5a61666816fe37d89e4b7bc9905fd21f5a852ada7d2e5b2a9f2c2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
Size

24.3MB
MD5

3c0c7423954ccf1497938e5e61a3ae78
SHA1

be59d8e69ba4ed9f4407511ae73415a054799d58
SHA256

e40801e83de5a61666816fe37d89e4b7bc9905fd21f5a852ada7d2e5b2a9f2c2
SHA512

9ca19188ea0d9da6b977b26efb9fec932fab4acdfb19828645ba9f6c29245c79bdee9a0f0cda579bad7b9f6157673cb7c464c7b475835b18ffc2f541c7ab2ada
SSDEEP

196608:MP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018Cvccp0:MPboGX8a/jWWu3cI2D/cWcls1Z0t

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2920	alg.exe
1308	DiagnosticsHub.StandardCollector.Service.exe
1084	fxssvc.exe
3924	elevation_service.exe
632	elevation_service.exe
3448	maintenanceservice.exe
1428	msdtc.exe
3368	OSE.EXE
3684	PerceptionSimulationService.exe
864	perfhost.exe
3544	locator.exe
4372	SensorDataService.exe
4604	snmptrap.exe
2332	spectrum.exe
4408	ssh-agent.exe
656	TieringEngineService.exe
2720	AgentService.exe
5064	vds.exe
4756	vssvc.exe
1772	wbengine.exe
624	WmiApSrv.exe
4328	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

msdtc.exe2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\af149b558beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaw.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exealg.exe2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090ebc290ebacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db4ce490ebacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bc66192ebacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc25dd90ebacda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073652192ebacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c370f91ebacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe

pid	process
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	1084	fxssvc.exe
Token: SeRestorePrivilege	656	TieringEngineService.exe
Token: SeManageVolumePrivilege	656	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2720	AgentService.exe
Token: SeBackupPrivilege	4756	vssvc.exe
Token: SeRestorePrivilege	4756	vssvc.exe
Token: SeAuditPrivilege	4756	vssvc.exe
Token: SeBackupPrivilege	1772	wbengine.exe
Token: SeRestorePrivilege	1772	wbengine.exe
Token: SeSecurityPrivilege	1772	wbengine.exe
Token: 33	4328	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeDebugPrivilege	3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3912	2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2920	alg.exe
Token: SeDebugPrivilege	2920	alg.exe
Token: SeDebugPrivilege	2920	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4328 wrote to memory of 5340	4328	SearchIndexer.exe	SearchProtocolHost.exe
PID 4328 wrote to memory of 5340	4328	SearchIndexer.exe	SearchProtocolHost.exe
PID 4328 wrote to memory of 5380	4328	SearchIndexer.exe	SearchFilterHost.exe
PID 4328 wrote to memory of 5380	4328	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_3c0c7423954ccf1497938e5e61a3ae78_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1332

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:632

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3448

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1428

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3368

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:864

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3544

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4372

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2332

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1084

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:624

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5340

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
2⤵
- Modifies data under HKEY_USERS
PID:5380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
ba69f45b2d3e0bf5098be7595edc3227

SHA1
449245139900e9e1c2094a6fdd1eead5da1dba0e

SHA256
3094118586eb6968a581778068a7813bb3d0da2d7f761c2d4f56442e0741777b

SHA512
793462c1f7bc6bb8599e150c8253034457d9bc21ad8ad9ced79dc58f0734ea10a96a4dc125332512f0fd656bf0b0da01a0262ad3968e92fc8d06989cc1d43277

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
7a773a0b2c503fee9b505402b7118072

SHA1
756478509195cfc823e25c1384dd828f3791d3e5

SHA256
66f24ca8edd49ca5c28c53a23bb4bb5ff6e427aac1fdd102c2f4fcd3927e8a84

SHA512
be7922341b9f7657acc76d2b1760d607ed24a44ae8e5f284d2aeec643fea190db50cc96bfaf3775fa7d09eff906fb689bf1eb2e433afdaf7f0ec1a64386dfcdb

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
3c46f7582d000852820942e78f457896

