d9af65baf7aaf9c0ae52d7eb08aa4b837597b34fcd9d24bef258dd368a0893f0

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
Size

24.3MB
MD5

dfa5323a4a6fa019117f032e6efb525a
SHA1

a5e8648fc7abbfdc40fda68bda22dec7bee82f95
SHA256

d9af65baf7aaf9c0ae52d7eb08aa4b837597b34fcd9d24bef258dd368a0893f0
SHA512

567ee0445ef2688cc708770c1afe93002e7900673f459e3836ec9db26945e21104c921222b6e8798952b4320a89ac7783ea651b31b1fad7d6005d0e1c689ac07
SSDEEP

196608:8P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018uHBVH:8PboGX8a/jWWu3cI2D/cWcls1nH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2420	alg.exe
4860	DiagnosticsHub.StandardCollector.Service.exe
4392	fxssvc.exe
3584	elevation_service.exe
4696	elevation_service.exe
4728	maintenanceservice.exe
676	msdtc.exe
888	OSE.EXE
3316	PerceptionSimulationService.exe
3928	perfhost.exe
2828	locator.exe
4316	SensorDataService.exe
100	snmptrap.exe
1952	spectrum.exe
2044	ssh-agent.exe
3424	TieringEngineService.exe
2480	AgentService.exe
2860	vds.exe
2156	vssvc.exe
4176	wbengine.exe
4076	WmiApSrv.exe
2260	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c28adfcfbb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\RedoOptimize.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008660f6d0e5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d2de7d1e5adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f565c3c9e5adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000042282cae5adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abd716cae5adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007913e8d0e5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a5e15d1e5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008764e2c9e5adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009406e0d1e5adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe

pid	process
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4392	fxssvc.exe
Token: SeRestorePrivilege	3424	TieringEngineService.exe
Token: SeManageVolumePrivilege	3424	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2480	AgentService.exe
Token: SeBackupPrivilege	2156	vssvc.exe
Token: SeRestorePrivilege	2156	vssvc.exe
Token: SeAuditPrivilege	2156	vssvc.exe
Token: SeBackupPrivilege	4176	wbengine.exe
Token: SeRestorePrivilege	4176	wbengine.exe
Token: SeSecurityPrivilege	4176	wbengine.exe
Token: 33	2260	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeDebugPrivilege	3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3008	2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2420	alg.exe
Token: SeDebugPrivilege	2420	alg.exe
Token: SeDebugPrivilege	2420	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2260 wrote to memory of 4268	2260	SearchIndexer.exe	SearchProtocolHost.exe
PID 2260 wrote to memory of 4268	2260	SearchIndexer.exe	SearchProtocolHost.exe
PID 2260 wrote to memory of 4588	2260	SearchIndexer.exe	SearchFilterHost.exe
PID 2260 wrote to memory of 4588	2260	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_dfa5323a4a6fa019117f032e6efb525a_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:436

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4696

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:676

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:888

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3316

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3928

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4316

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:100

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1952

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2908

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4268

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
50a02e5c34a352c1aff5a0b73d70604c

SHA1
c1e2126646b339a38107ebc520ff1d4952ac28ea

SHA256
407548467c4105a6f84f88ddd58cbb8935a66639bb206b43bcc7937f4645915f

SHA512
94a87b349aa714134e04eac3e494440175b8f28a1dc7d13595529a9534584381fed451625ebf5fbc4b62a3fbe804d773180dd5f7d3e5ee9be2e1416754972d13

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
2a049851212f653ba50c8e21f3dbae91

SHA1
24bd343a4aeed0eb6639d6944e7fc79c2291b2bb

SHA256
11046bae6facb59516ce298ceb1f0483422409811c1009b310ff2caff7321898

SHA512
bf67748404b50f938bf464a3a1e4817b312f5ec4e7b1b24e51dc73bbcb62352826b139bef317455c3c836f948b196b03533c66e042c648e8a4a9e9c98c94a89a

