5c26416590301a6a6ab8dfd9904e786ff8f4656141f3b8a1f16002008a75c325

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
Size

24.3MB
MD5

e38afd2a6027ab55e8f9906713153138
SHA1

b3c5c39f1fc8e276da6a3d2d1b93853158ed0c5b
SHA256

5c26416590301a6a6ab8dfd9904e786ff8f4656141f3b8a1f16002008a75c325
SHA512

6a069485c60fa39d5c690d74baeb46ad007457b231a6fdcf1da22c4e23700bc405cd4494d89c83a18ec75c6a26cb11a08642b11586784fbc98adb61d22cc3222
SSDEEP

196608:CP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018DHBVH:CPboGX8a/jWWu3cI2D/cWcls12H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1468	alg.exe
2928	DiagnosticsHub.StandardCollector.Service.exe
4344	fxssvc.exe
1572	elevation_service.exe
2304	elevation_service.exe
2520	maintenanceservice.exe
4128	msdtc.exe
3116	OSE.EXE
5052	PerceptionSimulationService.exe
4284	perfhost.exe
2028	locator.exe
3616	SensorDataService.exe
4712	snmptrap.exe
4584	spectrum.exe
3036	ssh-agent.exe
3984	TieringEngineService.exe
1564	AgentService.exe
2520	vds.exe
2852	vssvc.exe
396	wbengine.exe
2652	WmiApSrv.exe
3656	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5af610e61ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010943624e6adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc7b8024e6adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000905c3822e6adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acdda124e6adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000166e1024e6adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe

pid	process
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4344	fxssvc.exe
Token: SeRestorePrivilege	3984	TieringEngineService.exe
Token: SeManageVolumePrivilege	3984	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1564	AgentService.exe
Token: SeBackupPrivilege	2852	vssvc.exe
Token: SeRestorePrivilege	2852	vssvc.exe
Token: SeAuditPrivilege	2852	vssvc.exe
Token: SeBackupPrivilege	396	wbengine.exe
Token: SeRestorePrivilege	396	wbengine.exe
Token: SeSecurityPrivilege	396	wbengine.exe
Token: 33	3656	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3656	SearchIndexer.exe
Token: SeDebugPrivilege	960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	960	2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1468	alg.exe
Token: SeDebugPrivilege	1468	alg.exe
Token: SeDebugPrivilege	1468	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3656 wrote to memory of 3564	3656	SearchIndexer.exe	SearchProtocolHost.exe
PID 3656 wrote to memory of 3564	3656	SearchIndexer.exe	SearchProtocolHost.exe
PID 3656 wrote to memory of 1880	3656	SearchIndexer.exe	SearchFilterHost.exe
PID 3656 wrote to memory of 1880	3656	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_e38afd2a6027ab55e8f9906713153138_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2964

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2304

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4128

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3116

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5052

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3616

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4712

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4584

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4228

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3564

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
a8ae267b5d9d8daa0ba77d7e7275c600

SHA1
a596dd94fe27f1e74bba48a03dc2551a78dd0938

SHA256
92a5adc929daeef8e81fb94ded87d1f90bb628b2a8f8185699409a0bf51ef2dc

SHA512
8be35a3aeb8df1a995446b28712634d864c07b716ff21bb71dde95f17222174746659e9bc1e811a7d252c68d8147da6a5df9b44f95328d990b7f8c7814fc9f85

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
3c927311b25f0745a55a30447da0297b

SHA1
35cdd91e8ac6416af4070a8b524294b2f99e02ae

SHA256
573c4f012b6d556b6142bc1836ddb3395d24e7c61282e48a3d4f23aa356cdd6b

SHA512
c97bc27ab229b0a95694b2944bf1fa214459868201d040d041b24995776398fad5ded60b322cdbc7ca55161c1ef4e9aaaa36ecad408fa20235c8873e6061b14e