SHA1
b9828a5c7769973d808b306c6481ec398c2e6f0b

SHA256
a0d70316a036bbe00096d8e96445c109adc03f79a947652a9bb25f9570a2b967

SHA512
183721c0fa6d9a988a545ecddb95adbedba5ad4d9c5e4eb574ca6b9b2258ac9b5506813f3f8710850dc8861d0f4b2fe101edbf18aee67e2b4f8a7a2e2ddcb998

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
52b15596185c2810d130b333edee0b7d

SHA1
c1083f98f7ca01c49470bfc94ca2372d5c50e08a

SHA256
ec37afe9fe98e094a78f488fa439b5a87ea5d77241797d070a578d4eb5aed9f5

SHA512
f67c7039fe6381163b68561ef2667231cc897a0356394e388508af2dc6458defd207060764442c7c121ab91abcba55e73004ad538ff22ce77bff0261507cd28b

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
f825403da7b8331b55ca5ff250894f72

SHA1
1d97b63ad3128678108605e51b36c41171f79c92

SHA256
fe7b4a8f8b9425b58655a7fafd13921f10baeea7fde14fbdbcfd4c56abfa2a6d

SHA512
e0fa3caf714ac1eb115ad00d9ee8187e925b9f2fd3011824ce8f760390b46e7f49dd279f1c9bef7101da4de638651df26bbec67a08749a8b02c0b13cb3f483e1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
65cb9fcf2cf3335ba87d8b7c59e65778

SHA1
47ca762aac11cdea81a62f504e5ae569650778b6

SHA256
f97c0687056b2819f61b1ecf63ffe1b9a82d59e15a6e3417ae466ad90cb2eb2d

SHA512
8139f11a484cb0dc983ff8d7f7a4bc1ea33446cdf2a9f5c973a24db64f518cf040125455c84fbcf0439ef22d2d5667c31b4d5c5a76622708021c3119251273c4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
da70693da2ab09e468c2bed5423f88a5

SHA1
0e76923cb1980f78ee19647849314678349c5b4f

SHA256
34511cc9440eebe53b51ebbafa8fbe36abe92e516ba5e2ced87e49c4ba7c50bc

SHA512
96b5d52211c1afa3907c13bf1c64ac6c9f02eb1942ce46bc72061f3bbcd1f3fb9ea0ac5865b1d22f0444e3805e917fad904ff4fb837a33a4d663a39cf607eaa6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
052400cc86e34d9700dfa604858ed93d

SHA1
29cdcaf46624a4eb2aa787c2131aaf9bc88d578a

SHA256
ff4887177422473d17d51a597695071106c993d4a2af2006eb09941d4505c4df

SHA512
47c8e7d03d34bfe2fd6665b028cd09fb65e477cca18359c0806cb84490e512487d8ada9ff3c93e5b3e22637cd8aa097469377f5f01dd2dc5f955ca0d787721fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
09f24d9881c8033480266240642ec76c

SHA1
458e602ed234a84eee621409e72fc7683e444e46

SHA256
d2df46db88b43b4303bf976af7c5c54daea0ee133383ecfbd764715bda530756

SHA512
1771a72b65b73d6c8c3f2e78fbd33032693eb3b32773597143fd7d63ef9793301a7bc0de8d73f1b74242853d675aa3067028dce12b40e16c402197d1580133df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
7dcea37da01d2d0677a740476c22fe48

SHA1
f454f88daa6444fa978090847cba30852c545831

SHA256
4b9d888d8551ae11be74482753f2140c54d1a7202081fac931daa01452754dac

SHA512
6e8b90d098676ed902ec54f68e4caf25ebf5b28f5ee4fbdeffccde2f98c55a04a52cb281502c4ea6963f3cb70def24f9648ba232b3a9543ece56c1bdb9a29286

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
c9ecbceda2a8d277715bf06912a16513