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.8MB

MD5
f03f25d88e228a30849375eec38135bc

SHA1
e3fe3d145963bc86f9a7098e5f931a23992c70bb

SHA256
715b4f65b125bed7e206afef3fba84515d87ab73f91f4d35c229abb5acea4a7c

SHA512
b559e8cc58c784dc93ab0b21efffcbb1691c68ec7d2a2238158cd3910d378cf7bf337f9c00fd94cfb6cadb33be66ec29c74b8df4572f6447afe9a1a31e418215

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
56c770a359aea4db3ba96f154ad44784

SHA1
7fabd2f2e8ef42628d2917825078abc32d40194c

SHA256
e25ed1d54fa66f38c86094fda166ec07e6fa1103caa63330ca1943332c6ec018

SHA512
eb7e65c365dcbeeeb1dfd43b29698eaf45b7bbc351d1f2979de8eeae3d22c6367c45751b2adb4bbe7459069938ebeb97444ef77e47d31a8ffc77dfde6a580318

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
17a1d31b992238e134645fc621c375e0

SHA1
c83f1b1d2495cecc76f2b5e7bc9fc76a8648e427

SHA256
4311177ba6ade4b50bda16ad474274b2c2e2820ae40535740c611ddb4e38f63b

SHA512
aae4092209fbc0240403f8ad9088d45ed0786256313b176269dcedb8aabaed26836ebea1225dfb5dddbf14f8149aff1fbf6497557380471b07c23cbffed4e169

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.3MB

MD5
6fe53b51bd93cd9022d6f42089bf0a92

SHA1
ed8327ad59cb59beef7d78b7341805b4d6ddb660

SHA256
c490f202224c2eef89b6a500cf9232c783255973ad612cce4e02af96293d7cc7

SHA512
c6f8ae2103d49614262664d541acb0c27cfdc84c0b4c818cf3aedb927b2f299cfb14d9b64dd07c19281c8917e376e9ca955ff23a2acc76b7de7724f77a1126f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
464ff12e17a848f2e00955c1310ac0ff

SHA1
bfe722bbfb4ab18e28046b0b3eef6491c9529509

SHA256
b9eb82ef53e9166a9dbd68478ba603a0b3e899f7e604429f487a5f50a39d984b

SHA512
2368980edbc33fccddbedb40d53fd728dd9c1d2c6b3e4b2897cfa1be55d0940cf7b88b97b775a26be3116ab8c5621c6215830560828d66c4bdf926a4b20d47c5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
c481f1e0424d24ade6af669020ee20b5

SHA1
bc7ca68d8f4548d8af4d1769f8483f3ae18928f3

SHA256
f3e9c078397cebc929273575778fbc82cfbf82c0a07e2405a1927f54247ddbac

SHA512
1e6c05c7df17ed5de24b64eead1209a3f9cf1efd81ac1eaaad57421488e3db0113060060c76f1f5b17f6f64ec87f650e5e0508890931f1e9adb128f39cc44b73

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.6MB

MD5
4717f7ee5144137048987fd9ceeb4b0d

SHA1
efd5a54c65a7cac1e9f301609923337a4e8b9b8f

SHA256
420e27c6648ffd5c5f72e5fef833f50bd73c16e85c1cfcd353c7fc8b95b57324

SHA512
3d20552945a947ea296a940777c64fefaecfad8e063aa4f1e17743eccdc2b534c2d83dd4a700ef479666063eca21a046f7c5666184e0768f57d34894664a67f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
464cb839c7b648a855813834285e4f7d

SHA1
c0265061f653c5cf20b77befcb4fc7812e620fa8

SHA256
cdcdcfe5e7bbf5fa226dc7a03abdcebe02b08f7b37f8255d304e41e4cb44f937

SHA512
794ff53123bc9a4d2f96f310cb75eee31ba259c612b236706665b548036479685be9ff4b21909431f55634ba2cac2d82abebbf4c190dc7081fd39a2e306cf912

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
9316ca4b54ccbd7da5216a4ddb1f09f0

SHA1
2dcdbf2074d925e25c8e7b12441a4bc78b4d4ea5

SHA256
dbf4f45f0d064445c1ea75b9ce14473c68ba020f4f41b5f19b20e6a87522b686

SHA512
a2ab16753c4a853e1caeb797295809d1de087cac23492eb4e72bdf92e0e707997f8c15e42357d75bc16467e01803e27b60ac06a4b8e554e65d6a29cfe6c341ab

