6b7befd2136ea8436bbc0decf0d890719ff611dd202737b5501003b2e33aaaa6

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
Size

24.3MB
MD5

f88c4ba487f2219dd966313c33b30984
SHA1

a9ab1ac00de2c501c35c723628d4445c9288ca39
SHA256

6b7befd2136ea8436bbc0decf0d890719ff611dd202737b5501003b2e33aaaa6
SHA512

ef5e87c284c6399ce1a62d35cc50e5be338c6b6eb3e097e445be7dcc6398780cea8be7e1f116cc0f0b0d450cd2f9450cdf351c265b9303d1587a4464403faf32
SSDEEP

196608:wP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018g8:wPboGX8a/jWWu3cI2D/cWcls1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3132	alg.exe
4084	DiagnosticsHub.StandardCollector.Service.exe
4416	fxssvc.exe
2344	elevation_service.exe
2020	elevation_service.exe
4444	maintenanceservice.exe
3752	msdtc.exe
60	OSE.EXE
4088	PerceptionSimulationService.exe
2940	perfhost.exe
2428	locator.exe
1004	SensorDataService.exe
4480	snmptrap.exe
1916	spectrum.exe
8	ssh-agent.exe
4852	TieringEngineService.exe
1332	AgentService.exe
5116	vds.exe
712	vssvc.exe
3692	wbengine.exe
1624	WmiApSrv.exe
3576	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c2d1cebe293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044e1f0edeeacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f222b9e6eeacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adaf65e6eeacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026e89ee6eeacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000245f95e6eeacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000096076e6eeacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe

pid	process
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4416	fxssvc.exe
Token: SeRestorePrivilege	4852	TieringEngineService.exe
Token: SeManageVolumePrivilege	4852	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1332	AgentService.exe
Token: SeBackupPrivilege	712	vssvc.exe
Token: SeRestorePrivilege	712	vssvc.exe
Token: SeAuditPrivilege	712	vssvc.exe
Token: SeBackupPrivilege	3692	wbengine.exe
Token: SeRestorePrivilege	3692	wbengine.exe
Token: SeSecurityPrivilege	3692	wbengine.exe
Token: 33	3576	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3576	SearchIndexer.exe
Token: SeDebugPrivilege	3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3208	2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3132	alg.exe
Token: SeDebugPrivilege	3132	alg.exe
Token: SeDebugPrivilege	3132	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3576 wrote to memory of 5436	3576	SearchIndexer.exe	SearchProtocolHost.exe
PID 3576 wrote to memory of 5436	3576	SearchIndexer.exe	SearchProtocolHost.exe
PID 3576 wrote to memory of 5468	3576	SearchIndexer.exe	SearchFilterHost.exe
PID 3576 wrote to memory of 5468	3576	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_f88c4ba487f2219dd966313c33b30984_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:848

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2020

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3752

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:60

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4088

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1004

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1916

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:8

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1632

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5436

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
f31bc0bb4ace9de2c6a44217a07576b4

SHA1
c205eb386bde5bd72757d5f2e64b94ecae8d15c5

SHA256
652f346265a539000e79971fde7199069b3964303c7a6dbd10245cb8f7fa571c

SHA512
0ecf09f9b330223940a1cc5633d2776c480e3650598279b47456c148fdfe0dec62f5cdf0282d60a7dc7051c03ee394053752599e0edcf0b0be623cd42e156ea0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.4MB

MD5
4f941fbc48723096cd742cf38087b21c

SHA1
9be15fb2973f7800884de6984e432239a6bf3db3

SHA256
990c46baf12d6bbc25f841b79304ea7a530ee4016a6c51bd52ff0a8d6b9b4b73

SHA512
80bbcce80c5ac682cafa73746b1cd5c07215eff2236d875183a5e2d0b2bfa3396e9a09ebaaa2ae5345f0e570f84f16df35dd2240b53e848c3f950fb57d2920fe

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
6af6a42c673790d367ff1d94f7dc5928