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.8MB

MD5
345300c3c5c0e9cca26b3a09caedd688

SHA1
ff4ed35c7413598d3f3ab73e1794e5aa3dde6d12

SHA256
a1fdc0bed664d2c9a5a9304463da6f22f475ebe6561e65909b2dc081943b5f47

SHA512
9bab5356c84c59ac59f4193e894e8e4cd46dbe2a897170a27eac9d3baab8c71756e152a7267a063a1049767f29f69a8f9f356d77ac69220d94954a24730e9651

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
ed496ad879183ff55b4fc3f290b63756

SHA1
50bc94c0f4f71b9f1302acb204c6de5cc9efcadd

SHA256
c6c6790d5c4fb8af621e620c18868deba160f9ae858e50849cc68878f6aa6ad9

SHA512
2b5624989bd427fdb9f7e47a1493c8cd9706a7a03b4280a9514a949795e8e7a4c1a7ad5ec63cde715c983e64f6448d62627c0fa07508c8212d9bf47c8fdc24c7

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
807a8f7e8aabcac8d98710d2b314adb8

SHA1
3d4c9547f7756335198e6e8dda2d7089ff403616

SHA256
2045979a13ff1692827d255a6c9cdb08c5fd2d5f32c3a86896c003dfd9fd2b60

SHA512
f1e0ce5bfe4a63db7be027ea24e5e38341828b84772abec4c19360d20a14438e21ffeb57076e68600362d09deee9bd280b00c33cf248439ae5c0ac187fa4534d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.3MB

MD5
3d1d2927a48037f5265aa81eb2ccc7d9

SHA1
91a37cc47f07c33ce64a3d7dbe89f723e2e8154b

SHA256
7aaa8a92ad064aa8e109afd69284190cb50d6ff06c6e2d86945db4ef6d77b42f

SHA512
e99b1966038ddb133449ab913e526d1b2f2069f957f403ccd2641d9093c6828c08a1876cd84107e834f36e6f04df7eb1627c53835708c80b29f9c113487fdd2b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
baf4593b0c0f8210a5c01690d68977da

SHA1
ff993c256c0227aa28bc81c082eddcd9bcf59267

SHA256
d4ca975156b9e712f03210cf8015d693bec5c7d8cd4684bbc0b53806ce530e4e

SHA512
24f4b6da1d63e4efcc868a9e9332f7eb7f2a1bde1c78084d139a3b306a26015a7c1cfd7d5b6435afa57bd7db37346051c5012190e43e34b76f34b45df21e3c67

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
b5d697926034a8c39424368f10491009

SHA1
4641b0c366960bd282fbc73e342cab372e59030c

SHA256
f1dd594f23626d6ee1ecf60cf422201e50d6ef082cfb36040aff4dc3273b81e8

SHA512
8c9b8412741133de6e6e8e5365147a07de6220e5af8e3c7b0cd1106779b7590b133804d346163ba842aeab7ccdb44bafb7387d7308b800190043e35cc66c0b8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.6MB

MD5
43064b1e05b8a62cc54854599f350eae

SHA1
c8d840955d49f16a515bc33e7459df2bede4f9ee

SHA256
c0bfc35323ecf537c64b36f6184e54d4d1879d29222d95107e85ba40cf5723da

SHA512
3af2642b3d53b42fe429244b653b6ca40a3bbc7062aabf37bf05c364292be86150f1e77d86f8e0151f4cc4d5ee5fc3cbe3dde447f946ecfc4139265d4de9ff54

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
e8c74ebd29c4bba3f744da0322a29913

SHA1
b91d23f2c5f9b834eaffb8548f2c392e127c390e

SHA256
02c9db112dccbb77785df4c23639b50cfd778bd7c921ed15eb134cddab25c163

SHA512
5cfc5b00ca33b0254695fabeecb0e548c7efc84bee3802bcf8a2390e736758c91d532c1c7502b54526338c4cee49fb28f6d741bb2d223e45c7596f66240ea3d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
1686dd7b7d6acc7fd3b7da165155fa56