SHA1
cb1ce213d61b0eccbcfdd70b07cc554455cb77c3

SHA256
27e41a5bae95d36f8753b0797574a58dce294bad466a5f1185156e9ab782fdd0

SHA512
9780edb0e8ecf2acecd0aa0f5863bada3c13d651ff070bd29dc89ab77e27326e95e07e3a0734ab71a9ffd075417b421c81990642d3dec109d5853e5bda3bb828

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
09e31964f4f088259f27013c27a10762

SHA1
88dd45209bc9ea1df1b4dc90f392db406db16c4e

SHA256
7dbb86491dbc4a612fefa3de3fe3974561c8d7a1de523da2ca2bed410875dc75

SHA512
de2a67e0dc9c9310fd4a22f48927b75711d76a4d0ed821fa348580c86f51ead3a5dfcf5e8b424c051fa0d6216606324249a532a712aae3cd10e1466b8ea4c918

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
e79c1a5318bf552faba99af7ab85cdb0

SHA1
3d30595859b696ed7b7e3ab2325da3c1638e388a

SHA256
44b9a154e29b927d5b86844ed13074cf65b57e76bd9d9c8200e018d79565104c

SHA512
b110498263c65a99c5314f02175baf0929fbe59b67fe6f874764744609a5c481347a47f7790d5d9fa520cf5b28035f0842a727d8c9837abc4c97af78e19ecc92

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
c873ee27a058c60a14d34a08a49e0e20

SHA1
12ad8f08889350057963163323bce39dec4bf02d

SHA256
b3ebc4d68abbc21693b81741b45f82b7795b849083fc0df7ece5748e9bc06fa3

SHA512
300c3de514c43cbda3832b95c99350c1c57bbe1d46590fc995d730af07b84f790f5c720369660eb6b68daa50459bccbb092cac52a8aed1e138032fe6c5d5e270

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
8a1858abc6543a7e7957a99aa5e732b2

SHA1
59ddb10f31ed3d26f1c3a515f4bb7d6920a3f778

SHA256
bf3618c6f7db5aa4e8bd4ed2cad00fcf24487f39f39dfea0c5cdde57402f6270

SHA512
d0040c43101b43d39a00fcc771ae28559a487494f241ce2de47a9cccc727d77cc6b3763731713f98a83c04bb27ba4cd526ebce7ff2ecd6e7e851b3a265a371e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
c8619b0f58066cce0f6ef451975c6618

SHA1
b1e73acdf4d61ed4bcaf9f5f635cb9ba3c0a3510

SHA256
f913a4d37d428b9d2167da0056fa4477f7fd2a78aac33227839fbbb5e79f3d7a

SHA512
f000b65b7bd59a21d7aa0de7765caabaf73131f529cd6cb98487e109afe5e8ce070d80f6dfbc8f63beddcaccfec2347e88a09188d6ccfd931679f5418702f969

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
d3cb67330e37d2d44901234b2556407a

SHA1
a82e3cc43b86537a5036835025950c10ac04afbf

SHA256
b83e0f9038dcfd7d112983faf283d7ca92fb48b0bb5753cfe15e6ac08a147f06

SHA512
149a6bb404cd8f3457dc1429415adbc21fb0b12292512e59bf3f944cd7ceb4385294ed9318615188c4c4d2de01f7f391b463f82b432cc7302d9aec14258558a8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
e080360c8e8ba38b5c7ba1bce8cb7485

SHA1
fd81524a2a43cf427e932d242b86f5f5fa38a8fa

SHA256
173d9527c21c70439d0e73e9feaf7229d15d2f8afc33b4af4045365eec1d9371

SHA512
095bcf8249670d3dcb8eaddff1354a2ae99912b994e2fec0e82cae28b5fca7fa424495643024ff7770b32c524b9e3ec52a4c6e5eeb751bd46eb50443478d4236

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
fdc3d38cfe1127745c4dafde2e6c6e55

SHA1
0c7a0547d2de9bf21ff44aa4a40e184a754d8674

SHA256
28432b9f9ef36c7eefbc03bfa7f2268e5f483af8cada886fb63b193033de9b77

SHA512
b67c13a5b7264de94a3805e40f1da1ef181ce20a161ef1916734de5be8dc876cbfa745b153b724e282e87c9c212bb31dbed4b479175cc22aa27ec18ceb3d547c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
f8cd55bcaf87d5085c3164af9df943a3