SHA1
ae8f381db36e588b323e5bf46b27a6d8843f1b49

SHA256
07ea89ac540606b5162e24ef587294ddac191b0f6b0dcdd92873a8b8c00c2220

SHA512
ef78a3d3c86d77b7620a52d8fb4c42ecefdf06ff999774789ce3141d00bcbe2835750923069defcfda06a59873d28646fe58972ca4f0ef828373b60ae428ec0d

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
f73776c59c15554054afa25e38637897

SHA1
a8ac5f5bc819109418dcc001031a0751130786a1

SHA256
fc38b0009a2132dee0405901491d70daad5fd562965dc125541b216b760c7463

SHA512
1193ba29cf01a0f16548cac44dad95777e2c54ecffccd7d17233091cac3a8bee17d7f7b246aafc60ba4e035bf65da4937c8a2919d5460af136c745e154ba5c2a

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
c084c74b0a209e2d57c9744b8e096dd8

SHA1
35b0d2910dcaf77a594445227ecd663b8aeb2143

SHA256
b20d5eccba44c9276763597355f0a48e4cebf7d14d1dc46635875aa2a1797fd0

SHA512
d670a61cd74aec8753b7f911e532546acd111c008e107338958e1587237619adfbfddf2f874fe5ade56d2806d2197f949f118347494a1591269ff6f39cee37b1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
35cf7389de47e6597643d41f8cb4438b

SHA1
654d02b8b28d329da9e379cf2d3245b3b7f3361d

SHA256
8eddb30ec0f21fdb19b9df6d655c9992bd5b95509e7f09c1c5ec53bb1125147d

SHA512
da7b15ad814f93642c51f97676125b7999b0cf43eb003b0dd5eca576b0769cd7fd45a017ae3c76f3f2a56f314edd4ff9f4256794c209cba17123b75a7a4df374

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
e5f3aab350da5852356775fc812c1330

SHA1
20f3ece242aee305db9dd9e37491633b3d4c4da5

SHA256
20ca6fec1d8424a1c553c62a562fc52eebb3018f6c35b0eeef2c6fe1e112bd3e

SHA512
bacc8d4ebaae1d3476d74ffddee1e3f7c6f83b09a688db79ea4e4e3c4012e5a954ec130f85b8401206a6543c39542560fc6271ac98419d674b2fed144dad3de1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
d20d57d1f4ce0a6d370590c3208804e2

SHA1
1d1b218b017af3da0754c7ba70f9479c3625a8ed

SHA256
cb8e6b8fd48cd990b484e91105af3f3cc240f732d4ef3b8cba2d3d96c7b05813

SHA512
6d5a174ae5a2a8b4a6a0b81a280ef49ff595845a9048d2bdcb5cc113047451a87850b5101d2549f0d2f55ad3e7c04337d1c346fbec93aac426556f934df7fef3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
f68141b7acf0c6410945b8ed33272543

SHA1
f128d931fb976c92bfe133d5868888b2cca93153

SHA256
ccb6f6e65506448c8c74fe9a14fae4e088f05456a76d8498fb3b9a05b968f97c

SHA512
c807dce873ccfb19884f9d6af7d57c5e514dded4c44a26dd63306ae2ed0ce33ab46b748f2d74cd3ad9ad6e9af258e703be9c929839bf1041806d7f8a1de1a850

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
2dbcff425ce0cd42eada01797dc722bd

SHA1
61fb64fc7db5e52c5ec003eabd20b1d9edcea7f3

SHA256
88879de8172a873e1fbafc4c0af60d26ebecee636ebd0b0ffe2341865e083726

SHA512
c49c896376129f565f636514d57bb0da1c6fb35c5609a910ef1ea84cec63e7233a77d6ac585a53cef3ccb1d3dd9fd1755784776229729fa44025f9faf75477df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
dd034c33516207ee2c06060d9a8b353f