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
2aa68f1bc80ab363b8e943d09c4dea6c

SHA1
f80e14fbeed1bf9d3aff3c0a25e8b4ac0918da71

SHA256
6e0d6d06147aaa08204a59d42511342fa3e073986d578bf36b1ca9fe699e841a

SHA512
94c579430cad58e0cf11561edffe4aff1693f59b59e74a01b0a723f4a69ca16ac229126129b70cd4b013029f6cde3a997f81597b478066d259d13555363065bc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
597b79b3c0f60eda446dde13f18c2731

SHA1
71fa4e3a748ead3fc0031c35b522820933db8066

SHA256
f4857eaee1be196fb1b8612184660e4ea74936679e012afd29c5ab10c096a1d9

SHA512
524ef75d2ae57530a4ef310ed557cc308f531cdbd662be06fcde7563d0d928dcd4da1a7621ba814e3fcd966864f7e6065855045e65c1259e46108413e71805de

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
fe4932502b1fdb7f1f5992cc9faf31d2

SHA1
6f225ac898237c9dd7276abdaed4a8b59551b735

SHA256
079c2d6fe7843d1c6059a6e34dab4513230f4625aead531ff74984be99e67a05

SHA512
c47e82bbec5dbfc2e4e67abee8254d5355ee88bbd799d12eedd1c90d00de2a2ab0d1410bd0c04ab1467c6832c3c8ae5ba2771e99743b726785619961e25df12f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
b1f9de54de81b1f144bae8b0f76cf64c

SHA1
d0f88a233932251df8cd2853b83e8a04d8671706

SHA256
23c3eb6d9dda5aab387c6b81065a79087e31d5cf5056dce5d7128e3f426d3df6

SHA512
609b38a0dadc1d92401b75550ab83e029b49bff215fe985de7532a7de93bdcbb052e2f5b00728d2239309bf2249ed4de6ba408f983f7552063fa78350cd30daa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
236fda329e36acce6eeeb5e1add01803

SHA1
cba9641ed22a500117865b067ce1208ec19bff23

SHA256
ac3bf9899f1d01fb9a6405ee125faa29475920184ffb125570526b23be2df825

SHA512
5603d1ff8ed89bbaebd644bbb708a6638ecdf1912d03f425a488d2151170c0105dde9a8de873211e5699c99b2a4a010b846b5115c1b054dc8dae88499863f871

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
149ce152fc7b9f847a938ac0d4aae3eb

SHA1
18a86c261965ec0a39f71023428553d64b41725a

SHA256
37939a516ece6f38ab2833425413fbabce12b2b5e6794c5b15047463d4fb990f

SHA512
25d1866b9efebb904aa5617992f77e3e9676fc033409a255ca6255fb201a2dbbc5c474f924c7dfa9635c34324ee7a119cc100426c8c0c26e1325e22cdbeb0f1a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
79b91d15b99795bc99a7281709ad8841

SHA1
107ffbc43fda7a180114e75b6a9161624910cc08

SHA256
5552955254b1d7e92da5748ea2806d3155781c0a6d7a74a52668226af59e41aa

SHA512
50941b533cc959d6b81b13c3d62deb8a0b2ce39e7a9aa837f59215f944bbffd2181c74d851bad37abc17075b75d842d86f0cf17a0067707c2a0103b11927d7b6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
e9b25ba66ef9001fe4075a6572b08a40

SHA1
5ba5212a40d3983b294571fed1a3e5d1d3dd6425

SHA256
46fb3a30569f5c6760a2515543b8fc939b32e068edc5f5e92fb06576d6bd1f36

SHA512
e3c47f89d21b44eb41850773f664c93b16fca6486accb5f2f7aa14b678ec874e6e188e656c3eda303d6a30837d5c57321444e7b2e52b0931a3fe295540122375

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
618225d43d2e717a1dff571d73c99118