SHA1
6b1cc5103adda31e646170c3b797adda91620c9a

SHA256
2c512eeed21c2a9ae1cac172cba6e6a481dca882b30ff57d816c719dbb4e6441

SHA512
3613ea62d6ae3f79bfd4137390758662dc388e0554ddcfd5799bc4777645cff8152dac7f11e6c95758c9e969c7acd996d043884a1931e9df9cd5ccc0c96ed9e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
e0e5d7e913cb7bbc65ea03760751e1ea

SHA1
98e4a4e93a9ca58b1dfcc782224079c17260cf60

SHA256
ca44fc573e01424aee45fdd35fa7d9514cdd8be8f256dcca64e62eb02764e03c

SHA512
cf02d6ce719bca71faba6914e2d4ca7bdebcf884805721ad24fa9f1fcfdd6775f43294cbd8f0af43be37a6676fb95ac23bc926c9f9b44d28a092471d5291eb28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
6584b750bceafb07b088be74a9e037c4

SHA1
e6c874e5990d5f7665efcd5d8be91e97ad9a9d9a

SHA256
c1b4cf671c593a7bd43f54cd8642fad85906400ba2dd6ad8fd34fc6d30cdcff8

SHA512
5b5596fb67c20c220e3561db92cc69d984ef9ba044a2c2ead098a54104936c6ad3d48df5b7ca49d757119e5f502402d6dddf9c4c820a3e77a91d62b146d98752

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
5e99a6cd084a83e332d75c16f472aeb9

SHA1
aa3c83f468c92fdd861e7ba860ee8996819463fa

SHA256
69a63aec1e7c1a5105e2ad91a833cc4f5f5310ec3bf8cbe43bb121185815caa3

SHA512
424a182bc70638f2340a88295bf830a0abdc4fba2fd91852a8d9fef4bf1f46f8f2bee86067f9f780cefdc31a33248cc0ac9d5d2acd007ea6b16ee6b3cd58ac18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
bc29eb94a4e31a6f69214dae74064fd3

SHA1
61e54fa50d73dbb2d1bb430ee9a1f78b50096800

SHA256
8b8e7db68d7466cab07d7c6b4f0a1db84d9774ba09567c0b653334b6c2b4649a

SHA512
5c099759e1197384d1e2174357e183ef398355c324f15dcee72386afbe49d5c792ed02274051f55a542d1d4c965f64e6af2f38b9b2b6804083084faa4e238fc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
62ef0f20500e2d3c4f4f6e10513b7da5

SHA1
4da2e84906bacba483f31cfdc884b83bb99728d9

SHA256
40ab4ef11407005fab6fce23c2f20222113734574421cdd448dcb59b766bbe79

SHA512
eb898b2668a90fc749f433fd269e14bd40bab11ac8a708a1214607fea1832dcf84bb29cf29b0ee37f846b505566efe315f5f7d926b701518e2df4889681afe2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
15d1b506cb5b1eced4482485ac7edea4

SHA1
3ecd3c27d2f9013895762c6c48273d5283098c5c

SHA256
0c93f5c0f604677d9b418034b6a5acfe15667bf6908bd57bd2c2320fc73b7c4b

SHA512
a1d85dffd308acd07365d518c3b1bf163acb48ace7d6327579cdd38b8476e5604f2ce117169c842ee15db4b226ba76fd8554748a46c186053cad67a0f7a314ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
5b7de261757e2b6e63a243452017bf4d

SHA1
811b5c535bb2c42604580b09366d9aba426509d5

SHA256
135858072af25b75c9f0f18164fd5d4e6566e160e9dcd1e9d27c37f50ed768ae

SHA512
583d8f9182656607c915be13cd3b39559bee7b08af9ef8ffd70581e9b04f8e30593c0e3a25132dca8cf45cf760c1180fc50382443f8c4439bba60a64f7ae0fe6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
4b2213be71b624b80bc06dfb0bb42517