SHA1
4e35e9803e44505399af5d84c14c65dd2c0298cd

SHA256
eed67e32caac12ecb28893deca21c0c8c16f1f0e92c616909d27f7d7a4bae91b

SHA512
14d213bf79b817ad21e8e276ee6b6a713a915924d2adcf3d9bc4a6accb20eaa2197c949f7e96b4878881999c99b2cd9682c9af0c70498ed53596016eecb9689e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
5de6d8f6005ed1b4211d6c61a98f5bd6

SHA1
f0780b32439b0cd5fdf2be004e00695843db34dd

SHA256
69033692d0d378902ff8355ca6c5c047116f815492770a54484942f6ee22fc6d

SHA512
6753b553a2a62414a497cc865cc8f4656aa643437ce61c107d990d71c8e798871b09e56aaa9a449da425d3fbd43786df338c8cea934df5d4e498f0fe0c98f7d9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
bbcd7326d0b76abd7e9ecb179b334950

SHA1
59d8ba3b526d9f43a06e777cd11a112f3545c4ab

SHA256
17917d96c1d7d2dfeba112c8cfe941f04fbebdd4bdbf168a662805a2533114fe

SHA512
2f2c0acd6fa0669bb5462a42f81afce51f218dda5a796d047c31be8ddf6ee1e88ab1c4ee31659bd24c706036cb01a83499679a61eec762e77a3c053c1d5efeea

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
379d60c441fdfdb72fb2079e8427df57

SHA1
00750898bcb69db417956be89c5c599624419383

SHA256
4b17b76e2f16ebd42d171dd1044a363eaa2cf41d1757d7fbc606b35c4e4b7fc5

SHA512
1998935cfe1c9e26b932a7991d75c39d9e25627c1bfdeda6c871ed502874ee4a8e69d93b914f245c51b6a1b3c6e9a16b45553acc81d370dfe2f570e809829ada

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
1dc5b8ee08d2189ccaa3a042e4d919ea

SHA1
783699704017246e2a5a347926931f815cba8965

SHA256
885b319339becff89c55005e23a77c346ca4055e44503f1fecd6ee5de9a8a188

SHA512
1402a5df5bbd77528a3985dc18ceba96201b598234251094c9fa9e9a00799c831bb61ddbedc677f6f6694f16016152d81b41c8d6b1f78a9068a8a2ea21968eb4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
ec3186e47b7e0489abddbbe9f10df6ae

SHA1
8510bb54a8660a4dffa3373ce21090e211fe018b

SHA256
8344252b92bc5c998f53556048f91503546d81247d66baf4aa06cd9b799513d0

SHA512
b680cfa3b24c1700785b3f86a01b2907259cb8c24721989906637bbe0c57ab0270f0b5233970bf9e009cac44d9fed76cb10e8b62ef70cfbea2f36876eb2e2e87

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
0490bf066530847dcd17d96340e752e2

SHA1
b9d91b7486ca6340c25ebd28a7d7d34a8d6bb2bd

SHA256
aec5a8708cf31fb1d6ee2d50554a2a49d3516cd21e412dcf8f70cbce12572318

SHA512
f2698f9acf8df313478dbe3a28cdcebc9da786ec220bbc3a26b051804c6172ce96529d72e422547b983549fe9620cfaaad6b4c72835fdeee647c0e5d3b034ef5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
460f5d5a3893e617f064c856255bf7fb

SHA1
2a8a1586ed7ddad693c395f74171dce55d305de0

SHA256
371710b19526a3c21528abe4d0061fa2ee063482d82d93d4715050d651f7751d

SHA512
bcb7dbb2f715fbe7ff9ff147dac674cc5459da6249caa65466336404ff8cecff308a25daf6d3a70b3989dd705645b1d9d253916c835d18a05923349c1689cf19

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
f30de0937302d461913d7f45815c21cb

SHA1
40f446100001da369e51e30163e561db84b8d08c

SHA256
4a6e03ca47c5032dff5dceb99b291c0c251607e2bb97aeda0f0ca0a55e9ecf3f

SHA512
026d4b9fa61ed39572a2615b1d811d1b318fd8cdccdc60bc01e398ccd59b6ca5fa230b6663e243bd16bd351a1588c7dae33ab532d4ee028adead0b1e5258b419