SHA1
66cfb9d015f3c930f4a072d73653d5cb5cd1a2ed

SHA256
63708138a93dbd6d12eef66786e94ca4de30708e1697527d6919149760ebc698

SHA512
d4a7803518abb9d16a8f7b81bdc68f56542f50561d55414681b07717a92c6462389181bb4fe76be83449aeb08a87775fd9046b3928b82a4230885ac0609e6ce7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
7aba9f9ea48b080ba0ab5e78b43e173a

SHA1
3da7e81c8a0434919ace15843c67ac69bf98662f

SHA256
80ebd07d8e68ac0ce29f676eb7ef4ee88eb1e185614e5634b649bd3ff08c9e69

SHA512
327b16472e0de3b46410e44daf38cbae803cfdb3f6b27ce903b073f49c67afa412f7e5e9a667b1a459120a18d36bc67a8d68744b8d9ab681920b4e49b7a07f55

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
7bf4de1e86f311a2687b8609d1a4dc3b

SHA1
7f10c3c618e20e9d468149c5b080a1a23eea5cc1

SHA256
4f0731457fb9fa697c98bd409faf7373c159aa0656b7e397b7cd858fd7cdb895

SHA512
f406a56bf85c336bb49bc2d409863f98b6d3516b8d134fbc3e31ea6df3e7cdf54090619da07a91a7b3a779c787783a943170a72b372ef8dad6f00723c63080e7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
a91dc6e51681b33b09f701297e1f8f5d

SHA1
18e29c2deb6a573b419b5937b53f48feb39cfb46

SHA256
eece70e38db28ec0d107a02bbc7aa99869a360c0c26d580ec97229fdf4db0e98

SHA512
7b3a8a16de75299ef568e9ff6069ae243f2b19bd3ce4b92d352eb1cdb3a476873caafd0fb9f22633b0921aa260555f06927fd7ab4badb934a6e6224e4eb4fd15

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
f3d901df8c06b3a0542071543ae377dc

SHA1
2051df3b25328efb7944e1e4e8a3e537ce941da6

SHA256
a172f89569cba80f9769ceda04326982e98a8e75988fcae1eb34ac9d30136b3a

SHA512
42541182918620ac0bc6a8de8fcb4782ac3b364c315c1e047949697918dcd70bdd31a931feeb253c28dc12f29380cefaf2dd03f21879d49d3f76c1d9ce6eb500

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
8f539808bb9663ca54e3f4608c7ac39f

SHA1
15c2b7ed7d1dff85c8f400950c04da4da48b0a31

SHA256
8ee0f30010f23692270adf56e515a1a2f1518cfc2dd0aaf7683026bec543a4d6

SHA512
03cf146d6d90a1c8aa78619ca879d03422cce0eda2bdf16b097708f307dccc35363dd72f0463e02763189ac8587dce34be840eaee22f693f40559167d440af79

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
7b46732e45eb052fa268ad04d65b25db

SHA1
3a23b5a1ab8f0d5248ac201bb1c7b992bcc90bc6

SHA256
64829d2552f8ccd6528a670da220ab38f0ef62e9379e1c01cb733b25348dd574

SHA512
345c42adf0d67cf548298703d3e88fdacb8b2e76573b4fc0b7b05f8776e1640fc111187a1a5e35952582f8d24a5be28a09d1d5665f8aacbb72b22ca459f1ab9e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
8c0f8b95fa56422ec6fe23e134fd3c07

SHA1
88c00d417277ce4b08fd35a037e9bcd2ee59c910

SHA256
3f57e28db3c46a980e486e51ed9603368a7ea10d206a45f4a23c646feb43f2aa

SHA512
bd7264a0dc6dc696434a0f167abe8dba5e4b3bfda86b400edc70fa036944182cd0419fac02e2a471b27def861a14e8b38642da2098443402976a3398916acc4a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
68d657f11cf8689a772ff242c55268d7

SHA1
146d13e1e92e213e8f129c61235d88e4862adf25

SHA256
ba0a8fc1a692b0e2c69ba8995d573f399f71e56d871c8fd3ec577288a2e112bb

SHA512
10532a244186fccbaeebeb690d64723eb4dff4326a00a35f25a68595ba5c052a7c6ce29905e7b3b75ec1839042ef18d1bd1e8892603a86f161d579de3d6af577