SHA1
818ad6361d4c4a632503ae5e6a97cc9e97e92e7b

SHA256
824dc8bd8fb2cdc40da504dce1dcd3f4ec8b11d6bf573a15590a78795603c7a1

SHA512
b1d6409ea5bcaf66484347e4a792beeb8ff80a5d331910f2ec4b396e77430a081f4b82702eb80a6cccfdb35c248d7cbfa4aef0a27696aa946d3ccd22ce49d4df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.3MB

MD5
b923cf48bc97923db24652023b3ef57d

SHA1
3fdc86becf1be85e19f88eb6fd908441db4684bd

SHA256
a05b1801f4fa17863a38eebfdf598769102b7ba9e8d8a90ab48cd29b40185e02

SHA512
f9ecd0483ef67e80cc3f18d08ac52e5285b3cd76132be33cc309259108f459f07d5aaf0c95ae678b194ef2e4083680d1530ac7e1d0dd3a867c1a3f25b3ac391c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.3MB

MD5
9de7754698f55c21b7990b83ca8f6018

SHA1
631cd913330323f1642176e2fdd07579ee131ad9

SHA256
8e95b96e54582411734434bc43ada04a28611ef4f29c1d796a73c76d1e53645d

SHA512
cada2a924868f9f70afbd196e9d0707ab62da007baee01cbe3a8d36e6636fe05f8f116c6179447a547d67c7f6c6ee56178162a376db86b3f00c930657661345b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.3MB

MD5
f4e80e2abfecf1ef05c7299cf7fe7ea0

SHA1
0eb1367e3a708b4fa6b9f6b0a687397f5c0d0c85

SHA256
1aed81aa7cb83f0c0287941ed2b71a69ca6126a09844251992485257fb23d2db

SHA512
082b82fd3281a8bacdeed035bcd92629b59aa6c165791a4479ee7d42af33e98592c294dff6e8647e15a67c58d54b25fb437f8bea82a9cc62471300b73d38758c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.3MB

MD5
ed03e487fe3653915f6dbfcc2b9caa8f

SHA1
8d26be56fdff61613b7c621d6cc6069edcb86961

SHA256
4e28acaf6c0fb6dd00e8f207e00d25ba45f899b9da2446c9f6a704a035d4de21

SHA512
2843984afba79a6282077185d5da7af7c4287d9aebe24775edf07dc9bea7fabecfef4aff12532f461500970cecd755523f5cc5191b6b3bdd3425d0dcfd099e7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.3MB

MD5
29153fb86fa2d31e27b96d61a783acc1

SHA1
5902090c99a09fcb8bdea636bed4ed97e63fe5f0

SHA256
6624b426a345170692fd48262848c44e40c0ff557e4455f631f47dad1b00cf83

SHA512
021884e9b0dd3f75e325ca876e32838fc8438982cfbe48261e8bd62c1f2975142cf582faf8aff609fda4f28998e5bbc91968a498bf4edccdfe7f41395fda5664

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.3MB

MD5
02a4e86808bf6375369e3e5c301f6bed

SHA1
482afffc297efd4e52907ca1833300e3759bb940

SHA256
5a782fba33b3341dfd2f43bd123cbee6bb6437eeb2cf646bfdf8c7dab6c072a1

SHA512
19d99a28db8c2779d2b9b36e3d3d132380bff333895ba71244eb633848c78442ec3248d66e8946b4504da8ff42b59ae066edf78c189e5d48b62be553b0cfa02f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.3MB

MD5
60a23219111c95b3963e3659d5da73d8

SHA1
81d5a3780c4cd8fa94535dc069b75a17b67b00d7

SHA256
b9e94291333cfe1d7f5713e7ff3511429b8b92303b11ff7b1f438ee680fa99f9

SHA512
c1847929d88ad37d0b8fbc282b2dbb27fe9561acf73c531f0855b3d18d4272e74d7098b896261c22b3d6b25e05d96dce956c451ee6f8b929890fdb772e59d18f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
d593a02afda204af0c023607eac3f9bf