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
d4be19b72c29dda3b0b44b9ee4383e68

SHA1
1b37325c6b225e6e197f916d900fd5c249a3dacb

SHA256
791ddfb0b1b486fc5be379d1c474080d7db37d52bbd998dca52e835694060f33

SHA512
99ffa5106dc35142115ca064bfb33b85956a6ad4208488c616cac3a80701408c752c257166977d2e130a53f16c94e7ead06c2f878e874deee87670b4d7e0cd22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
c00013ac2c63caf425b3997b8fb28f36

SHA1
e7dbf19b746e20a5ba6871193b62b79eba74d1d9

SHA256
9808aaec3d9e46becf4f3ac9a021e620feabd41a79402cdbdc7874f6cc9833eb

SHA512
ffbdadf3cd5af9e1b5b8061f486eca8011e8e23e11cf77ff4323241cfb156c2d71ec7e14ad6f8e11be01ec8e29fefdc388f099e0f9c9573cd26b70539ea253a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
a280fae8c1024800a4b545386031381d

SHA1
d29c718e7b87b0d896ede89b0d27a34e7d2ce543

SHA256
9aa5618d4ff3561a9d62a95218a6070b2303de0ad8bcf2cfe178b3ef266f0935

SHA512
fcb0719ec3c735ae7843f7b412dcce61ab6457c9ce03f81c729f983359d95509b474a5cb36c05b61a9dc50a5a7f013690d4ed46514da5863d704a9feec51770e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
d61d8d28536735108e5b3578985a632f

SHA1
712d80553347f936347d88ff2825ee78504256ab

SHA256
23820f4d857cf0ca2bd25d717e412f346c580e12f708b79b51da0f5639437376

SHA512
28a9a69f35e7f4e102e6d29a707c859b315853ad11050529e4bd48a54939569a4ba6f4486a88b70a31c94cf9e3139623fbd596c0dd2a7eb2a42339e027ce35c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
571e4f6dc367850d20a0e04d72e4d944

SHA1
07fc213d6471fbe9d2545a6b04c017fecda21b34

SHA256
284c6130a14ff164b63ca313a4d21fd74f1bf124b12d400e01d2b7f494d70cb5

SHA512
801e84a6f2002e96c573a815fcf1db86778fce30a48133a0cf484505b16f6b54d185b64c328afe474075537ff6efdead1fd89cf9e80d22df03e2c08684e81b33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
fd4c0f06958b150b33ed43c78cadd69c

SHA1
15ca3d8711948752cfd93815a5b268eab14ba74b

SHA256
0ddfe0c80d9132e4d258f668646141f431e77dec0edc7aff61564832a20f66e3

SHA512
09081dad7a201b07809f21ff9ac3c92e9d47507a4a160a232c4d2e18c6b2c4c8e7cabdb9e1836137c74f359de238202fab70180f7d3a419e2ec380cb0fb1e5d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
3dc593d2dfb6772e22cdb0370c5ae171

SHA1
2f61603823592ffb3a50e3de9a4786140b5a37a0

SHA256
6bbd36fb221dbc2837697e3a3351699a3838408390a8dfcc77493b0504f97b3d

SHA512
a3dbadaaf964ae0e23a13fc49291cf46d1504dc443207d47d2fbec73c4a7951e816cf5fd5b34bd2053ee17804a7907546fe6f11a5002368ef1f1c2063d19f58a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
85e3a3b60972ae7bae467930f7511f23

SHA1
2d89a490be13b181cb70e02fe3b73a21252713de

SHA256
8c02d2f4231ceb7e8e22c89011beb6b6514b67a04bbc36d118683b116a03614b

SHA512
30a19425de33f9c58ccd11b7d8712ed775606104f70dcd9a620182471913fa42d76c4a5c493ec7ab9e8a0891cb0931f5574ebd466a170b259e2c290c2e174203

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
8825d8a13bfbb1a9e45d2534dff0d663