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
911600745fd97e30897256d80ce256a3

SHA1
462d0d67a7631906c7753c34dd9d1e6181c5f06e

SHA256
47209bceb49e27a8f38edad4a39b16f36ed98c4861dcf337f7464c07de880023

SHA512
21a4234f32e5c0f868ea8579dd403f15a2e1c532c0f74cc4d3fdd65a5ee2c42b59de5ae821e753cc88f1f1b661d5eb0158606055fdffce62df777934ba0019fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.3MB

MD5
3cb263ffe1e486f605578ea29ccdb3fa

SHA1
2fdc8ddc1d35539e865762984384059f9cb92dc6

SHA256
48799b489c0c061419c7646846914a2a638a1a2842883e7e928917d860b836f5

SHA512
f7926217f0a855320a4cd37fe5e6f0550f0ca56a4c73a869f405265e10d97b6303f7769238daf45e3aab089df522b7fbbf4a295a4a95b93551243ba83716fb2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.3MB

MD5
7687b285b71c18ec3394e5336fe3edef

SHA1
edb2185936275d91e71e6c0321e26e438cee3ebd

SHA256
27026137eb1e422866cf79667de5ec81d56921a62076d5910580586ffc9a7892

SHA512
f7227cffbba1e905fa16fcf42ac07a0f60241314772ddd23e49790c2022479c2cb0dce447a70753cfab582811ae78d5e20a781e3d5646fa92ad41a4a03850765

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.3MB

MD5
05634a1ac6660333a410f313dc42d4b4

SHA1
7930334345d30e66a6dfbf75baa898948775cadd

SHA256
c3312addbc718b370fdb279e66a6c254b12d22978cf9c9150217392ca4c3c864

SHA512
1196924a3c4e5db20c26bc9eb60273ed0dcdefdaf87282cf9ac6f103d89498478b3a453aad714e47a27459170eca25693b54db2f851534fa19ce6b81c7737784

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.3MB

MD5
120c5dc039eccef468f07849e228062b

SHA1
999d213a0a585b6cb7544ed3b8dbf2fd744b9e45

SHA256
e8cde8e205771d0162ad5b7bd591880ba53bf6080846668b9fe818cbf8764f08

SHA512
f60e309c6105e775b50d16d03670acfded73be277d15b7be0bab045d7064d66ccfdb5071c1fb69e34cceaf8860717cd4e8f1d842c4ae49cec477cee3135acf9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.3MB

MD5
5c34f83aaa829fb7b315381bf55c77dc

SHA1
e3dd4d708100179bc062c3cfbcc65c231bc071c9

SHA256
01b2f674cd85cb0f4228e644861cff51ee076eda9da89f7e3b0fdfdecc2058e6

SHA512
ecb894d35bb6fcc53706863f62fcbcc526f08ceaf9cbc69803c83a1f81b04186b889334c889a3c1b1396102a3ce72859b27a4f7521161dc2c1ec37798070649e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.3MB

MD5
2207c8b950ba6471fb1ed5019fc19a5d

SHA1
fe75e25b279eb36849a8f2047de8ee3addb599ef

SHA256
a71f7b8fe813d90257f43627b0e36b9f5706a5a0d4e2561260b57c71739a1331

SHA512
1cbd10387e059b2adcdc1c9dbbc3faa1524de9c933503c7e6f678b426ac8e3a23ed5a5268e2c07913110603506c6e8c66cf1568509539e6a0ee168a6eb412249

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.3MB

MD5
f0a7dcfdd6b795b2968263845698f5ed

SHA1
d12b23838e4e51c0bc2e6519b5165ad2bd9d4c0b

SHA256
f56f336a7c64e791daff9ad1cda90212376e07a3c1b21d86bc343db062e4e4b2

SHA512
0777e4c6e8440d248ef59824ab3c8857825033bdfa9dcdc60f43231486be76957ad57d30250ad6300ccb8ccd89209044ed87a79ec71259745008bc71bfb11228