SHA1
8f84b9085559a921b83a4ad1d3c9b3be9fc827d2

SHA256
02a0e968df95f57d296bb8ec9007d9843f6acd48b86542d6e71b5320fe4736cf

SHA512
e630e65cc9caf68ff5b743c0f6efbe11afc4eb0967aed9553287aa7cf2bf3c9ade47fba722c850c3ed0c9b557a295e1d60f1d4882d612e91ce823762eacd6a5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
a9528a441b0ae7585761c65aed11046b

SHA1
28067f1a76cb30615d799976511a7c605be28fea

SHA256
62aa8854d2d8f2a97450e6fcdeb77f7552a399f723ed1db83a5dfea80c013650

SHA512
e4af6caf7536c5e0377292d3a82d745f71f188e9fdeac5990ad8392cee8dfcadd8b0883b23c2e02ef718b80c8cfb8ad0875d6bc5369cbb935576369779462059

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
8da2581e51847601c023fadfbbd8a5c6

SHA1
07d85458d5a72e21c6fac2d5775bb72b5f5f6116

SHA256
bcea7a4858e6ca7ca1c54ba17a5a063b798628cfbe90a59663065e985c5a7e76

SHA512
1f31ca3cb3853b5bb51a2e5a20e1ccdf90b7c00f7b396d6d3920f06f308bd461df1ab9380abc8d7f12dde56b240a9fded52e4a12ef4b1b59091fe19444dc0218

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
3ef9046da3f3f35dbf7b137356d4423c

SHA1
59d67be1ff5e64a82b05e539d91d409e4058f55f

SHA256
b0cc8619f68a2030db633ffa82c352a4efb0f9fd1f7a366b26803fded5ea182e

SHA512
7f70c5dea7217f02136aacc530411ea0f7284e98ab545a233de4c373a899ef57ffe2a02a6167da7636fd530d38bb91ddf7152b521391a44abc2c212629f38112

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
44d26b3896af053266e0d321b61e8bdc

SHA1
4b848a3c2e163fd5a64b5265862fc756b191d3cd

SHA256
940fa90fbd8407f92114d845c3f919b1d35851922f52e50d2a11d39a15820e7f

SHA512
74f9b10bf580ac9955180b570094c1efeb9999166262f4a961ace8f412c95adfb71712d72e48ae34dc3ae569700e32466a3c3e0ff761b634c8e3cfb052ae9ef5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
748e4357c0326a1175ee2fcd5445bbd3

SHA1
e79d99a5462935d7d48210c962b7df70848480a9

SHA256
4ac13d2f0dd20ef25bf617e6122a563ca288fad51af1c32b3ee1314c44ce9754

SHA512
28d28164c9142ac8c81e94d86a00c767c11189dab6061d8d75d06a8cf0969ac051f2fa358b78a0cf1940b17882ac8fdb8ff9c9a97238a7f86c213c39f5ef5c37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
66e6386e2154d494d96ef48f0ae9f516

SHA1
65bfd62c63a509fcc25f91c85c82f42d0542c4e1

SHA256
0f70d64c8aaf4730f90e260bd280d2e0adb1bbf07ff19e59191f002d0ef36148

SHA512
2bdcc1f9b1d5eab1009bda5c29ac9e530c46c49e8441bec5c63e5bb78934dc355e213adff10dfa2085849d6ad94b9d0874e168a0d81999a0ce67a63967f79458

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
9007484089745f929f01885caf3542ff

SHA1
e56592820cf4e89bb268b97659ca38d65ca20bbb

SHA256
53b12814653812cfca84a650c417772f6ee49fd34dd5c90f9655b505c3560e39

SHA512
e21cd2a33721d5a9f3978334c99d0a437629052d5e5d95789bb23319efd4afbdab4ccbe2c36bdb28da9fb9147451ede6178a91cc7c977d119a6d886ac3d657e0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
87c665f5c210475d41fdf0b2258562e0