SHA1
93f0aea90cb6f822a37f39378985c76a22806a0d

SHA256
a06e39cd81d4a8292ae7a97bd1ceb2ad69ebf9a4fd9babfa441a73afe8f66a66

SHA512
f25e29af071af32cfb14fc742cff3a97e178febf9f8f9659fd27a66c8f15b0e62548a5fc7fcd35da4377cbbddb0c55dccc00fc5eb02be844ae7c9f810c8b2d19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
6284902ca66f88ff3b93453b5152f43e

SHA1
8c920b3ed9584c7872b5df5ca8ee76d2efebcccc

SHA256
fc35e69a13e8666ce628f8729fb7bc8c068d178ed933e084bf33f41921015958

SHA512
2a95fdc3fe574ad2b3efa9b9261c276612fda50cd4fb0eab1c7ce0a4623812a890ab43ed7e1896ae3f93a834c6c80a139f3c48f9d92e6330c8f9454dd8ca48ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
17dd2edafebcd1798f2140df470df612

SHA1
e906bc3e8c236376a2b639dfa256198188f746cf

SHA256
15f10996447afac1efda8fcce825f8fa485d7b8f9f9a9b671476f7d543f32f6c

SHA512
e822e6108134e9368c09e51133244827e23c134321ce1d575b2b4940cdd7538f69e2bfcb921cc9446f1a4d896f52789cfec9b4c87760387d859cb47bba224ecb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
ff91fe4fccb7fdd3fc223f322e12f4cd

SHA1
141591817d78f26c6cefa51ca295c76bf9070c79

SHA256
521dbbc0745fc8179167351abeeaa1cdb637a1b5be3e35954a759d0ab31e31b9

SHA512
201f077c8e70244f4e561a41926f7064bb9822df284830dbe4bbc4874da6b6a108cdbbf8a55c9eaa6d052f8e0c11d117cdf66a8d71bd84c6d545ac852f965df2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
d3c443682a2f0edc3aa4c01bf3f1b6d8

SHA1
3609540c76b77780e94449627600f1411c8df035

SHA256
f8ff763912e33cefc7b17e5a1cef25a61e47675414845e8ef833e2032012c586

SHA512
5ced35e80e60cd4f302970fa324c5cd851478cd25c19d40f57c22accfb1b347fc6327cf8aca35d93c304056efe3bfd881c6c54192e7ff337a2e3f7478ef46f48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
6fc19fd1d53a5d80b591956ef89e7ee6

SHA1
71624b095b2fc7fa99f0eca8986316ac07d5e40a

SHA256
f60fb21129c9a636efa4920475b818a4d7f74d80877cf9bba65a2a5b35400353

SHA512
e983da61723510d2211dbb7fc1f75ebab55ada8ff16632ff992381aa8bf097f229b3d78a0aa8fa5338931c30bb7e57086fac0b64c53fee5e07021675cb7d2b1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
80d50330c2c474ea694eb5f8e92e1b19

SHA1
f33be6a6aff4337f0d968b083749db713abe14e2

SHA256
13dc80b99153ffdf0c9a08dbf953b55ae8b0d9929cf7bc921812c636d242da7c

SHA512
f47c95b8e86ceb4a21aa5f493c682d1271441535e95720752cf2c50238970b9a08fface45391b3512b458412d651c282cc111f75b5b724eda576651c7e2ba7df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
786e3e71d30ac4284241dbd2fa2d92e0

SHA1
e4962f069f94601104ba2eb82c998888aaa76882

SHA256
dd804afe973d448b665494f9230882e1154d498c971491aa9f5faca1de49e4a1

SHA512
aa0e6b9601043c7a06f660573b87e89416f63b8c29cc0ed0a39970fe8294257af822e8ea01bf26779476d1004fa49a6dd027561fa0caf4564c56a8eeb253d057

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
5d005bdc326cc74f76e4a87f1d12e426

SHA1
22a6bb04d9764837b3f0cf178dd9fcc384985b78

SHA256
11fd526846563f93497a5a2ad2fbd2416e6bdf3cf79113bb4f02102bae89edbe

SHA512
d41c527f445ccbfa44e87bc7415041d08226751f7bafe82d37875f52ef117b7c79ed2534ac1ca68091e3e6bb9db24710f717801c97a74b1e5fadf5627aaf72b9