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
9e20d458e4aedc2911a4195d0ba507e3

SHA1
e729123ee144db756d8741b222d70832b12d8930

SHA256
1e83b7420b3e052153f4dc6d747deb219b2b5be09b4170df90574b7c0dd0917e

SHA512
106fc60e62b555b0ba6609419161cdd83b4d1d0d032bb46af132b6d419d15183d89676000a023b979a850cecdce0cf9848c30863bea2b5292320d788b08d43f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.3MB

MD5
59a864419971915d5eb0667479e08bf1

SHA1
eed80bf66f1552a5f3c05e6637acda61c7b8e1b5

SHA256
5923cd2e87b5e56a93ec1974ff6b9f07795d66b74a143cb24dcfafbf74e55069

SHA512
5789ea2b11c9216b6941593b68f529d2f8899ac08528b71f8d669c6ff0b26c732f9f7e278214218d547e958d7e5e73363420621441b9c775c0223bf3768de884

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.3MB

MD5
a193cc26d6b7d2dd5ed8f704d10ba501

SHA1
a679614fc77bef35d2cc78b052e8078082bed12a

SHA256
ccf2168fa793fa13e57d88e1f22470555975165e221be70fbc1c78d84964adbc

SHA512
185350cfa94112cb6932f54286a810ee39160fcc7e70e4a2b83d63dffd7fd7d3d7eadb2c85eb0d5e3ec7dfb96dfa54f838922ee6989d036c7a9de684c26a6eaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.4MB

MD5
eb853fa23e5b0780d4be2c5e00478ae2

SHA1
6b0c2fbdf47d7d61334f2d3c0a42ee8045882baf

SHA256
41c9dcbea1a8c710b73cc315786fac4ec0f3ae52d93321c2b0b3fa2caa84daf2

SHA512
4316c309276119ce910d2122d11a0af9fefe2683eeb919d9a038e3c130a859686bfb1a78b05d8e33c1da747e8cc481ac8c02af258fc0374fe167db9c815605e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.3MB

MD5
775141b41c9e08e400937ccc9da5f1d3

SHA1
e43ee452174ee2291acdb55c64c19f6d59e0764a

SHA256
20aa7b850c193b4e8b7d0ce9091ac5144f3fc9775eebc00e4962537bbaf5a8d5

SHA512
1d71d50ac3cf62ab578b8c10675f044016c63954c1575867494c295958af1aa0feebdd6f64d363d735c747def7160549eeadbd3b0d6502ec24c002acd77d1cae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.3MB

MD5
6e28d21787463b076c2bfcb5928a1561

SHA1
2aeffef82b919d2b611e4f5f3b7ab7217939e6dd

SHA256
1761a23cfd12c930719f6e20acaf06bdc3c0b0c23728543677ffe2897cd49327

SHA512
3373af616be3ba144a920aebaf6c5ea1c30448ce29895b9681659e0cbad304efc9ece6876f7ed9ac1096a40bff2ccd37efd8cbff62194275c5cd3574d4ddf5a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.4MB

MD5
57104e3a75594e84fadf1493620fb430

SHA1
7c6ab1dd27647fb061a9d44e9561b614174d7ab5

SHA256
87e14f09e75866876608015b63cec31f304bab1492da44e5467c34f9ea6df271

SHA512
8a97c1c2ac54feb89af3869396708556ad5fdfe8bb7f4760a3630b5ebfd89bc924be9589a1bb152d21eacc711772b223ef9bb8ddc98aac8adc575b80a53e844b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
20ac306078a58c759ec74218860108fe

SHA1
afba46af537c6474591127c0c2445cea7d164335

SHA256
1461ad8a8cd532b9b33365f8dcb08860ca01c089c7a0046a46979392f41182b2

SHA512
8469e6437f0ca4ce8f73a90ab2037455ea3beaf283621ed1bfa70fe699a152e7f9b4ca6c96115f62c9c992aa36631fcebc84ae13ffb116dfd846e4a13050fe0e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
8f88290586c002df16d9424a262f013f