SHA1
1473de7bcfef9c18323cb49511efe8e0efe2e8a9

SHA256
f4a6592e9afc1b58daf5e2973c898cc52cb5b323331c60925d0f730e452a1d8b

SHA512
c2935458a5d897b1fac0637065ad004927fd716ae0b9ab1f3b1454326f3bc33056e7433c5d14e7fec1e4597b960324899d2b7302b3abc267dacd22a2cd507502

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.3MB

MD5
9fd23a71ad5755b7d6531c7a2d793483

SHA1
e6cb1b755a06e85197a9a3cbf5d14eb639dd636a

SHA256
e3b029387f72d25c160f86b3e345e637316bfeb7dd204a2cb3f24f6d11505f3a

SHA512
3a794f8872900e9e88eb33c7663eff706a160e4f79b5e8be367d1071f545549174e7b74e19581e926cf016c2f246117adc96e7465ebbbc00e28540dd932f0a5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.3MB

MD5
ab5c0149151e92ed8fc80c73b429b74f

SHA1
faa1b5aace7b0c5062038bdcfbf0422daa40a4db

SHA256
54004e772c448c7cd5483b7d9d69cf6cdfef3efd8f25541f549d2b2687f32a6c

SHA512
1c45eaed7690f3c26b49301ecd10fbda584200e558eddcd7ddc681085768f1403b7d8e8ac2cf4d18a9e001fd60dccf8441810d8d01ed125582bd760f50e48227

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.4MB

MD5
bc620c357bc0b4ac1f36228be9eba853

SHA1
d42af080b033045e8d89f31eaf093bafbf12998c

SHA256
567a4d9f747a7b275afab5d313eced25cb8f042676fbc93e26013d53af51729d

SHA512
e05d02a8286d03f7ff069399ebdad9e0c753aed74ccefbf93baced3fd29ea28869fdbd1e29fb1181fc85b61d8ff6585c169d87912c3ab90507986a87d8c302a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.3MB

MD5
39ba0fcd5faf78f1fac6b049d4ffbf99

SHA1
5719f5230a7d26145e2dbb1e88201887a95f400e

SHA256
14c641d8ca63467e689b6e80016da0b34fc892bbe069af31502ed3b2cfe4f343

SHA512
990885a4c418f3a38865e439738641597f634b2fd4df98bb62d24d1bb3c7188573ea5a934644dc1f698a75a4a9719b0f201b8a98bf602c3aa065aedd6bb77251

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.3MB

MD5
8aab31b3499f8fa6727a006282d260a3

SHA1
6136d95185976e9ea957bb6e9831a723f7694144

SHA256
fc3b4cf56d8542876702114162bb9a6d29438c0db4d82f6b1b87bc2c7d376b5c

SHA512
ba7a82a6d8af32f9e4b2076983f3be2eb573e4f7185f27ce83490b6fc38ae48c8cad21fe6d8a00b7ccafd67d92114baadbdbc7025d5b2cd08460641a49f49384

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.4MB

MD5
4faa42c4b831761796c3fcfe377be14c

SHA1
b2865ec6689b55893ebebfdeabfc9b3aeff7823b

SHA256
e381a5c8a148c4f96acd0e75dcd9eb79554af7def6910bbdae93eb4bd5cb4918

SHA512
b5566a7ecfdd77bcf597b0b4e557c8ab170114eb58541f10d59a516689fda00e1bc10c9d2958ed3b105d62dd86fe24bc343ad48670c4fdff9cd237b2de5c3a48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
1555e41c561d22ebb674f88d2f291a3d

SHA1
8a59e084af63f5c2e4303e8514b5e3c97c5cca4f

SHA256
accca6bc1e33c515ced24b2ebdf78a2115865fd48959132c5fed7e7c4a7b83cb

SHA512
d14153c0130d6fe976a8809660ae36f4565bac5ad95a8f19fc58d39fdda0a6ab8da9a915ed8f0d99a38d8f2adb803a8488c1699b9b1a336aec4d99237023f572

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
e388801fc3b6c30ac5ea1373f26065cc