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
5ac4dee96eb66020b844218a790fe50d

SHA1
467ac6dd040c232ebae0fb6e830e52ec47d6c45d

SHA256
f651f968e04b3d3db17f0ab25a79da31ad61efcc7d4c12f63515f52a6508bb4f

SHA512
116e1f2cd3766e3a4ae1e811a8f1579ce2921c1450c6f97a4953a5f7baf69e8dfdc54e18cfc528dce1d242ede05947e2d29f2a834ad128b176aa4c849f401eb8

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
11ae29bb8cb08d4b1bf20debdf5803f8

SHA1
c7bce802f58f9eb20248946473a81dfda8165a6c

SHA256
8d938e709126696abce40efd0fc9a6fa8a9bf2c6b0c7f1cb0eeedb0008a51f56

SHA512
6167da94b13edc3b7e15ac3536263292565afb331a68326c0f2e7ae5040ff5fcd548e70754c6b25b538469145693f919ea962d894799256df78ae7abc05d0ca5

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
29e60c88dc72e6bd1af9242f4afd5859

SHA1
dd23aa6b1f3414c13457854d58e1a16a9ef0bd16

SHA256
8cc0ea78da4767ce8e75e2ca8ef9a1a5e5a641e09f3c26ed4e98619c521d851d

SHA512
c19ae9abdc32085a1f14f62b57f33205c81cfa5bc827aed6a9fb7ba7bde4597c9062867ff9929262ca2263535cbfdaa9006cd14e77ba62fb0ae8d65adb778f36

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
c13cf570c2d92a55fb359e78229818bb

SHA1
2e0059fc535aae2ae7c99ad3a5b9f27e3c7ca6e9

SHA256
7562c879f5b76af259d70ea14c065746019612228f0919440be85738aa69bede

SHA512
c638c5ce9f7fa77f7ac9744680acf95cc58a7515f4f1760382b31312d1727b9324a00a21589b61cd9a4eace0f1fbff03c75948277832354ca3f75cdf0630d433

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
7a1b26bac01e1e3021982bca49f08fc8

SHA1
9af5160cdc0d631f35f4b7cedd29c3fd6cd28c7b

SHA256
5aba5eef760cbeaea2959f062cff597f2092c9b55d17b205fd3237a7227f043a

SHA512
2f2bfac39eb1967e08ee04940fb9b96a723629c49a93f448ddd4b0bd7869741f9f0293d3681b35a0b073c72dfe78569698ecb013ab4507fc447d7f0891036e7b

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
40bbb085c25cc678dfd7ad11fda752ad

SHA1
a4fc18ac889a09e07a5c79585d59a30f949a4964

SHA256
baa33bc8a70cfc003f7d7eb0f56fa7f9265d2328ac957eeb8db072610000dcf9

SHA512
4033f1131e5d3175d980e64ceac770c41fc9428344d3c3dc97a1d34910838d63841bd3f5a97b86fccb0ba39e8d9189dd112b8b26e0ddfcfda01ebac542de9370

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
63c2e0a4e3f0e2c02b7ef757c84d7192

SHA1
19815fc82517834fcfefea03ccd5d6826b2a0d74

SHA256
eeb501def0ec3fce5ef22c0d4bc725d44f5b1d09464462707f4c1db746165545

SHA512
66ac6b40390c7195459e2079ba1dc128da96aebd25cba1188cbaa1667cb92deb4d49e64ba5e156d48b40c7773dda275918431385e71ac7fa902a928a770639be

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
0508f99b2a00ccd77b76bed15e658c7d

SHA1
e6701b82862d885e49868dd2f20098c8e420c812

SHA256
c39ad4fafc6c4b65263132f8feee5771bd01471b1516309832326c2fa7efafa2

SHA512
2f62008af57d210d4549dfd284a99b4a15199934369a4710ced4e68b7804076fd61bd651bdd50f9d3296819f61d93541e2cb9a1c4b0dda6f14d242e6fbae5e64