SHA1
1c2e2e4de89a59e7d3fc8006a147ba040fe74b49

SHA256
9b9878fff1e5988ac355b4798de227c65e9bed469d0104b15844f288879909fc

SHA512
c9626f4f0a0e135eb0c77ff06f81b47a30fe2261df912d523f72f1f09ca8473b55cfaf6080dd9129f6ecbef319e1855bd17310b823ec4db20d31c9b24d3b9928

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.4MB

MD5
495a0dc5ca12afe85b212ed1d6a4531c

SHA1
cf46fc76332bb2d9e28495c274f6911f1b3a9d14

SHA256
e79dbd62d3ebb1fc6378de9ad19e5894d345b7a9c14ccbd114093e6459933f49

SHA512
2b9c5ea645b9efc298f28a99b4dbfa246802019eca19bf4158a10b6ebbf79afa70da6827f71662f4c0d86227af1a1e36acdcc222c4fd3dc22e8e686bf694f8a3

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.3MB

MD5
22d83b8ae41d5e631678fc22eb4ec512

SHA1
bdb1b0527b7ca967e83e6cb38904a8f3b992ffe8

SHA256
a676ff6cd775cd1efb4b5eb6d7ed0eeb9fc7159c394bd78b5d6d5a73bbeb1eb6

SHA512
db1ac611f80b9a7045d76d17805f638d98b620f5e88bed0c277d4538641ef6660575e73a974b314dac1e9f7a99be4b159f23537de7d640c3bdcad318bf8f767f

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
2cde2932afc70bba0c1a52d4f1c11183

SHA1
192e442f2bf61d9227800e8c94c7bcefa9405a31

SHA256
4cd7af1572e56d4a7ac5955c109ff93906d8d571cfaa6ac0937e058969f8bd68

SHA512
4c23403fb124ebc89b264f65db34fa7016a8e026cd81166344e3be6a2ce61e21c310229d46abc1576e528c384b0f65bed6aac79a11860ea2816b6ff0697c3ae4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
57e98ac318d400ffee084300b94c6641

SHA1
9b319c9260352eeb8b4a6f6efb062a9c0bce266a

SHA256
9d96723e836186694787d868ac9638c864db25f4cb1b0a2f35ea1b2dcb714f96

SHA512
12c3bb92cb342143d79f93be4cbbc2190d2aa4ae4816578ad09e1f263f9ba51948a27915c912511bbc52eedb868e46700f0258466457d8d4557d768baa6169e2

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
337ac1d80d6710cc43faa42207dcb456

SHA1
100b2a2db72865fd2eb97d3f530f703a5b26fce8

SHA256
d086870ead6b24d9b35dd5ca98b17187a2134dce7f18f1e2f729faf3163655ab

SHA512
3b2b8ae27ad636e991b1e5fa51c9647192b62a7977caa78b5c86f68b77f71c3bc793cfb149b29eabf1d8bdd99fcc1cae1c30f425e2d92cc0c7514f9171571fa1

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
509a926d121ac603027744a090c37383

SHA1
74933eb874bee5b1ce743b55e0cc62d8a49c47ca

SHA256
b15b00828a4edaf93683f7161ab23af0338c533521eb6520018514bc4a84bae1

SHA512
7627951827c3b7ddd2c3371adda07d327139e7577148bf1374396165c718c49ed788c9c2aceb491936d83ae51371b46900d017bff708e53794758d5d5e5eb531

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
17c5fccd596d4b6c6466998dd3c90868

SHA1
da27dc5e1ca69d5d1349cb7ee657880ec0858e58

SHA256
3275857c86e959319c93c501641950f5559f71befb0be48d4b30d371db6d9ed6

SHA512
1dd7a1b974b4befca0121aad3d0c7854ea5657c88d966a3c76db21f5f78bb3527c5260198bc09506c96da43cd5cce7d1d0d289c5a99a9abd9d38f7ba094aabcc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
d1ec586b225c898e9c356019d4b1808d