SHA1
53ddff63eba055616b85ffa22cc8120b69478684

SHA256
9de5fe057bee7e6059251f8cc467afd066bfaf866b0e034222b7ee63ce9a373d

SHA512
ff10f94813d6391312ccfe977705ecf30d259d11de71a22c0758976c4064526cc85358fbb6f7dd5f8ebb85db5bd10b2d2333bc338c83281f045a2e7a440695bf

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
3a6cba5efc4c1a1eaa66d5dec5433beb

SHA1
450b79f15b2f726a70f24dd53f8d97012e4964cb

SHA256
081919b8ed8f373790ad6bf2b0b6b45837dae7dbe294321b56e2dbad471eba36

SHA512
3bd6abf6337b5ce713fd5ef8f37a4eb95ad947c8417711842f38d75765e08f6a7590b8de6f21e182d672b22d460cc67621ae19f0cbed7114decfc079996b30f8

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
e0a004da17b2c33c533e01335d1ed5a1

SHA1
13fdfd522aa01e9f5182cb90569f4f5b97a4a1bc

SHA256
967a98b573258eda533ddfb65be5de6fc0356976fd946a6dc65eac66fbcdd0bc

SHA512
a37c482c6eeb0ea575e92739a2fbfaff1c4be554230d3d9a02e2a3c172b7671f0a3fb07ec181dece8fda856030d2b0beb77d413b2414e38f9cc195f4c78c4f59

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
b8502148946283d6515f4b4ca90a8f8d

SHA1
715e8ebd8265f6cc2823037ca0a3585622062d91

SHA256
e8a5d33e1052578b4e1ee164a72b9ecc04532486d77fd78a18a494bb121e7a3d

SHA512
e7f171c2de5c1ddc08995241bb00933ccecb7d38dd162e970851c38039c790b0addb54e0d5de232756f33620768d673a10e98a389035eedff1f2b1dff2b5386c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
c7796908edc4221f016591edd85c2eb8

SHA1
f02533c5f9d36033ccea42dba7bb5a4d020fb788

SHA256
dc938d84e5012cdff7412f711bf8c488567c945a757ea15e1cfc348064ee8c15

SHA512
f890dce6508deae94074d6e9c158161ecd962e9585a95c0227801513d46df52264ded4a5c69689f367aa54bb4210630edc702479dd267cdf9fd6c563597ff7e8

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
6b2dd786dc4e0862b93f763ac5e9a65b

SHA1
00f666db9840bddfa9f9f0e4cc03a958e1d2d068

SHA256
ddd1179f856b215262cde6d5a442bad04e6b1e4044e2b0756ce35488a6a70d9d

SHA512
14600d9e7e0ab4453a3e578f9322e0c25cb368f6f5dd635f4e8ab761c85db518ddf3a679e5d2b8588f1b34c6d497afb7bfca89e1d774c3a903fab39927f51569

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
56e99f9c5038bcca54b14b57b7492d9f

SHA1
ff82c38de25298098ffb745d53e3a6066bb328a6

SHA256
3ad65f9657227635a0d4b5a9e56a2b6a4a777b73752ae10652d6fdfad90f0f6c

SHA512
535ae531e803e2dd74e1201b9df8d8b6d22d531abfbaadde71e57efc4408601ff4e8e8ccb84b7181b02c9e6fb3f9787443d2032f2aefb6a01f96719413fde8dd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
0d297db1185ef39f5da5bbbc3204bede

SHA1
45cb27ec7e56da053d802e9f85f11e603899ba6d

SHA256
58a64f8601e7d4b5961ad6feeadd10bd55cce4862a32acc4039f9739fb8223be

SHA512
118d582bad3f4470f89e67bd4558359b54d398ecb96678117a460d563d0e7909618c5a9112b8ee02f8a73ffd1b1a36423723509f6ae161fd16bcd4cbaec33d87

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
28b3884576c270a94a445b6f8b841ee8