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
0af47aa721e0ad1341cfe790446d0763

SHA1
b96a175bea6b378fca41a014e64163e7085e5291

SHA256
0f42735d106837d1bf3d9925a7cee7ee5039730e397a39eb0c176cec7abe8de6

SHA512
7c1b13a3e9cc62323bbe41e69dcba151dae29d7c45f3cd1bb79086aadf76ee0320d26f0f5f51d3538526888bcf5a8b214b949a02fa2cb01b4b1b187f7f67a2d1

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
09f787f4f34ab5e135643fc1ce39e1b3

SHA1
de65a1d1e8a1ae7e3137e07c8015d6cd54453493

SHA256
e94c8b5b11e6b714e2025bb23921051c88a6cbd404a3c824d6f50c146271dab3

SHA512
582a43dd4e5e933b8105bce71f2f6471328f255b0a6bccfe662a1bc62424585d44bd0de1b1b84e88d1b55ca3ed8c411a75dd88585a571ec61f93fdd477060d0c

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
23b5ca5f52cc61faaaad332dd9a7f885

SHA1
8959e66a43f7db5251b13060c0401e4489343a29

SHA256
a81e7f4af278d6fe56b3a31a1f2e4b094bad4dfba181c3ddfc17a716591b57f1

SHA512
1fd326b196027e7be0d49b7dc8c41b504650746d6e9a47deeb7963cb2be2835da0a4b775e258e92c13c7ffd3d27fa97c2b240a0daf499a0d74f32450ae9a7ba0

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
55a62f56a1cd57bdeffc4239aa2434f4

SHA1
6de86ea826392aa61d22c09fcf30a0abd5781981

SHA256
04e04980a5c3332b72c30d7d5b9aa3bb2b926fa59e5442c5c84755633c0835de

SHA512
2e6f88b9470dbf7714a48c5d86921ba46a20645e6a5524bbfb83a559d3bd7c77c695bbbd6f60b27fad431fcb3bc258b35de2053cf606fdd68cbcf310dc2b31d3

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
44a4a5e158cc928634472c88f783e481

SHA1
06255c73d7b764cafaeba5d904e353a721934f11

SHA256
e398fde77d9c504cf865f97f98e313805f50b210c4cbcb16678c79d7be61570d

SHA512
7ae70a480f81736d3a9f40d9c77110d0f919d7c27e0074ca5a1277f67c0016c59605a840938d0173ad30ef793dc9beb97f46041efddb7e0d5509c10bc02bd719

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
b9f7e4295e3182c89251ce728160b3f2

SHA1
8d09e387cb3e842186aa7000cbb51d2f48674db1

SHA256
6d502106b45da64df36ebfb9ca4feaf8a4bb4792d45657db37a86b2a2d67c33e

SHA512
50e3b748cc9f414263af128694f4c62653751f3ec642f987ff9f51de01ff027978872998a80fb2ab9a4d9ff3a94053500b80d0b6686ed9ac89b3751c57f261f9

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
04e1fcbba536e3aff8f5ac6e5e5e6855

SHA1
84156e2df8db93aa0d6dc45d60b470be8e6d2508

SHA256
9c1e138d940c3fb4be6ad15719353ea0f0262310458692f08da0041662c9d3b9

SHA512
88b212102fa785aa9b1c0132996b0de3bc895742628fd2c1b58f6524a43db9382a88ba67de672a468fe457f21830f0291f1c130ca93beaebad56b6ab72b406fb

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
67fe57ba21a857a120defb178d774290

SHA1
4f67f1ab4f1160e4136cc1b5c07e9201a2166289

SHA256
bcc7bc419326ca6050759f29f73908f6b45426ffd65264ed182d007e8c6cddd9

SHA512
eeeb9c556469d69777112634798d0531e986c85396463437684d813d22100fc81e8249fd59bd80072f0cd599d2f5b91baebd938dea39b7b37cbc8ab825609d5f