SHA1
03d2382fdf7e9f1e98a5b46397a9bbbbd08daf36

SHA256
65985cb3b27145a281ea3ab7e0ca02196ec4c0e0fb992561d861a5bcb64febb8

SHA512
83e3e2c10cb515ea269236e7890253f0bf9b47961ee4c095c20ac30ac335f5fc82190d9c99dce37bf0851cec3430b04f0bdfbe58ddf97e8bbd9a63bc65a84136

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.4MB

MD5
134c2e9e055e053e5dcc16b2c3312205

SHA1
f435c983db3b8c224e95a525bdb719679a24394e

SHA256
97cc92421926a68d7da5cd239866ead500f2980c9bbec5dc2edbabd67e399eb8

SHA512
bc4afe651f7fed55560cf109ac96057e40b5f020b33f71e2bbe05f51b9a78618653a50a9a16797cd0d2062cb4f35cbedfc1cd553460a40f7b5c3c3a73b37c8f9

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.3MB

MD5
5365f93d6957cf834f626aa749ac3ca5

SHA1
bb2e5c08d2fbd35929629cb95abd2287e4644a6b

SHA256
eee7a0f925a1ab1ced9fb7e881a713426a70a9a6685c3a84ec69ebae7d908ab8

SHA512
7e5d13050e388b2ef0e8f7377ffafc1edf996596fe795b345ec3244c565fe1044c3a4bdee9515738354a62f713effebcbe91cca521f722007933ceb98059e25a

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
847c6d02cf3ddaed6a6d30a3cff843f5

SHA1
3d3411cf4dec10a016034e7a4f85a3ec0f88e559

SHA256
72e60c5e41cb2839219ba01133cbc186d83b12d3d537307e97841cd8bd8efd2b

SHA512
9625ecbfd3f2ecd68af792b7297c79fa231eac0ae815eb8165d533ce09ce12b9112bfee24bda36ee9c7d9e06e8a3bd0ab1f09ad43ec9ef96ded194f55416ae52

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
7320708ae23445b4107ce076b66568f1

SHA1
4d40189da901486f4992dd4486b709cb584e9b79

SHA256
d820abdcad20665d7abf805487e3b1d0cbae72a7f94b7d3499407573a86b4f53

SHA512
983137a07707497d7f74258eadbb9a68ff803e69aa66a0ecbb550da3579713945535831221906a7633f737698e2b4f95dca38c9dde083d4634bdab89283e5551

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
c8b487f93df102639ee077883009572b

SHA1
bdbb310105fa1ca2efdcb9c9cf6305b554f45955

SHA256
e1a9124a0401781b8b6c936dff1724f397ce154a18315fc453b8081f1f432ced

SHA512
676fda585c99bec5e9dc707dcab493f55b5dfb2dec4e3dbe8797a1bd31f8a948b1c1ed806e3453e1eeef5a39064f82de14c6a753d7a16550fb9046b51cfb0331

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
879aa12136e2f143ab4119e1e0470d78

SHA1
67eb2a2ca49b1b7fcfa98ae01933885d15aaaf32

SHA256
9852920dd603313ad8d41a55ee968f5b92f1c78628fdd586800079ac6abc599e

SHA512
137c7cc7ca9471e4b763c1eb38bd77a3dfd440d980513e6710ca8c1aa423d3c27a969712afe1b6f5cba05bcb9a93c199b9ba2ccb25360c7d65135fad2142f3c8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
297f6c6c0d33e7efa9149c3685034097

SHA1
0c558255e561d569985aad49dd1910484fdb183f

SHA256
2e93f7c3e71fc7f4cde0cd1df707915de46e84fea8c613ad07c4316f5bf5f69b

SHA512
61bf99ffc850660fc508c215293526b051a6a0f9ea8c0243bf0fb0403e7427720ce44d6f1691975473f100d6ffc393d9787c53da10c2dc1f675e16484cf24d3a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
fee7b9fae7d04341d33f34559a84fcd0

SHA1
454aa950498beb4f271c308d302fa8b78d299702

SHA256
4b026eb0cc17717e358a4d42708e1420f24c739b41a89bab702e63903df1e49c

SHA512
ec1b42cd5dc32c779e1a1566ddecdf68f2734450e41b8375dc74c44897c8ac3b8f0ae3e4820ead50c068657fe1c55d1edd420cfb3554fa631af9c8a2a05bb9eb