SHA1
69f2330921ef033ce56bacbdc57e4e6f5aac21e8

SHA256
ba71d86c77cb417402aea86a91a09e7688a9e17811c79de0fb89f4ac522c1c1a

SHA512
e061833d8f820b3d64e9e8b9a086400504a2082df7962a60ef0dcd2ec9455ec5100c2b49cd57ed8efc22d78e9d47080cab23a499394bacb0d956f6401f8e68b0

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
726cf72da259455c920f1e45bb48f14e

SHA1
9db9358c3ca2e8cb47172b6504289d26983fdffb

SHA256
1f9fbc763d2cb65703c9db0b142aa5639c4f007e24669de77fd41abcb81da87f

SHA512
dc36205b8479f5ba21980e24d11b0371746c94efbccc3935cd87da1e44c10295e9614892ab3d7b51f1d97266c43a07a88952884dfe480dd75b281e50dc53ded5

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
7ccc861350ca660476f93261dfa6e8fb

SHA1
a95a1918bfa0dc34eaed896f7c5f9b9c930c4ee8

SHA256
0f16fc1206077dd11ae16505ec3abe874c81eab9a37a9c3c26340e47efbf573a

SHA512
fffd5b904502bdeced2516c1f1f336489f99ffaab0f38e05cd5ef8733faa01f95b583a2460a77c7e905ad0fc66a7c43499094ee6ee0714c83710cc123d16ef20

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
982a8418a51be4709d673b92947aca0e

SHA1
7fd462191d207a712fcd0a801d846e50a1ab26ef

SHA256
27a76a6cd903bcb97d770c694db927c570b9acdb0640799de343703b26d451ad

SHA512
242d04b395989a364f5dbc7f0becc436c32f558923a2fc1099a0cbb932f25804e02cea42d0bc8e9581f74f8a4c45d3c72d5b042056648ea4df3302485b08eed8

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
f9d879af008d97868943fbe8d3812429

SHA1
2f55b967a3683b1f316cae8ed8292da311afea12

SHA256
690d5f17e38a70449b1a2ef6ab9b7b4610f1ae72b6d807b4bc115360820a561c

SHA512
238b5f3e021fa48a3728be6b71721e84f2adc37a83f9f26eaf7d17bc88302eba497f2060f2cbb729de38d42758f55bf776fd5a1f1ceca09e8718340b147f0ff1

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
0ce284d2b323c0dd874c65117a544c08

SHA1
f4653d8912d1df89173cb926babbb2f8d0b53322

SHA256
1bf784704cecc3653fc623f7dd5135307d37529e97bbabc71ba823ab0fc687b9

SHA512
e4c1f25472e04ff74e0f86d9ddb96bf005bc32810643cb3be6527bf807847d7e1f23792917f8c45935449c8c2d4a73f7daf2d1cec721b099b6e3ae2469df76be

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
5538c6296c26dbccd425635a9447bf3e

SHA1
e61a9b45a1f9885165f063b267ee8437e4a6fce3

SHA256
ac323e4caab850fad655a615459a9c719c868f6efa2110ee45c4fb9757f9ef4a

SHA512
9e8ac8c1678e181f3a163e0c08407bedd9933b63a52e0431bae6d9cf33f40d78c1df4a13da4bacc12d2a49fa5017aca7912a3474e6687bacdc8d067a33711079

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
0b3afa218ddec3eceff05c26b6ab61e3

SHA1
7381fb5db69b0654fcd702822995bc6dea2601f2

SHA256
232cae75bdde843e0038b529c528c139a251285b14abc9195ac87079135eb435

SHA512
42d1f29c14c9a0209ddc38d13aae0cea85e301f4e773c0f00b543068e63cea7eda8dcace8cf700d4ce5d92ec5d0fa6d753d56a1921ca53cb2b3a7ff6e25f409d

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.3MB

MD5
18d5585368eae2475f59e784af05e4e3

SHA1
b06e12ab08c998d9758c4f1e01d7fa55f9389633

SHA256
bb4d2ced4e024fd8ecf44110448bf1ad2acb73fda76b7896cd81a339c200af8e

SHA512
01d769606ee51568d6545eb4c32d971e2ad03166a2b39d02c68d8f61523f1b7354008fe0a2b1b5f902d059c5dcc82caab3d88f49390bed1b4a3f86f0471821a7