SHA1
ff1d52f50a86bfd1ee3deba6b47333fe915186f9

SHA256
87f63103a6e551a0d28efebe227cd40751cb8ee0e1a1a3bb8a35fc70d448d445

SHA512
b73eecb2a94acccbd6717bdc1fc8b12808173f750b1c96350d581fca4560133b7fffe456a7cda19b54625bbb730fcac87b129ef885baf5a4278e2b91cd5956b8

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
f4f99e0e37f78e206153f0df6087bdbf

SHA1
09e36136b3bc475abb76f89d90761e1bc4ed3519

SHA256
f7233cfeeace19f08e5968f5a8dfca1bdfa3a1bba9e91f295b243acad0ee9c55

SHA512
25a66f1d193db5ceab68166c60aa6fdb6c2fc620aed8776c43043b1a7d46e3604bbb4468950814c98b6881d8872259aa490d9cf0d5a06bfcd25acee7b3de0438

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
7fd769e2ffa1dd1b45f5a676096c4b02

SHA1
6ca1022e403013449f3920a40cb9a2f1f79413f9

SHA256
06cf1ad15ce1bcc6a3d556225189b40c6ab150bdb1d9ac7401a261184b0c9f3e

SHA512
5cd5127fe3543b2ed8e9ef676e8ac1482cae5fede61c8ab3f81afda7ad78b5dc2e33fcf5be6007b91719c26ce74f9f690a7a90012fb5faf4d6eec332df66647c

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
e7f4387ce4e79d91aed4b79ce501dbc2

SHA1
9c02cfc31d77bfb24ddc522722156830e8c4d969

SHA256
89d8cc66bc3bc46454894e93dc92bb36c6b1d4b1c851ed965b9ce17e550f25e7

SHA512
95edb01f3a395adeaa386c1a3fb717d0d04a4f4f9bc3c8612bd1a6c8f32e8252613a049f7e398e26e81ab4f5836e18a1a685eb412751b689147f5b8771dec0b1

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
0cc4c2ea1d00c23d2b4a54a72e66aded

SHA1
4425779d90099edb9cea7b9fcd75c841c55f84e8

SHA256
8ea182093d5284a71769c94f6e58e91f44d9944b0fefdb16a93674c21b5ab38c

SHA512
0c7b4ab641f2fc8f698c656ffd693cf6d27c3a450c4b5cc603968b7ca6783c40fb10046ef7d6189a377ffcbefb2090001019ebdd6701f1ffe0cdd411b7bc148f

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
15151a471f20e8f0accd70a60e7ce091

SHA1
6270eb150b3ccd94792665f96602725517330678

SHA256
0f835458614f904c63d125bc2396ecb9bb39cc280b56eaa09fdd0525cd36f067

SHA512
300c1c91d5fb968765c4c176b1c5f087f1d2d7a324a3f320af508b1bd585d35a592a183d17725c7534845f17806a011fe486dd66a834cde55c77c72de6b7a708

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
4891c2637c928a5de39d7be59d905f56

SHA1
e47ca3c34c50acb52464ca8f90aee3458af87cd1

SHA256
5b32d3df2589181758340516eac8de1498b5047c3795a9d633410a9f23c07341

SHA512
7e01d62d2100392a667267589db014bb6893cb2bded061b40cffc6bc05d193f3a7e5a7ce9360c0bf1dd54165e4622afbafbe165c715c82c0ebc88bc88c24c678

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
b861cdef5214d4841e6f8380516af253

SHA1
a2ac26d77efe16021c94bbae773425701dbc1ce5

SHA256
0b7890eba62c6b93cd49b861f483a246156eec057cd47d96f8bc1f8d547b2dce

SHA512
24268205215a537afe556ecebd501c3da4e6642d0e439094c7838d0263134fcf9d3fce352dd0e71ffa1f2c130b9856ffaab4380e11a501f75f7a64cfaed8714a

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
4447bb958b570907941405498b6a30f0

SHA1
8888a61d15f009bc62f37e73a023e512b301435b

SHA256
add7112ebdfcf8f485c7dd68663e53adb26e2411ce60cf66c4c105e06d92ee78

SHA512
0e3ce061c9311f07712bc5ec1799d3df44031cb821d9651ae6c4dd329449c5ad35dbe5a3c7d1a47a76215105e5fc05e39115d223ffdf4462ac04bbbcff90f244