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
b550045588fd72b82de1e550e7711e14

SHA1
715af53954b5d57cabf5183d91c0cea47e8f7d02

SHA256
e9cafb3ad94966833dea69853df200c677023ba696e7174becec79f81171e2d8

SHA512
ac822cc4c85d2300b87014b73fbdc77f6ec571b81535e77fe365ede3e8648d4109e4c8110c74c1e39dd877c913f290c0df61e90aed72268b1aca3f1ab1b1da7e

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
600ee8910313dcc1bf0bee5a7ba9e9c7

SHA1
f5f96addca86de7fa3efd727eba74c7630340f57

SHA256
014e74b0cbb034c4f15e1bc66c9dbc951daa77c4a2939f1a7c1d204cd517a4ba

SHA512
70fc171ed414ada2e0686ade02e40d00522347d1c1cbe5f962325ca4785103c369da6372dbb54ef3cb172314383e37753a2a2568b120b8fc909c22f025cc2747

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
bef17a6ecfc74321b5f59dc0641bd1d5

SHA1
9b6da2eda718b2f715f3bc418f15043a0bc954a3

SHA256
07b8df8ac9211b33ba378fd18d0d4170de2e193ac5add2d521ca1a955929bdba

SHA512
ccd7aba3a1cecf26cd2ce2da668c7128cf40b19e20a1a04a2dfd5813a1b48a86aa69c0c39358ca2f45787b42d72a2a9fe7e6930965efe3d26233af3c9da81850

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
24473d9b69b0217cab515d857cfc6c0f

SHA1
7bfefb2322c569851d29f7c49cea7f8e51288d24

SHA256
9467a5e8243d23fe96f6c28e38871271eea13a02115ab639efdd267ecb925dba

SHA512
d9ce3510f97e60d47aa1ffc1602be4c6c61d7d84282458e86b2cad06517ca7ff767c8eca5ee6a990a44e3a84ef46c09ca2ff981f3c4a0170e757cf698f28ccfe

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
c2404b8849842c68b3d873e1ebb062c7

SHA1
80b0655f13b95789579a5ec5ee63ead7199cdad9

SHA256
b0fcf269532dcb662f3c0250dc3d98b54d434f59981be9cd3a898c84d1de93bf

SHA512
951482ff48883f81549df433de8bc1354fc08f3d92d1c3e518eba6be4df56da56ce82bb995d16c61ff2b34a9632d2c042d91d06917160bfc20f4e8e0f33f3c83

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
8f220e3cceccc8ce001b8b1e9ea59bbb

SHA1
b8463dfea9ee8aabf430badd94782b48e2e0b23d

SHA256
3466ea003220162a0b4c88002028517e5fca8107dc0f30ed4b08343a6eeb171d

SHA512
0f4555f1de72d07f176462de15668d8e80a55412961068c78f07ea74dcb9cd2c8ef58baff248322c9b381b11d5d077d69390c0e61b999e1584322e9a0f520a4e

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
66b39e7e486bac23f8b4362b61974d3c

SHA1
f36c91cc1d34fbc0376ad20ec7a0c7aba262d688

SHA256
00b6eaffe3968d109351313dc4b801b6a4ff876e2080baa8ee44a389b3be51c0

SHA512
1ab94a3cde0dd9111569583ca7846595087d04be103cb541bbc8fd8ff2a677db7e44562c9cfc3ffcd3ff552c9ecc31be064eda1934c0c29083e6b0deac88b5b2

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.3MB

MD5
4c35dab6e148c400f75390a2b6e596a0

SHA1
a64b8ec4da62673d393ec0d6e67a3c21983e3f09

SHA256
fbba16fa5f6bed0a32710df3f8f2598d0dadf9bb7c3f8f9828f02303212ceb14

SHA512
96cfd0cf723021bad91e6efa98fb4e0495af7eb86b6e01563c702a0d134766d39a5d68ed6045ded852caec81a3d267f27fcfc2bf192b0bf08a9b7e11b20e2ef7