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
60f38bfbf97fae1bf061ac2ddc2e8e3c

SHA1
2f54ad521e6051709fd816599e7b13fa829acbdc

SHA256
f2f8ff1f898ba7505aeb6cdd0d4f73be30d1383f84af0b4d670490665c67d3f0

SHA512
b2237794f0d81d1a3c4c83f01302646bdb7aa39b4cb56fbf375174a633b5ffea8b5fc7f3f9d3d24f8b0089174826c1189d602ee8aea4fc7bb74658ec91c5f381

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
60f1bc2dff87232fed3530e476d34df6

SHA1
3e92cb12d7f60f83c45f44bc263b398d591b694d

SHA256
97835821b87038a1e6a6752b0dadd78b7cd996d47b77aa4a332cb74181a19c1e

SHA512
ba9868affcd00c833b8c1b6d79375ab3b72dd46e3993631130887a2de0117ad135d565c2da1e32aeb8e86634f7eaf6ace935b05ad6c103bf0ab562d300601dce

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
d35bd182ab598be4afa009f657870f63

SHA1
e437c5733ca17f76ce8b67ad7139a18921d9f702

SHA256
644da6ae0d5236cf1042be8371ffd3a3eccc5e7f88ec000bb23e525b8e79423b

SHA512
dc8fa1dfad56d6ab6166cfd2fafdcecf2aae9476cc6d9e090e8944f5dcf6ef89f26b8618b1d700c17374075422c917fa662a973f9649e698df5947d4fd014f0f

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
87f093b4ab0ad3bee3654f2c0b9de7b5

SHA1
786ed365d0941c8319ffc8f7fd1d1923f5ea046c

SHA256
380abaec4abd255cd66430806a696ca405fdd7680b395cade620f5580a1d4488

SHA512
7edf84c3b5ea3207a7b2a42730490b3187f1b7430cf5472bb5049377f266eafb794a4845c5b70f2d4915f939f8fc9ea55d2bea64ca1d654d13bf859beb43a5cb

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
6a68a2cd66782c452c6b7d491094ca14

SHA1
6ca516d2480cea1b932b7b6b3092130ca2446cf2

SHA256
105638ede8dfb8574bbb32e277c76caddb3318023e2e7daf587c38c6209388cc

SHA512
3675f4607a595483b22991b664a9e7deddaafe4715c3746c2e51e202a44b58f10af15e80e6e912c6ee810202e57e0ff6f28857a266cbebf40efe3f7634f1f2de

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
df8dc5c6890a7b5038801500e5f6cb23

SHA1
73271924caf0ac370cbf37bfa250af2f02d080e7

SHA256
960bf43530abea997594e32054ecaa420dbcc002583871fefad4b38cc3fb8ad1

SHA512
1d518f6fe3e6053d3748f6b4a787cc88bd03581b7ba8dae42fbf008714e1a3fbee492cf0a076db1a325063c75ac6ea0c34ea71571fad9fc28e5619d211b0aad8

Download Submit
memory/8-467-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/8-185-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/60-109-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/712-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/712-506-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1004-261-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1004-463-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1004-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1332-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1332-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1624-249-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1624-610-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1916-441-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1916-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2020-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2020-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2020-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2020-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2344-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2344-47-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2344-53-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2344-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2428-137-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2428-248-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2940-125-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2940-244-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3132-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3132-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3132-136-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3132-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3208-108-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3208-5-0x0000000002180000-0x00000000021E7000-memory.dmp

Filesize
412KB

Download
memory/3208-0-0x0000000002180000-0x00000000021E7000-memory.dmp

Filesize
412KB

Download
memory/3208-7-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3576-262-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3576-611-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3692-507-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3692-245-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3752-95-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3752-87-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4084-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4084-31-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4084-33-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4088-114-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4088-224-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4416-56-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/4416-43-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/4416-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4416-37-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/4416-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4444-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4444-78-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4444-83-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4444-72-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4444-80-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4480-393-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4480-160-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4852-188-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4852-503-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5116-213-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5116-505-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download