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c5dbd136b602e159c93fa5f74f593c37

SHA1
699c7407e0c95c35a1f3c329c8b71fcfb87ecd77

SHA256
0acd2dad80bbbcb4b7a32913f63a071e8a8db2a9f298ede4ece7a18da001cc24

SHA512
85ae684db5aa06cd44346e663bb7fb73f61e0d7cd523b362ec88f3f11f4e23bffe9ec4cb76d028f1216bdb0f1e74768a99ceb8b23ec4e807817b315d9da695dd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
80ea62cdf3f8aafe324084533ba0a915

SHA1
ae949d8befe76f90d70c923d1f7bdca3423226c6

SHA256
5e498f4012eb12a43548ba361ccde93e527350ac574072f3057baa81af5d884e

SHA512
9ef3cd0ef1d40fbda385d1363f0b2881a6b1f944ca76630bb8da0f3cf61d210f381e3f3a4491657879b7872afbe8a9cfa31b1dd739c2c2e459218e30d1dcbd3e

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
9b750e6c1f8dc3e279d667dbf57f417e

SHA1
3e2c04d5a2f85737a8f1ada916c8d180c2128293

SHA256
219c0094bec92e6f8035b5939b15abae54e09694b74626210d48a64781e21a70

SHA512
1c3190e08395e142c42a0c769ba6282cac97c936277b0ce59df2ff4cd999d2071a2c7c5ae51f9da32f94f685f4b06b85c96bfdad532275f5fb493d41e3efbcd5

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
6cf5ff0ce17949b673d91db070139422

SHA1
2431941ba1b23b6e3ccd244fdbf9255ce04d3b81

SHA256
280b1c622d14eadd50aaf9a2228914e39f9f9ce3425e4d0938c6e6afeffc913f

SHA512
732adab5c2984fcbe9ab30d280ab99faab60af4d88cbea4dd8b068607dccbb281575b675e81874682e2b55ff0cedbdbc194020446e9704ecf86e1d0f5cd7e244

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
4fd712040c0211a887e227dd0ad3c16c

SHA1
f9f7b0f605342445814181aea9600e04bb7f42aa

SHA256
3a66504838dbe509416a03df2baee54a97aaae290fb8ae0639e7aa864dbbe5e6

SHA512
436de410ccbbb3ebb63d56b2499c0b5568d24f236699cdfdaf3571dc061db157bff10af46fd16daa06325e0b1ee10c80c39d2acda23010de1c21f648e13b7da3

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.3MB

MD5
f189aa76ad5ede03355493b1577b1d67

SHA1
f58c0ec3d7305f1bcf33fb0e4896fc6e85443411

SHA256
2d607729427fc406e2ea444eedd8a074e11eb27ba23492e7bd27aeb3b392a1d2

SHA512
47872e092464d225aa5c2dd616e84aeb8aa6570e9671d5b137ea664499dc40f98ec48acdd0619eb998542e556a293d2213ae6e7501fdec958dbe25355414ffd3

Download Submit
memory/396-307-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/960-220-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/960-5-0x0000000003C60000-0x0000000003CC7000-memory.dmp

Filesize
412KB

Download
memory/960-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/960-0-0x0000000003C60000-0x0000000003CC7000-memory.dmp

Filesize
412KB

Download
memory/1468-19-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1468-467-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1468-11-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/1468-17-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/1564-200-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1572-53-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1572-595-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1572-47-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1572-232-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2028-297-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2304-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2304-597-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2304-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2304-306-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2520-82-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/2520-303-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2520-70-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2520-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2520-76-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2652-308-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2852-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2928-24-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2928-592-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2928-33-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2928-32-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3036-301-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3116-233-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3616-460-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3616-298-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3656-596-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3656-305-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3984-302-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4128-222-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4128-84-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4284-236-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/4344-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4344-56-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4344-36-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4344-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4344-42-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4584-300-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4712-299-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/5052-235-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download