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
a4c2b96b42dab1432e599ae33f922b8e

SHA1
4420f7c93d42d570deba007c189acf691f4b4196

SHA256
25a6977b7c10e97b93844d16745ac52dbb1099a387455d1f9672a04f95718db8

SHA512
70498688145321f8181d0fa8ac6c1448899888cd1d6d14ba9d6e32f4f4cccd6cd036b0d160703b6f9263af98e5ccbb20bf3eaf6275ccd2ff434d3bed436b54d4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
b39fdf0db3a74931571f149a96cd35a8

SHA1
b0c5992ba92b32df682285af8717a6f9725c91c0

SHA256
6122f189d49d9f043d45144838826d31b2d5157999a6393937e991a7a1b23b1d

SHA512
66288755f7bfc0d4a0e1f64e6d3129760eab9f3004a557f8cd37ef35fbca8c5f968b3546d168af45cb3c43fa0b92be200204c6a406cf3d7ca4432be5f22f5621

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
39aaa492555a222e4f0ff69f9c7601d3

SHA1
ba6cd85540ee4775203a0d838c5661a8a7b0c898

SHA256
432290f0fe609fb601a3a0811500d941eb7e12b349e11e6ab0c13b01fd5c88da

SHA512
b549ed5fefc727a395390e67e53526ca5fca1716373cf6b125ec5bc9a9ad343bff6aa1ac3116704d93e6939fdaf779ee9b105dcc6b7fe512eb7d2a39b48b91c4

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
54bee64559faa91096a4a088aaa0b4a8

SHA1
d996dd82b01581f80071f25b4535b4477735b62e

SHA256
de6b7cc331c72b8618821c3a2434080a864353dd3e1f6e008bda7d48ccb47924

SHA512
a008c43d868c63305776a6e20953f66789c150bee7d13d6a2894fa2dad3d007527aac4ee88322d8c9ea7947c6f3ad9270e811e9986c6c94b9fa5cd5ea9b2eabe

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
e8614c4387541294504b13d609ea8caa

SHA1
2d10358af8be349dec9f504f8c011ce4aef2bc5c

SHA256
3a367b7e816f03dba38e9dc1187e70a1ef1990f1bff377cfe3cea37e774aad9e

SHA512
8b9c97a9307c8192c6d44219d8f3b0bdf505836b3a366569842cbeca895de2de3a2662380a87102cffa8fc9c009031b475775e5251211a9af5ac67c529f94e15

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.3MB

MD5
f8305839f889ed6b3aca60185ad2af2f

SHA1
cc20fb947bceabedd75bd1247a25cebfbe6ea05d

SHA256
5df0c5d101d87b91a1706313f3d665f05c038ffa9b1b7365487ab7a0979372c7

SHA512
2f0f52f25893ccc317ace2c003226e0a243e72cbcc01d05f75e72ddb5b9b8abbc135e7ba8fdb90789971ec14c55de44ab353a304697884923859b095fa6d49a4

Download Submit
memory/100-177-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/676-86-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/676-121-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/888-123-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/1952-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1952-389-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2044-182-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/2044-496-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/2156-531-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2156-232-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2260-553-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2260-269-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2420-19-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2420-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2420-10-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2420-178-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2480-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2480-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2828-263-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2828-142-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2860-229-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2860-498-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3008-16-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3008-5-0x00000000024B0000-0x0000000002517000-memory.dmp

Filesize
412KB

Download
memory/3008-33-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3008-0-0x00000000024B0000-0x0000000002517000-memory.dmp

Filesize
412KB

Download
memory/3008-167-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3316-228-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3316-120-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3424-497-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3424-201-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3584-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3584-48-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3584-204-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3584-54-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3928-251-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/3928-124-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/4076-552-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4076-264-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4176-549-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4176-252-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4316-268-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4316-492-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4316-153-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4392-67-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4392-69-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4392-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4392-42-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4392-36-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4696-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4696-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4696-211-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4696-117-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4728-84-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/4728-72-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4728-78-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4728-82-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4860-31-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4860-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4860-46-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download