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c84014e266a55ce110822efe0747f4d8

SHA1
a28e565108296c95356a99612d77aa871e122001

SHA256
668a050aacfae15b98f40e3932cd40aad044bec394519f5b787c37f41380f319

SHA512
abb8389c07a97de881a876623127dbe47f44e0ed1741f66915d7080c1141d59388d4b1a4b3aa6402c92a2fb906ecd65d00be4df14e23b5177a632d53346918fd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
a6b0930d154e90e0bd27aacb54ae1911

SHA1
f124d8c31f2dcb4ee6245b9fca8ae05610643bdd

SHA256
3c8646c0f807da4042df84ac24d515ffff9a49d3bab9798fa9a17f7e790ae3d8

SHA512
f1c498491512996dd09f7f5b3220e3f921862c02edf4302cf342113e2a3cd5c3a017e95737dd3f2a881ddc9f0921927aed3030837f595d32abb4b7ff9a895190

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
73ee92c53bfa311bc892bf2d5ff7e118

SHA1
014194f33b2be7ee16b98166461f3d2e7215597d

SHA256
c3561f64cad9941b19a21a40b1c9afcb0407519adfbd65fc964abbd2ef7b752c

SHA512
e6270a650273b9f854f842544e5275c0e277aea3b825515b15277dae753315910802db6f89bf8d8b74ad58e6fd191ca86e0ee771c89d1f0ea9de1c2fa3dab600

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
17550f7e96ae5e05b075e014dd888c36

SHA1
c3d92471881234e0216d1f54e05c0ae2cedea802

SHA256
53ec166ee6252fbbb18e7ed04810fd96ce1f4db7627dfd716ce82df10c15c859

SHA512
927f463339f231375b7d87e5f7f8c9264cccb8214a4a79c50d3a76445c7043dd60c99b4dcdca07248f449115be54e71b0cd4001a0a07e46378069ce1041031c2

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
6ab0c275551b2c7536ce037e77cebac1

SHA1
e52f46340953e2efd8d2d640f9d801d208b30cd4

SHA256
e3cd9dd67d3e93a5108c75b0c4533e1f354c617ed63058faee2a35a1551bb4ed

SHA512
92a45c52249c85fa6351e111fa520188020826472d412102ce1899a4139426923ead7953dc08b51e8497c610c3f29f5c4b28bd84e97f54bf22dbde29246878b4

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
4dcee13e4f45ada9879d667349c25301

SHA1
4d6195476b4fbb1f1482b217856a093886a943ab

SHA256
e8ab06a1144a6d39154fb119e2691e2c0dafc7d50f64900e00aaf98138d3e6d3

SHA512
ed7d14a9c066dfb826f5fa51af1b17e6ec16badc159e84a78e2946df05a69fb9e937cfd46acc3aa5ff94010ba2f191a1ed96b4197380d6cb468c26324c2294ae

Download Submit
memory/624-606-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/624-257-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/632-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/632-82-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/632-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/632-176-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/656-196-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/864-126-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1084-42-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1084-36-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1084-45-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1084-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1084-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1308-33-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1308-32-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1308-24-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1308-125-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1428-87-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1428-88-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1428-199-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1772-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1772-603-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2332-591-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2332-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2720-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2720-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2920-113-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2920-11-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2920-17-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2920-19-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3368-214-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3368-110-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3448-71-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/3448-85-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3448-78-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/3448-84-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/3544-138-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3684-226-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3684-114-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3912-77-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3912-0-0x0000000002530000-0x0000000002597000-memory.dmp

Filesize
412KB

Download
memory/3912-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3912-5-0x0000000002530000-0x0000000002597000-memory.dmp

Filesize
412KB

Download
memory/3924-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3924-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3924-56-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3924-50-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4328-607-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4328-268-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4372-261-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4372-600-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4372-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4408-177-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/4408-597-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/4604-160-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4604-456-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4756-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4756-602-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5064-215-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5064-601-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download